LaunchRock offers service to create marketing pages.
Proof
I was able to perform subdomain takeover in the private program on H1. The POC costed me a 9$ to buy the Premium plan on service (adding custom subdomain is available only on Premium plan). The issue was confirmed, fixed, and rewarded.
Documentation
String to determine subdomain takeover:
It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
The vulnerable subdomain can be pointed to the LaunchRock via CNAME (example.launchrock.com) or via next A records:
Service name
LaunchRock offers service to create marketing pages.
Proof
I was able to perform subdomain takeover in the private program on H1. The POC costed me a 9$ to buy the Premium plan on service (adding custom subdomain is available only on Premium plan). The issue was confirmed, fixed, and rewarded.
Documentation
String to determine subdomain takeover:
The vulnerable subdomain can be pointed to the LaunchRock via CNAME (example.launchrock.com) or via next A records:
If above conditions are met, we can perform subdomain takeover by adding a vulnerable subdomain as LaunchRock custom domain in the control panel
Ability to inject custom JS
Yes, we can add arbitrary Javascript through control panel.
Last checked date
Dec 2018