Getresponse.com vulnerable to subdomain takeover

Question

Getresponse.com vulnerable to subdomain takeover

darkpills opened this issue 3 years ago · comments

darkpills commented 3 years ago

Service name

GetResponse - https://www.getresponse.com/

Vulnerable domain which can be takeover

Fingerprint: "Cette landing page n'est plus disponible" (FR)

Steps to takeover

Register an account on https://www.getresponse.com/
Create a new domain : My Account > Manage account > Landing page domain > Add domain: declare the victim subdomain to takeover: sub.victim.com
Do a "dig sub.victim.com" to get the CNAME. There should be a CNAME for any of the getresponse tool domains: gr8.com, subscribemenow.com, getresponsepages.com
Create a new landing page that will be displayed. In the Edit settings > landging page url settings > put the subdomain you saw previously like: test.gr8.com to make your landing page response to the sub.victim.com

Moamen Gomaa · Answer 1 · Fri Dec 31 2021 04:55:34 GMT+0800 (China Standard Time)

Hmmm, not vulnerable now.
30/12/2021

darkpills · Answer 2 · Sat Jan 01 2022 00:24:06 GMT+0800 (China Standard Time)

I remember I could not make the association between the vulnerable domain with the admin interface, I had to open a ticket to the support to make them associate the domain even if it is not associated with any customer.

@gdattacker · Answer 3 · Wed Aug 03 2022 03:05:09 GMT+0800 (China Standard Time)

working i have tested

lovepentest · Answer 4 · Fri Apr 07 2023 02:12:35 GMT+0800 (China Standard Time)

Not working now

VictimV59 · Answer 5 · Wed Apr 12 2023 22:35:16 GMT+0800 (China Standard Time)

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

@gdattacker · Answer 6 · Wed Apr 12 2023 22:41:09 GMT+0800 (China Standard Time)

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

It simply means it's already claimed by org or someone but the default page is not changed.

VictimV59 · Answer 7 · Wed Apr 12 2023 22:54:13 GMT+0800 (China Standard Time)

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

@gdattacker · Answer 8 · Wed Apr 12 2023 22:54:59 GMT+0800 (China Standard Time)

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

Yes

VictimV59 · Answer 9 · Wed Apr 12 2023 22:58:23 GMT+0800 (China Standard Time)

Thanks for explaining😄