Closed smiegles closed 4 years ago
Going through the HackerOne report it seems that this instance of subdomain takeover was indeed an exploitation of a vulnerability on the Unbounce services. In the same report, both parties (researcher and Unbounce security team) confirm that the Unbounce vulnerability has been fixed. Unless there is another instance of subdomain takeover for Unbounce I'll agree with @smiegles that Unbounce's entry is a false-positive.
@edeirme, subdomain takeover with Unbounce is still possible. I confirmed this right now by creating a domain and then setting its CNAME to unbouncepages.com. This is what Unbounce asks its users to do. If you have a domain that is pointed to unbouncepages.com but does not look claimed, you can create a user account, add a PayPal or credit card and then add a custom domain. Once the custom domain is added and you publish a page, it should display the content in that domain.
@rojan-rijal you're totally right .. last night I reported a subdomain takeover and it was using Unbounce. The sec team triaged it asap ..! :sweat_smile:
I think the main issue is the fact that we reference https://hackerone.com/reports/202767 in the Unbounce section which, as @smiegles pointed out, is not accurate and can no longer be exploited. We should remove that reference. Thank you for raising an issue, @smiegles.
Are you sure the takeover is still possible? I am getting this error message when I try to "Add a New Custom Domain":
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.
Any idea how we can now
I don't think we can. If someone has an Unbounce account, I can give you a link to test.
@rosonsec @d55pak, last I checked it was still possible. There might be some edge cases though. For example, when I tested, I simply pointed my domain to Unbounce's CNAME to see if it was vulnerable. In your case it seems like the domain was being used actively before and then removed from Unbounce. Unbounce might be blocking takeover on those types of domains but I am not sure yet. I will look into this further and update the ticket. Cheers!
@rojan-rijal if you DM me on Twitter I can give you a previously used domain that is still pointing to an Unbounce CNAME
The requested URL was not found on this server.
Results of 10 subdomains are either:
Domain is already in use.
( or )
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.
Sorry, I have been extremely busy lately and have not had a chance to update the project. We determined that there is only one rare case where one can hijack a subdomain pointing to Unbounce and that is if the team never had a project in the first place. The likelihood of this being the case is so minute that I personally do not think we should claim that it is possible to hijack subdomains pointing towards Unbounce. Thank you to everyone who participated in this discussion here; it is an absolute pleasure seeing everyone working together like this. :)
Hey there, I was reading this thread and it seems pretty interesting. What is a subdomain takeover?
A subdomain takeover is possible when the attacker can claim an unclaimed domain name through an alias or canonical name (CNAME) pointing to unbouncepages.com. Some 3rd-party services put filters in place to avoid this, like adding a random TXT record or hash or other methods to force and secure the DNS entries as unique per customer, which is NOT the case for unbouncepages. An attacker can claim a domain not claimed on unbouncepages.com. So, we have 3 scenarios when we want to take over a subdomain on Unbounce:
1) 'Domain is already in use' (which means that the domain is claimed)
2) 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (which means that the domain is NOT actually claimed or used, but Unbounce detects that the domain was used in the past) [they put this filter in as an attempt to avoid takeovers.]
3) Claim the domain (no errors: the domain is added to the domains section correctly)
*The 3rd option is still available and works, so YES, unbouncepages is vulnerable to subdomain takeover.
Regards, @ak1t4
@EdOverflow @codingo Takeover via Unbounce is still vulnerable
as @ak1t4 said, there are 3 cases
.. I did a takeover last week and my friend did 1 takeover from Unbounce less than a month ago
;)
@ak1t4 They mentioned here that this is an edge case
and in the main status: Not vulnerable
..
This PoC belongs to the duplicate report, which got marked duplicate after being triaged and fixed :-(
That awkward moment when you realise that you have left the target's hostname in the tab bar. :P
@EdOverflow By mistake :-D
but it's fixed now and didn't pay.
hahahaahah!!!
Hi, where can I find vulnerable domain sites? I tried many but could not get one to perform a subdomain takeover. I even searched with Google dorks.
No bro, there are old subdomains connected to Unbounce services
so Unbounce takeover still exists.
Hi @vishnugadupudi as @ak1t4 said :
We have 3 scenarios when we want to take over a subdomain on Unbounce: 1) 'Domain is already in use' (which means that the domain is claimed) 2) 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (which means that the domain is NOT actually claimed or used, but Unbounce detects that the domain was used in the past) [they put this filter in as an attempt to avoid takeovers.] 3) Claim the domain (no errors: the domain is added to the domains section correctly)
info.hacker.one is already in use and already has pages, for example: https://info.hacker.one/the-data-protection-officer/ https://info.hacker.one/2018-hacker-report/
This means
case (1)
'Domain is already in use' (which means that the domain is claimed)
So it is not possible to take it over.
Kind Regards, Mohamed Haron.
@m7mdharoun :)
hello.guys. takeover is still possible???
I just tried today and it fails ....
Yup, me too. Seems it needs a bit of luck.
You can find the steps here, and this is still vulnerable
- I have tried to take over 10 subdomains which have the following fingerprint:
The requested URL was not found on this server.
Results of 10 subdomains are either:
Domain is already in use.
( or )
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.
- Looks like Unbounce is preventing us from taking over subdomains which have used their service previously.
exactly same errors
You just need good luck to find it, but it still works ;)
thanks for the confirmation
I just tested it 3 minutes ago, it will need a little bit of social engineering to verify the deleted subdomain.
chat help:
verify the ownership by adding a TXT record.
@X-shadowt how to do verification for deleted subdomain?
Can you please confirm which Unbounce account this domain is going to be added to? Thanks so much!
Here's how to add the record:
Login to your Domain provider's system and navigate to the DNS setup.
Create a new DNS record.
The record type will be TXT.
The host name can be left blank.
The text (or content, or value) should be "unbounce=357292"
Save the changes.
Send me a reply once that's been done, I'll confirm everything, and we'll get finished up with verifying your domain!
this is how you can do it
@X-shadowt how you added dns record :P
I noticed that social engineering was mentioned here. Social engineering is not acceptable when participating in bug bounty programs (unless stated), nor is it acceptable in any case. I'd suggest NOT social engineering the friendly team at Unbounce to bypass their verification steps. You may end up in legal trouble and for what? A bounty? Not worth it. If you feel that Unbounce's methods for proving you own a domain are not adequate and you can 'bypass' them, I'd send them a message to politely let them know. Work with them, not against them :)
Stay safe everyone. <3
Thank you very much @zseano for pointing this out for the community!
At Unbounce safekeeping our customers and their information within our ecosystem is of utmost importance. We believe in the mantra that no environment is 100% secure, and that upholding information security is an iterative effort and a process of continuous improvement. Aside from our own internal resources we also partner with third party security researchers and firms to perform approved and prescheduled external vulnerability scans and penetration tests against our environment.
We would like to stress that our Acceptable Use Policy (which is part of our Terms of Service), as well as those of our infrastructure hosting provider's, prohibit users, customers, and third parties from performing unapproved vulnerability tests/scans against our platform.
Currently, we do not have a formal bug bounty program in the traditional sense with monetary rewards; but it is something we are considering as we appreciate the work of security researchers like yourself. As such, and in the absence of a bug bounty program, we deem all unapproved tests/scans as unauthorized activities.
With that said, we completely support, and see the value in, sharing findings/PoCs online to educate others. However, in the event that you had unknowingly performed a test/scan against our platform, we ask that you remain committed to an ethical methodology in your approach. To this end, we ask that you report your findings to security@unbounce.com first, and that you kindly refrain from sharing your results externally until our engineers have had the time to assess what you have reported.
Thank you all very much. Please stay healthy and safe!
Thank you for addressing this, @zseano & @UBAMas. I will add a note about this in the README for future contributors.
Hello
I found a subdomain which is saying - The requested URL was not found on this server.
I checked the CNAME for that subdomain, but I didn't find any CNAME.
Then I tried to add this subdomain on Unbounce. It takes everything, but when processing it is still on configuration, saying "Hang in there - we're processing your domain!"
What should I do now?
@foysal1197 I got the same response - The requested URL was not found on this server.
May I report it?
Sure. No, don't report it until you are sure that you have taken over this subdomain. Let's take a small example:
HackerOne has a subdomain called info.hacker.one
This subdomain shows you the error The requested URL was not found on this server.
visit https://info.hacker.one/
But it works well on paths, for example:
visit https://info.hacker.one/2018-hacker-report/
Kind Regards, Mohamed Haron.
I searched the whole internet with dorks and every tool but there is sub file like test.domain.com/test.php . It only has a single domain, that is test.domain.com, which is showing the error that the requested URL was not found on this server.
What should I do? @m7mdharoun
@Bplotka @foysal1197 Did you ever manage to perform subdomain takeover for Unbounce? I don't think it will be possible now until you interact with the unbounce team, as per the link here: https://documentation.unbounce.com/hc/en-us/articles/360000851786
@UBAMas explained that you shouldn't be trying this. Closing the issue.
Hi @m7mdharoun I still have the same error: The requested URL was not found on this server.
How can I exploit it?
not vulnerable
Is it still possible in 2020 to takeover subdomain in unbounce.com with this "The requested URL was not found on this server." error? Anyone ??
@ayushmayank no it's not bro
@X-shadowt yah I was thinking that too... thanks
Hello, I just tested 3 subdomains with a 404 error via Unbounce. I noticed that a subdomain with a CNAME record like this

```
Non-authoritative answer:
Sub.Domain.com canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.196.95.178
Name: unbouncepages.com
Address: 54.93.101.65
```

is 100% not vulnerable and you can't claim it.
But if the CNAME record is like this:

```
Non-authoritative answer:
Sub.Domain.com canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.195.98.178
Name: unbouncepages.com
Address: 54.93.101.
```

it is 100% vulnerable to takeover, and congrats on the bounty :100:
Are you sure ?
Found a case just like you said and this is what I got
@pdelteil you're perfectly right, while I was testing for takeovers I encountered the same issue
if the subdomain is pointed this way then it's 100% not a subdomain takeover
and I tried to claim it :) this was the result!
The attacker here used an unethical way to exploit Unbounce, which is resolved now as far as I believe.
https://github.com/EdOverflow/can-i-take-over-xyz#unbounce
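For a DNS owner reviewing their own zone, the two nslookup shapes contrasted earlier in this thread can be sorted automatically. This is an added example, not code from the thread or from the can-i-take-over-xyz project; the example.com names, the 192.0.2.x addresses and the `classify` helper are constructed, and the labels only record the CNAME shape one commenter described, a reading that a later reply questions.

```python
import re

# Constructed nslookup output in the format quoted in the thread.
SAMPLE = """\
Non-authoritative answer:
lp.example.com canonical name = 0123456789abcdef0123456789abcdef.unbouncepages.com.
0123456789abcdef0123456789abcdef.unbouncepages.com canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 192.0.2.10

Non-authoritative answer:
promo.example.com canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 192.0.2.10

Non-authoritative answer:
www.example.com canonical name = cdn.example.net.
Name: cdn.example.net
Address: 192.0.2.20
"""

TARGET = "unbouncepages.com"
CNAME_RE = re.compile(r"^\s*(\S+)\s+canonical name\s*=\s*(\S+)\s*$", re.I)

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_cnames(text):
    """Return {owner: target} for every 'canonical name =' line."""
    out = {}
    for line in text.splitlines():
        m = CNAME_RE.match(line)
        if m:
            out[norm(m.group(1))] = norm(m.group(2))
    return out

def classify(text, zone):
    """Label each hostname under `zone` by how its first CNAME hop reaches Unbounce."""
    report = {}
    for owner, target in parse_cnames(text).items():
        if not owner.endswith("." + zone):
            continue                       # intermediate hop, not one of our records
        if target == TARGET:
            report[owner] = "direct"       # bare CNAME: review first
        elif target.endswith("." + TARGET):
            report[owner] = "per-account"  # hashed label tied to an account
        else:
            report[owner] = "other"
    return report
```

A `direct` record that no longer serves a published Unbounce page is the one to remove or re-point first.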