Saturday, October 10, 2015

Subdomain takeover in staging.wepay.com (Bug Bounty)

I found an "abandoned" subdomain of WePay that can be taken over, and is thus vulnerable to subdomain takeover. I reported it to WePay and they fixed it after 2 hours (which is pretty fast). The vulnerable site was staging.wepay.com. If you're gonna visit that site, you will encounter an error saying "Unknown domain:staging.wepay.com", indicating that nobody owns that domain and anyone can take it and register it with a hosting site. The CNAME is pointing to Fastly.





Reward:

$100
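
For a zone owner, the condition described in this post (a CNAME still pointing at a third-party edge service that answers with an "Unknown domain" error) can be checked across a whole zone export. The following is an added example, not code from the original post or from WePay or Fastly; the `example.test` zone, the `.fastly.net` suffix list, and the response bodies are constructed assumptions, and `fetch_body` stands in for whatever HTTP probe you run against your own hosts.

```python
import re

# Assumption: CNAME target suffixes that mean "hosted on a third-party edge".
THIRD_PARTY_SUFFIXES = (".fastly.net",)
# Error text quoted in the post, matched case-insensitively.
UNCLAIMED_MARKER = re.compile(r"unknown domain", re.I)

def parse_cnames(zone_text, origin):
    """Return {fqdn: target} for CNAME records in a BIND-style zone snippet."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop trailing comments
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):      # malformed record
            continue
        name, target = fields[0], fields[idx + 1]
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        records[fqdn.lower()] = target.rstrip(".").lower()
    return records

def audit(zone_text, origin, fetch_body):
    """Classify each CNAME as 'internal', 'claimed' or 'dangling'."""
    findings = {}
    for fqdn, target in parse_cnames(zone_text, origin).items():
        if not target.endswith(THIRD_PARTY_SUFFIXES):
            findings[fqdn] = "internal"     # stays inside our own DNS
        elif UNCLAIMED_MARKER.search(fetch_body(fqdn) or ""):
            findings[fqdn] = "dangling"     # provider has no service for this host
        else:
            findings[fqdn] = "claimed"
    return findings

# Constructed sample data: a zone export and the bodies a probe returned.
SAMPLE_ZONE = """\
www      300 IN CNAME prod.example.global.prod.fastly.net.
staging  300 IN CNAME old.example.global.prod.fastly.net. ; service deleted
mail     300 IN CNAME mx.example.test.
api      300 IN A     192.0.2.10
"""
SAMPLE_BODIES = {
    "www.example.test": "<html>Welcome</html>",
    "staging.example.test": "Unknown domain:staging.example.test",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_ZONE, "example.test", SAMPLE_BODIES.get).items():
        print(f"{host:25} {verdict}")
```

Any host reported as `dangling` should have its CNAME record removed, or the service re-created at the provider, before the record is left in place.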

7 comments:

  1. Hi,

    Nice finding. I have one doubt here

    1- How do we confirm whether in this case the domain WePay owns it or not OR it's abandoned as in your POC?

    2- How to check CNAME is pointing to which domain?

    Appreciate your inputs on this.

    Replies
    1. Hi there. You go to this site: http://mxtoolbox.org ... then enter the subdomain.. you will see the details there.. e.g. Pointing to Fastly... Now go to Fastly and try to see if the subdomain can be taken over (e.g. enter the cname ... bla bla)... The issue was fixed immediately by Wepay... Hope I helped you.. Thanks

  2. Hello Dimitrovich,
    I want your help.

  3. How can I check whether that subdomain can be taken over or not? I have found some subdomains which are pointing to ...... but I'm unable to check whether it is vulnerable or not.

    Replies
    1. You go to mxtoolbox.com and check their MX/CNAME.

  4. Thanks for helping. Can you provide images of mxtoolbox.com of checking the CNAME?
