Uptimerobot.com Custom Domain Takeover

Question

Uptimerobot.com Custom Domain Takeover

0xAsuka opened this issue 6 years ago · comments

Kururu Sumeragi commented 6 years ago

Uptimerobot.com

There is no additional verification for add custom domain. just add cname record and pointing to stats.uptimerobot.com

https://exploit.linuxsec.org/uptimerobot-com-custom-domain-subdomain-takeover/

sorry it is indonesian language. but i add some screenshot so i think you will understand.

@bluedangerforyou David Enos · Answer 1 · Sat Nov 10 2018 10:52:22 GMT+0800 (China Standard Time)

What is the error on browser? Page not found? 404? page not found? I cannot seem to find a sample not found page.

Kururu Sumeragi · Answer 2 · Sat Nov 10 2018 21:20:11 GMT+0800 (China Standard Time)

yes. it say "page not found"

@bluedangerforyou David Enos · Answer 3 · Sun Nov 11 2018 01:57:26 GMT+0800 (China Standard Time)

Thank you.

marcelo321 · Answer 4 · Fri May 01 2020 11:41:18 GMT+0800 (China Standard Time)

@linuxsec Hey, how does the cname look like? and the fingerprint only says "page not found"?

Aditya Thebe · Answer 5 · Thu May 07 2020 00:53:30 GMT+0800 (China Standard Time)

What is the impact of this takeover ?

Aditya Thebe · Answer 6 · Thu May 07 2020 03:02:15 GMT+0800 (China Standard Time)

There's nothing much we can do by setting up a "Public Status Page" in uptimerobot

bsysop · Answer 7 · Thu May 07 2020 23:14:35 GMT+0800 (China Standard Time)

Take a look in the impact

IMPACT: High 7~8.9
BOUNTY: 100 $

😂

Just for Phishing i guess.

Aditya Thebe · Answer 8 · Thu May 07 2020 23:21:58 GMT+0800 (China Standard Time)

Just for Phishing i guess.

Not sure how we can do phishing either since we have absolute no control over the uptimerobot subdomain.

Sorry if I am not understanding correctly

bsysop · Answer 9 · Thu May 07 2020 23:25:37 GMT+0800 (China Standard Time)

I mean:

Bug hunter: This is 100% useless for a Bug Hunter, just find, takeover and report.
BlackHat: BlackHat can takeover that domain and configure some content and try to trick someone to believe in the attacker words and perform a "Phishing attack"

Not means a bug hunter will do a phishing attack of course.

Aditya Thebe · Answer 10 · Thu May 07 2020 23:33:36 GMT+0800 (China Standard Time)

I meant to say it's not possible to perform a phishing attack even for a malicious user.

Even if a subdomain abc.example.com that is pointing to stats.uptimerobot.com is vulnerable to takeover then all an attacker can do is register abc.example.com in uptimerrobot. But that's just it. Visiting the subdomain will show the stats of some site (the attacker has the freedom to choose which site) but there's nothing much one can do beyond that.

bsysop · Answer 11 · Thu May 07 2020 23:52:33 GMT+0800 (China Standard Time)

That example show everything UP, right? lets say you properly set a server DOWN just to TRICK (LIE) the company... now you have convinced some staff they have a server down, so now you have a person in panic in the other side, now you can try use that in your favour to do something you need, like click in other poisoned link, or something.

Again, its not something impactful i tried to say its only what an blackhat attacker can do, which in BugBounty it means nothing.

sumgr0 · Answer 12 · Fri May 08 2020 01:53:33 GMT+0800 (China Standard Time)

The service is similar to statuspage.io and may not be considered impactful.

Joker-cyber369 · Answer 13 · Wed Jun 02 2021 22:49:00 GMT+0800 (China Standard Time)

I have a message like
404 PAGE NOT FOUND
on a website how can I take over that subdomain

Sayan Chakraborty · Answer 14 · Sat Feb 04 2023 01:04:54 GMT+0800 (China Standard Time)

I got a 404 page and did not find how to take over the page.

Sayan Chakraborty · Answer 15 · Mon Feb 13 2023 19:26:15 GMT+0800 (China Standard Time)

Can anyone help me that do I have to buy premium for the custom domain?

Ye-Yint-Htet-T · Answer 16 · Mon May 08 2023 03:36:06 GMT+0800 (China Standard Time)

Hello

this is need premium account ?? add for custom domain