
Subdomain takeover via LaunchRock

Open ghost opened this issue 6 years ago • 3 comments

Service name

LaunchRock offers a service to create marketing pages.

Proof

I was able to perform a subdomain takeover in a private program on H1. The PoC cost me $9 to buy the Premium plan on the service (adding a custom subdomain is available only on the Premium plan). The issue was confirmed, fixed, and rewarded.

Documentation

String to determine subdomain takeover:

It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.

The vulnerable subdomain can be pointed to LaunchRock via CNAME (example.launchrock.com) or via the following A records:

54.243.190.28
54.243.190.39
54.243.190.47
54.243.190.54

If the above conditions are met, we can perform a subdomain takeover by adding the vulnerable subdomain as a LaunchRock custom domain in the control panel.

Ability to inject custom JS

Yes, we can add arbitrary JavaScript through the control panel.

Last checked date

Dec 2018

ghost, Jan 11 '19 18:01

The fingerprint for this appears to have changed. Unclaimed subdomains now respond with an HTTP 500.

TheTechromancer, Feb 10 '23 15:02

Hello @TheTechromancer, is it still vulnerable?

thepoorhacker, Apr 03 '24 13:04
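
A defender-side check built from the fingerprints in this thread, added here as an example and not code from the can-i-take-over-xyz project or from any poster: it classifies hosts in your own DNS inventory as pointing at LaunchRock and showing either the original body fingerprint or the later HTTP 500. The inventory layout, host names, sample responses and verdict labels are assumptions made for the example.

```python
# Added example: fingerprint values below are copied from the issue thread.
LAUNCHROCK_A = {"54.243.190.28", "54.243.190.39", "54.243.190.47", "54.243.190.54"}
BODY_FINGERPRINT = "It looks like you may have taken a wrong turn somewhere."

def points_to_launchrock(rtype, value):
    """True if a DNS record targets LaunchRock by CNAME or by one of the listed A records."""
    value = value.strip().rstrip(".").lower()   # normalise case and the trailing root dot
    if rtype.upper() == "CNAME":
        # Match on a label boundary so "notlaunchrock.com" is not a hit.
        return value == "launchrock.com" or value.endswith(".launchrock.com")
    if rtype.upper() == "A":
        return value in LAUNCHROCK_A
    return False

def classify(host):
    """Verdict for one inventory entry (hypothetical dict layout, see INVENTORY)."""
    if not any(points_to_launchrock(t, v) for t, v in host["records"]):
        return "not-launchrock"
    if BODY_FINGERPRINT in host["body"]:
        return "unclaimed-body"      # fingerprint from the original report
    if host["status"] == 500:
        return "unclaimed-500"       # fingerprint reported in the Feb 2023 comment
    return "in-use"

def audit(inventory):
    """Return {hostname: verdict} for every host whose DNS record needs review."""
    verdicts = {h["name"]: classify(h) for h in inventory}
    return {n: v for n, v in verdicts.items() if v.startswith("unclaimed")}

# Constructed sample data: DNS answers and HTTP responses collected beforehand
# for hosts in your own zone. Names, statuses and bodies are made up.
INVENTORY = [
    {"name": "promo.example.com", "records": [("CNAME", "Example.LaunchRock.com.")],
     "status": 404, "body": "<p>" + BODY_FINGERPRINT + " Don't worry...</p>"},
    {"name": "beta.example.com", "records": [("A", "54.243.190.39")],
     "status": 500, "body": ""},
    {"name": "launch.example.com", "records": [("CNAME", "example.launchrock.com")],
     "status": 200, "body": "<h1>Coming soon</h1>"},
    {"name": "shop.example.com", "records": [("CNAME", "shop.notlaunchrock.com")],
     "status": 500, "body": ""},
]

if __name__ == "__main__":
    for name, verdict in audit(INVENTORY).items():
        print(f"{name}: {verdict} -> remove the stale record or re-claim the domain")
```

An HTTP 500 can also come from an unrelated server error, so treat `unclaimed-500` as a prompt to confirm in the LaunchRock control panel before deleting the record.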