Twitter : Mopub.com Subdomain Takeover
Hello everyone out there! Today I'll show you how my friend and I took over a sub-domain of http://mopub.com, a property of Twitter ☺
So how does a sub-domain takeover work?
In simple words, it happens when a domain manager points a subdomain to an external server but forgets to claim it on the external service, or lets the account there expire. In that case anyone can claim it and place content on it 😮.
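The dangling-record condition described above is something a domain owner can audit for on their own zone. What follows is an added example, not code from the original post or from Twitter or DYN: a Python check that walks a zone's CNAME records, flags targets that no longer resolve (NXDOMAIN), and, for fingerprinted third-party providers, flags hostnames where the provider answers with its "nobody owns this hostname" page. The provider suffixes (dyn-service.example, pages.example), their unclaimed-response text, the sample zone and the fake DNS/HTTP answers are all constructed for the example; nothing here touches web.mopub.com.

```python
"""Audit a zone's CNAME records for dangling or unclaimed third-party targets.

Added example (not from the original post). The zone, DNS answers, HTTP bodies
and provider fingerprints below are constructed for illustration. Replace the
two callbacks with live ones (see live_resolve) to run against a real zone.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[List[str]]]   # hostname -> A records, None = NXDOMAIN
Fetcher = Callable[[str], Tuple[int, str]]        # hostname -> (HTTP status, body)

# Assumed provider fingerprints: the suffix a CNAME target lives under, and the
# text that provider serves for a hostname no tenant has claimed.
UNCLAIMED_MARKERS: Dict[str, str] = {
    "dyn-service.example": "this hostname is not configured",
    "pages.example": "there isn't a site here",
}


@dataclass
class Finding:
    host: str
    target: str
    status: str   # "ok" | "nxdomain" | "unclaimed"
    reason: str


def provider_for(target: str) -> Optional[str]:
    """Return the fingerprinted provider suffix the target belongs to, if any."""
    for suffix in UNCLAIMED_MARKERS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def audit_cnames(cnames: Dict[str, str], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    """Classify every CNAME in the zone.

    nxdomain  - the target no longer exists; whoever recreates it controls the hostname.
    unclaimed - the target resolves, but the provider says no tenant owns this
                hostname, so any account holder there could claim it.
    ok        - resolves and, for a known provider, serves real tenant content.
    """
    findings: List[Finding] = []
    for host, target in sorted(cnames.items()):
        if resolve(target) is None:
            findings.append(Finding(host, target, "nxdomain", "CNAME target does not resolve"))
            continue
        suffix = provider_for(target)
        if suffix is None:
            findings.append(Finding(host, target, "ok", "resolves; not a fingerprinted provider"))
            continue
        status, body = fetch(host)
        if UNCLAIMED_MARKERS[suffix] in body.lower():
            findings.append(Finding(host, target, "unclaimed",
                                    f"{suffix} answered HTTP {status} with its unclaimed-hostname page"))
        else:
            findings.append(Finding(host, target, "ok", f"{suffix} serves tenant content (HTTP {status})"))
    return findings


def live_resolve(hostname: str) -> Optional[List[str]]:
    """Real resolver for production use: A records, or None when the name cannot be resolved."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except (socket.gaierror, socket.herror):
        return None


# Constructed sample zone and the answers a resolver / HTTP client would return for it.
SAMPLE_CNAMES = {
    "web.example.test": "customer-1234.dyn-service.example",   # provider record exists, nobody claimed it
    "blog.example.test": "old-tenant.pages.example",            # tenant deleted, target is NXDOMAIN
    "www.example.test": "lb.internal.example.test",             # in-house target, healthy
    "docs.example.test": "live-tenant.pages.example",           # claimed tenant, healthy
}
FAKE_DNS = {
    "customer-1234.dyn-service.example": ["203.0.113.10"],
    "lb.internal.example.test": ["192.0.2.20"],
    "live-tenant.pages.example": ["203.0.113.30"],
}
FAKE_HTTP = {
    "web.example.test": (404, "Error: This hostname is not configured on this service."),
    "docs.example.test": (200, "<html><body>Welcome to our docs</body></html>"),
}


def run_sample() -> Dict[str, str]:
    """Run the audit over the constructed zone and return host -> status."""
    findings = audit_cnames(SAMPLE_CNAMES, FAKE_DNS.get, lambda h: FAKE_HTTP.get(h, (0, "")))
    return {f.host: f.status for f in findings}


if __name__ == "__main__":
    for f in audit_cnames(SAMPLE_CNAMES, FAKE_DNS.get, lambda h: FAKE_HTTP.get(h, (0, ""))):
        print(f"{f.status:10} {f.host} -> {f.target}: {f.reason}")
```

Run periodically from the zone file or the DNS provider's API, and treat every `nxdomain` or `unclaimed` finding as a record to delete or re-claim before someone else does; the fix Twitter applied (removing the DYN entries) is exactly what clears the first category.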
My friend has good skills in dorking, so apart from wordlist-based sub-domain bruting he started with his dorking and found a sub-domain, http://web.mopub.com, which was pointing to DYN servers (DYN is a service for redirects with DNS-manager-like features).
Then I tried to claim it via a trial, but DYN was not accepting Indian credit cards. I tested it in another DYN account and got an error that the domain was already claimed; this was because I had added it to my cart in the first account. That clearly meant they had not claimed that subdomain (I was already pretty sure from the error on the subdomain, but this confirmed it). I reported it as a theory-based report, but Twitter kept saying "Need more info"; after a clear explanation of the theory and the cart PoC they finally triaged it 😇.
But the main part starts here: I removed the subdomain from my DYN account, and someone claimed it with a US card #_#
😤😤😤 Now I had a PoC as well :-) I gave this to Twitter (the bounty had already been rewarded).
They patched it by removing the DYN entries.
My tip to all newbies: you will not always get XSS and the pre-defined stuff. You should keep an eye on what is going on around your target.
Thanks to that guy who claimed it 😂😆
"My Friend" = Rudra Pratap Singh
Bug Timeline
28 Feb 2016 -- Bug found and Reported
29 Feb 2016 -- Need more information
29 Feb 2016 -- More info send by friend
01 Mar 2016 -- Need more information
01 Mar 2016 -- More information sent by me
02 Mar 2016 -- Triaged
05 Mar 2016 -- $280 Bounty rewarded
10 Mar 2016 -- Issue Resolved