Subdomain takeover via LaunchRock #74

ghost opened this issue Jan 11, 2019 · 3 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.


ghost commented Jan 11, 2019

Service name

LaunchRock offers a service to create marketing pages.

Proof

I was able to perform a subdomain takeover in a private program on H1. The PoC cost me $9 to buy the Premium plan on the service (adding a custom subdomain is available only on the Premium plan). The issue was confirmed, fixed, and rewarded.

Documentation

String to determine subdomain takeover:

It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.

The vulnerable subdomain can be pointed to LaunchRock via CNAME (example.launchrock.com) or via the following A records:

54.243.190.28
54.243.190.39
54.243.190.47
54.243.190.54

If the above conditions are met, we can perform a subdomain takeover by adding the vulnerable subdomain as a LaunchRock custom domain in the control panel.

Ability to inject custom JS

Yes, we can add arbitrary JavaScript through the control panel.

Last checked date

Dec 2018

EdOverflow added the vulnerable label Mar 2, 2019

@TheTechromancer (Contributor)

The fingerprint for this appears to have changed. Unclaimed subdomains now respond with an HTTP 500.

@thepoorhacker

Hello @TheTechromancer,
is it still vulnerable?


ceylanb commented Nov 28, 2024

The string mentioned in the first comment for detecting subdomain takeover is returned with 404, instead of 500.

image
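
For auditing your own zone against the conditions described in this thread, the following is an added example, not code from the issue's participants or the project. It flags records pointing at the LaunchRock CNAME suffix or A records quoted above, then classifies a response you fetched from a flagged host using the fingerprint string and the 404/500 statuses reported in the comments; the function names and the `example.org` zone are constructed for illustration.

```python
# Added example: audit your own DNS zone for records that point at LaunchRock.
# IPs, CNAME suffix and fingerprint string are the ones quoted in this issue.
LAUNCHROCK_IPS = {"54.243.190.28", "54.243.190.39", "54.243.190.47", "54.243.190.54"}
LAUNCHROCK_SUFFIX = ".launchrock.com"
FINGERPRINT = "It looks like you may have taken a wrong turn somewhere."
UNCLAIMED_STATUSES = {404, 500}  # statuses reported in the later comments


def launchrock_records(zone_text):
    """Return {name: [(rtype, value), ...]} for records pointing at LaunchRock."""
    hits = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing zone-file comments
        # Expect "<name> [ttl] IN <type> <value>"; anything else is skipped.
        if len(fields) < 4 or fields[-3].upper() != "IN":
            continue
        name, rtype = fields[0].rstrip(".").lower(), fields[-2].upper()
        target = fields[-1].rstrip(".").lower()
        if (rtype == "CNAME" and target.endswith(LAUNCHROCK_SUFFIX)) or \
           (rtype == "A" and target in LAUNCHROCK_IPS):
            hits.setdefault(name, []).append((rtype, target))
    return hits


def classify(status, body):
    """Classify an HTTP response fetched from one of your own flagged hostnames."""
    if FINGERPRINT in body:
        return "dangling"   # error page text from the first comment
    if status in UNCLAIMED_STATUSES:
        return "review"     # status matches but text does not: check manually
    return "claimed"


# Constructed sample zone (example.org names are placeholders).
SAMPLE_ZONE = """\
www.example.org.     3600 IN A     192.0.2.10
promo.example.org.   300  IN CNAME example.launchrock.com.
beta.example.org.    300  IN A     54.243.190.39
mail.example.org.    3600 IN MX    10 mx.example.org. ; not relevant
"""

if __name__ == "__main__":
    for host, recs in launchrock_records(SAMPLE_ZONE).items():
        print(host, recs)
```

Hosts classified as "dangling" or "review" should have the DNS record removed or be re-claimed in the LaunchRock control panel.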
