WordPress Subdomain Takeover on Bugcrowd Private Program

Prajit Sindhkar
4 min read · Oct 18, 2022

Hello guys👋👋, Prajit here from the BUG XS Team. Recently I got a valid WordPress Subdomain Takeover on a Bugcrowd private program, and in this write-up I will discuss how I found it. Hope you enjoy it 😉!

So before jumping directly into steps, let me give you a short gist of Subdomain Takeover for those who don’t know.

What is Subdomain Takeover?

Subdomain takeovers are a class of vulnerabilities in which attackers can take control of an organization’s subdomain. This happens because of misconfigured DNS.

In simple words, suppose you are a company developer and you were instructed to create a website (here a subdomain) for an event that is being organized. You created that website with the help of WordPress, hosted it with proper DNS configuration (of course, without proper DNS configuration your website won’t be accessible on the internet), and it was up and running.

Now, after the event was over, the company instructed you to remove that website, since there is no more use for that event page. Being a slacker, you just removed the site and reported that “yes, now the website is down”. But the DNS record was never removed, so it is now pointing to a site that does not exist.

And this is where we attackers will strike. We will simply create a subdomain with the same name, and in many cases the same CNAME as the one the DNS records are pointing to. And voilà, you took over a subdomain.

Now, even though the process is so simple, why do most people find this vulnerability hard to test for and find?

The main reason is that each service provider has a different set of steps and methods for takeover. Some might need the subdomain name, some might need the CNAME that the subdomain is pointing to; it depends completely on the service you are trying to take over.

The good thing is that there is an awesome repository which you can use as a reference for subdomain takeover on many different services.

I believe that even if the steps of takeover are different, the core concept of subdomain takeover remains the same. Let me list the steps here.

Core Steps of Subdomain Takeovers

  1. Find a subdomain that returns status code 404 and shows some service fingerprint. (A fingerprint here is the way a company declares that this website was hosted on its service.) You can check the different fingerprint lists in the repository mentioned above to conclude which service that subdomain is hosted on.
  2. If you are not so sure about the fingerprint, you can also look up the CNAME of that subdomain, which may also reveal which service it is (e.g. for Freshworks-powered subdomains it can be <anything>.myfreshworks.com).
  3. Once you know what service it is, gather all the info you require for the takeover, make an account on the website of that service (e.g. WordPress) and check for functionalities like “Connect a domain”, “Link to Existing Domain”, etc. (The names of these functionalities differ from service to service.) Once you find these endpoints, it will be clear how the subdomain connection works. If it works with the direct subdomain name, you can use that; if it works with the CNAME, you can use the following website to get the CNAME: https://mxtoolbox.com/CNAMELookup.aspx
  4. Once you have connected your target subdomain to the service from your account, you have complete control over that subdomain, hence Subdomain Takeover.
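
For defenders, the two signals from steps 1 and 2 (a CNAME that leaves your zone for an external service, and a 404 carrying that service's unclaimed-site page) can be checked across your own DNS inventory before anyone else does. This is an added example, not code from the original write-up; the service suffixes, marker strings, record layout and hostnames are constructed placeholders that you would replace with the entries for the providers your organization actually uses.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed placeholders: CNAME suffix -> (service, text on its unclaimed-site page).
SERVICES = {
    ".hosting.example": ("ExampleHost", "no site is configured at this address"),
    ".pages.example": ("ExamplePages", "there isn't a site here"),
}

@dataclass
class Record:
    name: str
    cname: Optional[str]   # CNAME target from your zone export, None for A/AAAA
    status: Optional[int]  # HTTP status seen when fetching the name, None if no reply
    body: str = ""

def classify(rec, own_zone):
    """Return (verdict, reason); verdict is 'ok', 'review' or 'dangling'."""
    if not rec.cname:
        return ("ok", "no CNAME")
    target = "." + rec.cname.rstrip(".").lower()
    if target.endswith("." + own_zone):
        return ("ok", "CNAME stays inside own zone")
    for suffix, (service, marker) in SERVICES.items():
        if not target.endswith(suffix):
            continue
        if rec.status == 404 and marker in rec.body.lower():
            return ("dangling", f"{service}: 404 plus unclaimed-site marker")
        if rec.status is None or rec.status == 404:
            return ("review", f"{service}: no live site confirmed")
        return ("ok", f"{service}: site answers normally")
    return ("review", "CNAME to a service not in the table")

def audit(records, own_zone):
    """Flagged (name, verdict, reason) tuples, 'dangling' before 'review'."""
    hits = [(r.name, *classify(r, own_zone)) for r in records]
    return sorted((h for h in hits if h[1] != "ok"), key=lambda h: h[1])

# Constructed inventory: zone export joined with one HTTP fetch per name.
SAMPLE = [
    Record("www.example.com", None, 200),
    Record("blog.example.com", "oldblog.hosting.example.", 404,
           "<h1>No site is configured at this address</h1>"),
    Record("shop.example.com", "store.pages.example", 200, "<html>shop</html>"),
    Record("event.example.com", "ev2022.pages.example", None),
    Record("cdn.example.com", "edge.cdn.example.com", 200),
    Record("docs.example.com", "x.unknown-saas.example", 404, "Not Found"),
]
print(*audit(SAMPLE, "example.com"), sep="\n")
```

A `dangling` verdict means the DNS record should be deleted or the site re-claimed on the service; `review` entries need a manual look because the table cannot confirm a live site.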

I hope this information gave you proper insight into the flow of subdomain takeover vulnerabilities. Now let us move to the steps of the vulnerability which I found:

WordPress Subdomain Takeover Steps:

  1. The WordPress-powered subdomain, let’s say blog.redacted.com, has this kind of service fingerprint:

     [Image: WordPress Service Fingerprint]

  2. Now go to your WordPress account at a URL like https://wordpress.com/start/domains/use-your-domain

     [Image: Connect Domain I own]

  3. Connect the subdomain blog.redacted.com by paying the fee.

     [Image: Click on Connect Your Domain]
     [Image: Select Plan and Complete the Payment]

  4. You will see it is connected, hence vulnerable. Now host any page you want on this subdomain.

     [Image: Subdomain Takeover POC]

Bounty Proof:

So this is all about this write-up. Hope you liked it. If you found this informative, do not forget to clap👏, and do let me know if you have any doubts✌️. I am also planning a new series of write-ups which I will start soon, so stay tuned, and hit that follow button.

Thanks For Reading😊

Profile Links:

Twitter: https://twitter.com/SAPT01

LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/

Instagram: https://instagram.com/prajit_01?utm_medium=copy_link

BUG XS Official Website: https://www.bugxs.co/

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community