Subdomain Takeover via Branch

[hussain0x3c]

Service name

Branch - https://branch.io

Proof

Steps to Reproduce

1 - Sign up in branch.io. 2 - After login in go to the configuration page. 3 - Set the vulnerable domain in the link domain. 4 - Create your link from the Universal Ads page.

Documentation

1- There's no proof page, but the subdomain redirects you to https://branch.io/what-is-applink/. 2- The subdomain is usually called app or SMS.

[sumgr0]

Can you share the fingerprints for identification?

[hussain0x3c]

Can you share the fingerprints for identification?

share.vulnerable.com. 300 IN CNAME custom.bnc.lt. custom.bnc.lt. 3 IN A 52.52.224.167 custom.bnc.lt. 3 IN A 52.53.67.13 custom.bnc.lt. 3 IN A 52.52.150.189 custom.bnc.lt. 3 IN A 13.56.61.228 custom.bnc.lt. 3 IN A 13.57.114.155 custom.bnc.lt. 3 IN A 50.18.199.4 custom.bnc.lt. 3 IN A 52.8.236.92 custom.bnc.lt. 3 IN A 52.52.244.71

[sumgr0]

Thanks...

Does it have an error fingerprint as well for the webpage or DNS records?

[hussain0x3c]

@sumgr0 No,

There's no proof page, but the subdomain redirects you to https://branch.io/what-is-applink/.

[sumgr0]

Cool.. Thanks

[akbruster]

@hussain0x3c i am having problem with last step that is no.4 create your link from the universal ads page. can you reach me on twitter https://twitter.com/ak_bruster

[achabi-ismail]

sub.domain.com has final CNAME equal to thirdparty.bnc.lt., but it must be custom.bnc.lt.