[go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Getresponse.com vulnerable to subdomain takeover #235

Open
darkpills opened this issue Aug 30, 2021 · 10 comments
Open

Getresponse.com vulnerable to subdomain takeover #235

darkpills opened this issue Aug 30, 2021 · 10 comments

Comments

@darkpills
Copy link

Service name

GetResponse - https://www.getresponse.com/

Vulnerable domain which can be takeover

image

Fingerprint: "Cette landing page n'est plus disponible" (FR)

Steps to takeover

  1. Register an account on https://www.getresponse.com/
  2. Create a new domain : My Account > Manage account > Landing page domain > Add domain: declare the victim subdomain to takeover: sub.victim.com
  3. Do a "dig sub.victim.com" to get the CNAME. There should be a CNAME for any of the getresponse tool domains: gr8.com, subscribemenow.com, getresponsepages.com
  4. Create a new landing page that will be displayed. In the Edit settings > landging page url settings > put the subdomain you saw previously like: test.gr8.com to make your landing page response to the sub.victim.com
@darkpills darkpills changed the title Getresponse.coom vulnerable to subdomain takeover Getresponse.com vulnerable to subdomain takeover Sep 28, 2021
@TheElgo64
Copy link

Hmmm, not vulnerable now.
30/12/2021

@darkpills
Copy link
Author

I remember I could not make the association between the vulnerable domain with the admin interface, I had to open a ticket to the support to make them associate the domain even if it is not associated with any customer.

@GDATTACKER-RESEARCHER
Copy link

working i have tested

@lovepentest
Copy link

Not working now

@VictimV59
Copy link

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

@GDATTACKER-RESEARCHER
Copy link

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

It simply means it's already claimed by org or someone but the default page is not changed.

@VictimV59
Copy link

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

@GDATTACKER-RESEARCHER
Copy link

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

Yes

@VictimV59
Copy link

Thanks for explaining😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants
@darkpills @GDATTACKER-RESEARCHER @lovepentest @TheElgo64 @VictimV59 and others