EdOverflow/can-i-take-over-xyz

Unbounce is not vulnerable to subdomain takeover.

smiegles opened this issue · 83 comments

The attacker here used an unethical way to exploit Unbounce, which is resolved now as far as I believe.

https://github.com/EdOverflow/can-i-take-over-xyz#unbounce

Going through the hackerone report it seems that this instance of subdomain takeover was indeed an exploitation of a vulnerability on the Unbounce services. In the same report, both parties (researcher and Unbounce security team) confirm that the Unbounce vulnerability has been fixed.
Unless there is another instance of subdomain takeover for Unbounce I'll agree with @smiegles that Unbounce's entry is a false-positive.

@edeirme , subdomain takeover with Unbounce is still possible. I confirmed this right now by creating a domain and then setting its CNAME to unbouncepages.com. This is what Unbounce asks its user to do. If you have a domain that is pointed to unbouncepages.com but does not look claimed, you can create a user account, add a PayPal or Credit Card and then add a custom domain. Once the custom domain is added and you publish a page, it should display the content in that domain.

@rojan-rijal ur totally right .. last night i reported a subdomain takeover and it was using unbounce. The sec team triaged it asap ..!
😅

I think the main issue is the fact that we reference https://hackerone.com/reports/202767 in the Unbounce section which, as @smiegles pointed out, is not accurate and can no longer be exploited. We should remove that reference. Thank you for raising an issue, @smiegles.

Are you sure the takeover is still possible?
I am getting this error message when I try to "Add a New Custom Domain":

Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.


Any idea how we can now

I don't think we can if someone has an unbounce account I can give you a link to test

@rosonsec @d55pak, last I checked it was still possible. There might be some edge cases though; for example, when I tested, I simply pointed my domain to Unbounce's CNAME to see if it was vulnerable. In your case it seems like the domain was being actively used before and then removed from Unbounce. Unbounce might be blocking takeover on those types of domains, but I am not sure yet. I will look into this further and update the ticket.
Cheers!

@rojan-rijal if you DM me on Twitter I can give you a previously used domain that is still pointing to a unbounce CNAME

  • I have tried to takeover 10 subdomains which has following Fingerprint
    The requested URL was not found on this server.

Results of 10 subdomains are either:

Domain is already in use.
( or )
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.

  • Looks like Unbounce is preventing takeovers of domains that have used their service previously.

👍

Sorry, I have been extremely busy lately and have not had a chance to update the project. We determined that there is only one rare case where one can hijack a subdomain pointing to Unbounce and that is if the team never had a project in the first place. The likelihood of this being the case is so minute that I personally do not think we should claim that it is possible to hijack subdomains pointing towards Unbounce. Thank you to everyone who participated in this discussion here; it is an absolute pleasure seeing everyone working together like this. :)

ak1t4 commented

Hey there, I was reading this thread and seems pretty interesting. Which is a subdomain takeover?

A subdomain takeover is possible when the attacker can claim an unclaimed domain name through an alias or canonical name (CNAME) pointing to unbouncepages.com.
Some 3rd party services put filters to avoid this, like adding a random TXT record or hash or others methods to force and secure the DNS entries as unique per customer, which is NOT the case of unbouncepages.
An attacker can claim a domain not claimed over unbouncepages.com. So, We have 3 scenarios when we want takeover a subdomain over unbounce:

  1. 'Domain is already in use' (which means that the domain is claimed)
  2. 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (Which means that the domain is NOT actually claimed or used but Unbounce detects that the domain was used in the past) [they put this filter as an attempt to avoid takeovers.]
  3. Claim the domain (no errors: the domain is added to domains section correctly)

*The 3rd option is still available and works: so YES, unbouncepages is Vulnerable to Subdomain Takeover.

regards,
@ak1t4

@EdOverflow @codingo Takeover via Unbounce is still Vulnerable as @ak1t4 said there is 3 cases .. I do a takeover last week and my friend do 1 takeover from unbounce less than month ago

ak1t4 commented

;)

@ak1t4 They mentioned here this is Edge Case and in the main status Not vulnerable ..
This PoC belongs to the duplicate report which got marked duplicate after being triaged and fixed :-(

image

That awkward moment when you realise that you have left the target's hostname in the tab bar. :P

@EdOverflow By mistake :-D
default

but its fixed now and didn't Pay.

ak1t4 commented

hahahaahah!!!

Hi,
where I can find vulnerable domain sites because I tried for many one but not get it to perform subdomain takeover. Even search in google dork.

No bro there is an old Subdomains connected to Unbounce Services so Unbounce takeover is still exist.

Hi @Vishnugadupudi as @ak1t4 said :

We have 3 scenarios when we want takeover a subdomain over unbounce:

  1. 'Domain is already in use' (which means that the domain is claimed)
  2. 'Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.' (Which means that the domain is NOT actually claimed or used but Unbounce detects that the domain was used in the past) [they put this filter as an attempt to avoid takeovers.]
  3. Claim the domain (no errors: the domain is added to domains section correctly)

info.hacker.one is already in use and already has pages example :
https://info.hacker.one/the-data-protection-officer/
https://info.hacker.one/2018-hacker-report/

This mean case (1)
Domain is already in use' (which means that the domain is claimed)

So not possible to takeover it .

Kind Regards,
Mohamed Haron.

hello.guys.
takeover is still possible???


I just tried today and it fails ....

yup.me too.seems it needs a bit of luck.

You can find the steps here, and this is still vulnerable

https://www.youtube.com/watch?v=-znOxODC2QM

  • I have tried to takeover 10 subdomains which has following Fingerprint
    The requested URL was not found on this server.

Results of 10 subdomains are either:

Domain is already in use.
( or )
Looks like this domain has been deleted, to be able to use it again we need to verify its ownership for security purposes. Please contact our team at support@unbounce.com.

  • Looks like Unbounce is preventing takeovers of domains that have used their service previously.

👍

exactly same errors


You Just need Good Luck to find it but it still work ;)

thanks for the confirmation

I just test it 3 minutes ago, it will need a little bit of social engineering to verify the deleted subdomain.

chat help:

verify the ownership by adding a txt record.

@X-shadowt
how to do verification for deleted subdomain?

Can you please confirm which Unbounce account this domain is going to be added to? Thanks so much!

Here's how to add the record:

Login to your Domain provider's system and navigate to the DNS setup.
Create a new DNS record.
The record type will be TXT.
The host name can be left blank.
The text (or content, or value) should be "unbounce=357292"
Save the changes.

Send me a reply once that's been done, I'll confirm everything, and we'll get finished up with verifying your domain!

this is how you can do it

@X-shadowt how you added dns record :P

I noticed that social engineering was mentioned here. Social engineering is not acceptable when participating in bug bounty programs (unless stated), nor is it acceptable in any case. I'd suggest NOT social engineering the friendly team at Unbounce to bypass their verification steps. You may end up in legal trouble and for what? A bounty? Not worth it. If you feel that Unbounce's methods for proving you own a domain are not adequate and you can 'bypass' them, I'd send them a message to politely let them know. Work with them, not against them :)

Stay safe everyone. <3

Thank you very much @zseano for pointing this out for the community!

At Unbounce safekeeping our customers and their information within our ecosystem is of utmost importance.
We believe in the mantra that no environment is 100% secure, and that upholding information security is an iterative effort and a process of continuous improvement.
Aside from our own internal resources we also partner with third party security researchers and firms to perform approved and prescheduled external vulnerability scans and penetration tests against our environment.

We would like to stress that our Acceptable Use Policy (which is part of our Terms of Service), as well as those of our infrastructure hosting provider's, prohibit users, customers, and third parties from performing unapproved vulnerability tests/scans against our platform.

Currently, we do not have a formal bug bounty program in the traditional sense with monetary rewards; but it is something we are considering as we appreciate the work of security researchers like yourself.
As such, and in the absence of a bug bounty program, we deem all unapproved tests/scans as unauthorized activities.

With that said, we completely support, and see the value in, sharing findings/PoCs online to educate others. However, in the event that you had unknowingly performed a test/scan against our platform, we ask that you remain committed to an ethical methodology in your approach.
To this end, we ask that you report your findings to security@unbounce.com first, and that you kindly refrain from sharing your results externally until our engineers have had the time to assess what you have reported.

Thank you all very much.
Please stay healthy and safe!

Thank you for addressing this, @zseano & @UBAMas. I will add a note about this in the README for future contributors. 👍

Hello
I found a subdomain which is saying - The requested URL was not found on this server.
I checked the CNAME for that subdomain, but I didn't find any CNAME.
Then I tried to add this subdomain on Unbounce. It takes everything, but when processing it is still on configuration, saying "Hang in there—we're processing your domain!"
What should I do now?

@foysal1197 I got the same response - The requested URL was not found on this server.

May I report it?


Sure No don't report until , you must be sure that you takeover this subdomain.

let's Take a small example :

Hackerone has subdomain called info.hacker.one This subdomain show you error The requested URL was not found on this server.

visit https://info.hacker.one/

But it works well in paths example :

visit https://info.hacker.one/2018-hacker-report/

Kind Regards,
Mohamed Haron.

@Bplotka @foysal1197 Did you ever manage to perform subdomain takeover for Unbounce? I don't think it will be possible now until you interact with the unbounce team, as per the link here: https://documentation.unbounce.com/hc/en-us/articles/360000851786

@UBAMas explained that you shouldn't be trying this. Closing the issue.

Hi @m7mdharoun I still have the same error The requested URL was not found on this server.

how can i exploit it?

not vulnerable

Is it still possible in 2020 to takeover subdomain in unbounce.com with this "The requested URL was not found on this server." error?
Anyone ??

@AyushMayank no it's not bro

@X-shadowt yah I was thinking that too... thanks

Hello ,
I just test 3 subdomains with 404 Error Via Unbounce .
i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .

But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 💯
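For auditing your own zone, the distinction drawn in the comment above (a CNAME straight to unbouncepages.com versus one that goes through a hex label under it) can be read out of nslookup output mechanically. This is an added example, not part of the thread or the project; the function names, labels, hostnames and sample output are constructed, and the labels describe the record shape only, not whether a claim would succeed.

```python
import re

PROVIDER = "unbouncepages.com"  # CNAME target named in the thread

# Constructed nslookup output (example.com names, documentation IPs).
SAMPLE_LABELLED = (
    "Non-authoritative answer:\n"
    "Landing.Example.com\tcanonical name = 0123456789abcdef0123456789abcdef.unbouncepages.com.\n"
    "0123456789abcdef0123456789abcdef.unbouncepages.com\tcanonical name = unbouncepages.com.\n"
    "Name:\tunbouncepages.com\n"
    "Address: 192.0.2.10\n"
)
SAMPLE_DIRECT = (
    "Non-authoritative answer:\n"
    "promo.example.com\tcanonical name = unbouncepages.com.\n"
    "Name:\tunbouncepages.com\n"
    "Address: 192.0.2.10\n"
)
SAMPLE_OTHER = (
    "Non-authoritative answer:\n"
    "shop.example.com\tcanonical name = shops.example.net.\n"
    "Name:\tshops.example.net\n"
    "Address: 192.0.2.20\n"
)

CNAME_LINE = re.compile(r"^(\S+)\s+canonical name = (\S+?)\.?$", re.IGNORECASE)


def parse_cname_chain(nslookup_output):
    """Return {owner: target} for every 'canonical name' line, lowercased."""
    chain = {}
    for line in nslookup_output.splitlines():
        match = CNAME_LINE.match(line.strip())
        if match:
            chain[match.group(1).lower().rstrip(".")] = match.group(2).lower()
    return chain


def classify(hostname, nslookup_output):
    """Label the record shape by the first hop that lands in the provider zone."""
    chain = parse_cname_chain(nslookup_output)
    name, seen = hostname.lower().rstrip("."), set()
    while name in chain and name not in seen:  # 'seen' guards against CNAME loops
        seen.add(name)
        name = chain[name]
        if name == PROVIDER:
            return "direct"
        if name.endswith("." + PROVIDER):
            return "via-label"
    return "other-cname" if seen else "no-cname"


def audit(records):
    """records: {hostname: nslookup output}. Return provider-bound names to reconcile."""
    findings = {}
    for host, output in records.items():
        label = classify(host, output)
        if label in ("direct", "via-label"):
            findings[host] = label
    return findings


if __name__ == "__main__":
    inventory = {"landing.example.com": SAMPLE_LABELLED,
                 "promo.example.com": SAMPLE_DIRECT,
                 "shop.example.com": SAMPLE_OTHER}
    for host, label in audit(inventory).items():
        print(f"{host}: {label} (confirm it is configured in your account, else remove the record)")
```

Every name the audit returns should match a domain still configured in your own Unbounce account; a record that matches nothing is a leftover to delete from DNS.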


Are you sure ?

Found a case just like you said and this is what I got

Screenshot from 2021-05-07 00-31-12


@pdelteil ur perfectly right, while i was testing for takeovers i encountered the same issue

if the subdomain is pointed this way then its 100% not a subdomain takeover

test

and i tried to claim it:) this was the result!

WbkZEBQ8

all the best

Screenshot_2021-05-13_10-32-16_LI (2)

by any chance it is possible to take over this subdomain .. i dont want to register my credit card to create an account and try

No i think it 's not possible to claim it .

Screenshot_2021-05-16_16-01-42_LI
is takeover possible here

can you bypass Unbounce's control by doing an NSLOOKUP and using the alias associated with the domain that Unbounce has blocked?

so Unbounce not a vuln ?

2022-01-20 00_02_27-Window

It's vulnerable?

no bro

is it still working ?

Does this still work, anyone ?


no

@rojan-rijal ur totally right .. last night i reported a subdomain takeover and it was using unbounce. The sec team triaged it asap ..! 😅
how you exploited i mean how takeover

dhtzs commented

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

xgt6op commented

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .

But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

which command i can use to check this ?

dig subdomain.domain.com

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

Hello ,
I just test 3 subdomains with 404 Error Via Unbounce .
i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .
But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Are you sure ?

Found a case just like you said and this is what I got

Screenshot from 2021-05-07 00-31-12

this is the same error I am facing, anybody knows if it is still possible to bypass it and take over?

dhtzs commented

I confirm that Unbounce is still vulnerable to subdomain takeovers since I successfully took over a subdomain 17 days ago (23 December 2022).

how you bypass the domain error?

There was no error, for me at least. I guess it was pure luck, I guess?


maybe, good for you.
What about the txt record entry thing mentioned above, aren't we need to have access to the target's root domain for this?
btw I just contacted the support team and they also provide me with an entry to add as Txt record, can I add this in any domain I owned?

Hello , I just test 3 subdomains with 404 Error Via Unbounce . i noticed that the Subdomain With CName Record Like this

Non-authoritative answer:
Sub.Domain.com	canonical name = 1b450602efa347e0ac14sadwa8be95d.unbouncepages.com.
1b450602efa347e0ac14c4fb0a8be95d.unbouncepages.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.196.95.178
Name:	unbouncepages.com
Address: 54.93.101.65

Is 100% Not Vulnerable And You Can't Claim it .
But if the Cname Record Was Like this :

Non-authoritative answer:
Sub.Domain.com	canonical name = unbouncepages.com.
Name:	unbouncepages.com
Address: 18.195.98.178
Name:	unbouncepages.com
Address: 54.93.101.

it is 100% Vulnerable For Takeover And Congrats about the bounty 100

Hello, can you tell me the tool name I also have the same problem with this .Please

Yes you are right

Hi, is there any special indication other than cname, for example from the protocol whether SSL is available, error or not?

still vulnerable ?

still vulnerable ?

Unfortunately not possible.

It's still vulnerable but only as a rare edge case, I exploited a valid one a few days ago - see Stratus-Security/Subdominator#1 (comment)

Hello @coj337 I recently saw on Unbounce account giving an 404 Status code. Could you please help me confirm if its vulnerable for subdomain takeover with your account? I don't have funds to purchase one. Thank you very much sir.

If it is, then well share the outcome.
Am a bug bounty hunter by the way :)

I was able to add a domain but it says "Error Finding CNAME" How can i resolve this anyone?

Hello, even after when you add your domain, It is not vulnerable.
Just shift your attention to something else.

Not true.

If you manage to add a custom domain then there's a complete subdomain take over.


Yeah i think so, it's possible, The domain was pointing at a random ip address while using dig command and when i can subzy it was vulnerable to unbounce subdomain takeover and also when i claimed the subdomain it got claimed but after that it was asking for a cname to go live i guess. So, if anyone knows how to do that please help

Ok. No challenge.
I'll be glad to learn how you will do that.
Thanks and regards