search

EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International
4.59k stars 690 forks source link

Unbounce is not vulnerable for subdomain takeover. #11

Closed smiegles closed 3 years ago

smiegles commented 6 years ago

The attacker here used an un-ethical way to exploit Unbounce which is resolved now as far as I believe.

https://github.com/EdOverflow/can-i-take-over-xyz#unbounce

diwsec commented 3 years ago

all the best

PRAZPC commented 3 years ago

Screenshot_2021-05-13_10-32-16_LI (2)

by any chance it is possible to take over this subdomain .. i dont want to register my credit card to create an account and try

0xElmalky commented 3 years ago

No i think it 's not possible to claim it .

pdelteil commented 3 years ago

Everytime you find an long string identifier, chances you can take the domain are very low.

On Fri, 14 May 2021, 06:01 0xElmalky, @.***> wrote:

No i think it 's not possible to claim it .

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/EdOverflow/can-i-take-over-xyz/issues/11#issuecomment-841145104, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE2OS75WBWO3XAHHWDAIEI3TNTYIJANCNFSM4EX2LSXA .

PRAZPC commented 3 years ago

Screenshot_2021-05-16_16-01-42_LI is takeover possible here

creimer808 commented 3 years ago

can you bypass Unbounce's control by doing an NSLOOKUP and using the alias associated with the domain that Unbounce has blocked?

mohamed-faris commented 2 years ago

so Unbounce not a vuln ?

unf0rgvn commented 2 years ago

2022-01-20 00_02_27-Window

It's vulnerable?

Abhaysoft-inc commented 2 years ago

no bro

OVERPEY commented 1 year ago

is it still working ?

Mentorsejdiu commented 1 year ago

Does this still work, anyone ?

RamkrishnaSawant commented 1 year ago

Does this still work, anyone ?

no

fsocietyxzy commented 1 year ago

@rojan-rijal ur totally right .. last night i reported a subdomain takover and it was using unbounce. The sec team triaged it asap ..! 😅 how you exploited i mean how takeover

dhtzs commented 1 year ago

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

xgt6op commented 1 year ago

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com    canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com    canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.196.95.178
Name: unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .

But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com    canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.195.98.178
Name: unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

fsocietyxzy commented 1 year ago

Thank you

Sent from Outlook for Androidhttps://aka.ms/AAb9ysg

From: Sayan Chakraborty @.> Sent: Friday, January 20, 2023 9:14:44 AM To: EdOverflow/can-i-take-over-xyz @.> Cc: fsocietyxzy @.>; Comment @.> Subject: Re: [EdOverflow/can-i-take-over-xyz] Unbounce is not vulnerable for subdomain takeover. (#11)

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer: Sub.Domain.com canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com. 1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com canonical name = unbouncepages.com. Name: unbouncepages.com Address: 18.196.95.178 Name: unbouncepages.com Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .

But if the Cname Record Was Like this :

Non-authoritative answer: Sub.Domain.com canonical name = unbouncepages.com. Name: unbouncepages.com Address: 18.195.98.178 Name: unbouncepages.com Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

— Reply to this email directly, view it on GitHubhttps://github.com/EdOverflow/can-i-take-over-xyz/issues/11#issuecomment-1397965468, or unsubscribehttps://github.com/notifications/unsubscribe-auth/A47PWBTRDZNJYB5GMI7JGCLWTIUNJANCNFSM4EX2LSXA. You are receiving this because you commented.Message ID: @.***>

francoataffarel commented 1 year ago

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

which command i can use to check this ?

muhammadahmad62 commented 1 year ago

dig subdomain.domain.com

muhammadahmad62 commented 1 year ago

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

muhammadahmad62 commented 1 year ago

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com  canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com  canonical name = unbouncepages.com.
Name:   unbouncepages.com
Address: 18.196.95.178
Name:   unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it . But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com  canonical name = unbouncepages.com.
Name:   unbouncepages.com
Address: 18.195.98.178
Name:   unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Are you sure ?

Found a case just like you said and this is what I got

Screenshot from 2021-05-07 00-31-12

this is the same error I am facing, anybody knows if it is still possible to bypass it and take over?

dhtzs commented 1 year ago

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

There was no error, for me at least. I guess it was pure luck, I guess?

muhammadahmad62 commented 1 year ago

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

There was no error, for me at least. I guess it was pure luck, I guess?

maybe, good for you. What about the txt record entry thing mentioned above, aren't we need to have access to the target's root domain for this? btw I just contacted the support team and they also provide me with an entry to add as Txt record, can I add this in any domain I owned?

xcapri commented 10 months ago

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com    canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com    canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.196.95.178
Name: unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it . But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com    canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.195.98.178
Name: unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

Yes you are right

Hi, is there any special indication other than cname, for example from the protocol whether SSL is available, error or not?

mohamadsharabi commented 10 months ago

still vulnerable ?

str0d commented 7 months ago

still vulnerable ?

Unfortunately not possible.

coj337 commented 6 months ago

It's still vulnerable but only as a rare edge case, I exploited a valid one a few days ago - see https://github.com/Stratus-Security/Subdominator/issues/1#issuecomment-1868153929

drealm-PsP commented 6 months ago

Hello @coj337 I recently saw on Unbounce account giving an 404 Status code. Could you please help me confirm if its vulnerable for subdomain takeover with your account? I don't have funds to purchase one. Thank you very much sir.

drealm-PsP commented 6 months ago

If it is, then well share the outcome. Am a bug bounty hunter by the way :)

Hunterdawn82 commented 2 months ago

I was able to add a domain but it says "Error Finding CNAME" How can i resolve this anyone?

drealm-PsP commented 2 months ago

Hello, even after when you add your domain, It is not vulnerable. Just shift your attention to something else.

pdelteil commented 2 months ago

Not true.

If you manage to add a custom domain then there's a complete subdomain take over.

Hunterdawn82 commented 1 month ago

Not true.

If you manage to add a custom domain then there's a complete subdomain take over.

Yeah i think so, it's possible, The domain was pointing at a random ip address while using dig command and when i can subzy it was vulnerable to unbounce subdomain takeover and also when i claimed the subdomain it got claimed but after that it was asking for a cname to go live i guess. So, if anyone knows how to do that please help

drealm-PsP commented 1 month ago

Ok. No challenge. I'll be glad to learn how you will do that. Thanks and regards