
Subdomain Takeover via Branch

Open hussain0x3c opened this issue 4 years ago • 7 comments

Service name

Branch - https://branch.io

Proof

Screenshot 2021-02-19 230750

Screenshot 2021-02-19 224424

Steps to Reproduce

1 - Sign up at branch.io.
2 - After logging in, go to the configuration page.
3 - Set the vulnerable domain in the link domain.
4 - Create your link from the Universal Ads page.

Documentation

1 - There's no proof page, but the subdomain redirects you to https://branch.io/what-is-applink/.
2 - The subdomain is usually called app or SMS.

hussain0x3c, Feb 19 '21 20:02

Can you share the fingerprints for identification?

sumgr0, Feb 24 '21 16:02

Can you share the fingerprints for identification?

share.vulnerable.com. 300 IN CNAME custom.bnc.lt.
custom.bnc.lt. 3 IN A 52.52.224.167
custom.bnc.lt. 3 IN A 52.53.67.13
custom.bnc.lt. 3 IN A 52.52.150.189
custom.bnc.lt. 3 IN A 13.56.61.228
custom.bnc.lt. 3 IN A 13.57.114.155
custom.bnc.lt. 3 IN A 50.18.199.4
custom.bnc.lt. 3 IN A 52.8.236.92
custom.bnc.lt. 3 IN A 52.52.244.71

hussain0x3c, Feb 25 '21 08:02

Thanks...

Does it have an error fingerprint as well for the webpage or DNS records?

sumgr0, Feb 25 '21 08:02

@sumgr0 No,

There's no proof page, but the subdomain redirects you to https://branch.io/what-is-applink/.

hussain0x3c, Feb 26 '21 06:02

Cool.. Thanks

sumgr0, Feb 26 '21 07:02

@hussain0x3c I am having a problem with the last step, that is no. 4, create your link from the Universal Ads page. Can you reach me on Twitter? https://twitter.com/ak_bruster

akbruster, Oct 25 '21 08:10

sub.domain.com has final CNAME equal to thirdparty.bnc.lt., but it must be custom.bnc.lt.

achabi-ismail, Jan 08 '24 07:01
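
For auditing your own DNS inventory against the fingerprint discussed in this thread, the following is an added example (not code from the issue or from the can-i-take-over-xyz project). It follows each CNAME chain in dig-style records and lists hostnames whose final CNAME is custom.bnc.lt., as the last comment requires. The sample records and function names are constructed for illustration, and because the thread reports no error-page fingerprint, a match is only a candidate to confirm against the link domain set in your Branch account.

```python
BRANCH_TARGET = "custom.bnc.lt."  # CNAME fingerprint reported in this thread

# Constructed sample in dig answer format; hostnames are placeholders.
SAMPLE_RECORDS = """\
share.vulnerable.com. 300 IN CNAME custom.bnc.lt.
custom.bnc.lt. 3 IN A 52.52.224.167
app.example.com. 300 IN CNAME links.example.com.
links.example.com. 300 IN CNAME custom.bnc.lt.
sub.domain.com. 300 IN CNAME thirdparty.bnc.lt.
www.example.com. 300 IN A 192.0.2.10
"""

def _fqdn(name):
    """Normalise a hostname to lower case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_cnames(text):
    """Return {owner: target} for every CNAME line in dig/zone-style text."""
    cnames = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:
            idx = types.index("CNAME", 1)
            cnames[_fqdn(fields[0])] = _fqdn(fields[idx + 1])
    return cnames

def final_cname(name, cnames, max_hops=10):
    """Follow the CNAME chain from name; return the last target, or None."""
    seen, current, last = set(), _fqdn(name), None
    while current in cnames and current not in seen and len(seen) < max_hops:
        seen.add(current)
        last = current = cnames[current]
    return last

def branch_candidates(text):
    """Hostnames outside bnc.lt whose final CNAME is custom.bnc.lt."""
    cnames = parse_cnames(text)
    return sorted(
        name for name in cnames
        if not name.endswith(".bnc.lt.")
        and final_cname(name, cnames) == BRANCH_TARGET
    )

if __name__ == "__main__":
    for host in branch_candidates(SAMPLE_RECORDS):
        print(f"{host} -> {BRANCH_TARGET} (confirm it is claimed in your Branch account)")
```
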