Unbounce is not vulnerable for subdomain takeover. #11
Comments
|
Going through the hackerone report it seems that this instance of subdomain takeover was indeed an exploitation of a vulnerability on the Unbounce services. In the same report, both parties (researcher and Unbounce security team) confirm that the Unbounce vulnerability has been fixed. |
|
@edeirme , subdomain takeover with Unbounce is still possible. I confirmed this right now by creating a domain and then setting its CNAME to unbouncepages.com. This is what Unbounce asks its user to do. If you have a domain that is pointed to unbouncepages.com but does not look claimed, you can create a user account, add a PayPal or Credit Card and then add a custom domain. Once the custom domain is added and you publish a page, it should display the content in that domain. |
|
@rojan-rijal ur totally right .. last night i reported a subdomain takover and it was using unbounce. The sec team triaged it asap ..! |
|
I think the main issue is the fact that we reference https://hackerone.com/reports/202767 in the Unbounce section which, as @smiegles pointed out, is not accurate and can no longer be exploited. We should remove that reference. Thank you for raising an issue, @smiegles. |
|
Are you sure the takeover is still possible?
|
|
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com Any idea how we can now |
|
I don't think we can if someone has an unbounce account I can give you a link to test |
|
@rosonsec @d55pak, Last I checked it was still possible. There might be some edge cases though for example, when I tested, I simply pointed my domain to Unbounces CNAME and see if it was vulnerable. In your case it seems like the domain was being used activity before and then removed from Unbounce. Unbounce might be blocking takeover on those types of domains but I am not sure yet. I will look into this further and update the ticket. |
|
@rojan-rijal if you DM me on Twitter I can give you a previously used domain that is still pointing to a unbounce CNAME |
👍 |
|
Sorry, I have been extremely busy lately and have not had a chance to update the project. We determined that there is only one rare case where one can hijack a subdomain pointing to Unbounce and that is if the team never had a project in the first place. The likelihood of this being the case is so minute that I personally do not think we should claim that it is possible to hijack subdomains pointing towards Unbounce. Thank you to everyone who participated in this discussions here; it is an absolute pleasure seeing everyone working together like this. :) |
|
Hey there, I was reading this thread and seems pretty interesting. Which is a subdomain takeover? A subdomain takeover is posible when the attacker can claim an unclaimed domain name through an alias or canonical name (cname) pointing to unbouncepages.com.
*The 3rd options is still available and works: so YES, unbouncepages is Vulnerable to Subdomain Takeover. regards, |
EdOverflow
added
edge case
|
@EdOverflow @codingo Takeover via Unbounce is still |
|
;) |
|
@ak1t4 They mentioned here this is |
|
That awkward moment when you realise that you have left the target's hostname in the tab bar. :P |
|
@EdOverflow By mistake :-D but its fixed now and didn't Pay. |
|
hahahaahah!!! |
|
Hi, |
|
No bro there is an old Subdomains connected to |
|
Hi @Vishnugadupudi as @ak1t4 said :
info.hacker.one is already in use and already has pages example :
So not possible to takeover it . Kind Regards, |
|
@m7mdharoun :) |
|
hello.guys. |
I just tried today and it fails .... |
|
can you bypass Unbounce's control by doing an NSLOOKUP and using the alias associated with the domain that Unbounce has blocked? |
|
so Unbounce not a vuln ? |
|
It's vulnerable? |
|
no bro |
|
is it still working ? |
|
Does this still work, anyone ? |
no |
|
|
I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022). |
Hello, can you tell me the tool name I also have the same problem with this .Please |
|
Thank you
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Sayan Chakraborty ***@***.***>
Sent: Friday, January 20, 2023 9:14:44 AM
To: EdOverflow/can-i-take-over-xyz ***@***.***>
Cc: fsocietyxzy ***@***.***>; Comment ***@***.***>
Subject: Re: [EdOverflow/can-i-take-over-xyz] Unbounce is not vulnerable for subdomain takeover. (#11)
Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this
Non-authoritative answer:
Sub.Domain.com canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.196.95.178
Name: unbouncepages.com
Address: 54.93.101.65
Is 100% Not Vulnerable And You Can't Claim it .
But if the Cname Record Was Like this :
Non-authoritative answer:
Sub.Domain.com canonical name = unbouncepages.com.
Name: unbouncepages.com
Address: 18.195.98.178
Name: unbouncepages.com
Address: 54.93.101.
it is 100% Vulnerable For Takeover And Congrats about the bounty 100
Hello, can you tell me the tool name I also have the same problem with this .Please
—
Reply to this email directly, view it on GitHub<#11 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A47PWBTRDZNJYB5GMI7JGCLWTIUNJANCNFSM4EX2LSXA>.
You are receiving this because you commented.Message ID: ***@***.***>
|
which command i can use to check this ? |
|
dig subdomain.domain.com |
how you bypass the domain error? |
this is the same error I am facing, anybody knows if it is still possible to bypass it and take over? |
There was no error, for me at least. I guess it was pure luck, I guess? |
maybe, good for you. |
Hi, is there any special indication other than cname, for example from the protocol whether SSL is available, error or not? |
|
still vulnerable ? |
Unfortunately not possible. |
|
It's still vulnerable but only as a rare edge case, I exploited a valid one a few days ago - see Stratus-Security/Subdominator#1 (comment) |
|
Hello @coj337 I recently saw on Unbounce account giving an 404 Status code. Could you please help me confirm if its vulnerable for subdomain takeover with your account? I don't have funds to purchase one. Thank you very much sir. |
|
If it is, then well share the outcome. |
|
I was able to add a domain but it says "Error Finding CNAME" How can i resolve this anyone? |
|
Hello, even after when you add your domain, It is not vulnerable. |
|
Not true. If you manage to add a custom domain then there's a complete subdomain take over. |
Yeah i think so, it's possible, The domain was pointing at a random ip address while using dig command and when i can subzy it was vulnerable to unbounce subdomain takeover and also when i claimed the subdomain it got claimed but after that it was asking for a cname to go live i guess. So, if anyone knows how to do that please help |
|
Ok. No challenge. |
and others
The attacker here used an un-ethical way to exploit Unbounce which is resolved now as far as I believe.
https://github.com/EdOverflow/can-i-take-over-xyz#unbounce
The text was updated successfully, but these errors were encountered: