can-i-take-over-xyz icon indicating copy to clipboard operation
can-i-take-over-xyz copied to clipboard
verified publisher icon EdOverflow

Getresponse.com vulnerable to subdomain takeover

Open darkpills opened this issue 4 years ago • 10 comments

Service name

GetResponse - https://www.getresponse.com/

Vulnerable domain which can be takeover

image

Fingerprint: "Cette landing page n'est plus disponible" (FR)

Steps to takeover

  1. Register an account on https://www.getresponse.com/
  2. Create a new domain : My Account > Manage account > Landing page domain > Add domain: declare the victim subdomain to takeover: sub.victim.com
  3. Do a "dig sub.victim.com" to get the CNAME. There should be a CNAME for any of the getresponse tool domains: gr8.com, subscribemenow.com, getresponsepages.com
  4. Create a new landing page that will be displayed. In the Edit settings > landging page url settings > put the subdomain you saw previously like: test.gr8.com to make your landing page response to the sub.victim.com

darkpills avatar Aug 30 '21 09:08 darkpills

is it still vulnerable , because i tried this way and i was not able to takeover the subdomain .

youghi00715 avatar Oct 10 '21 09:10 youghi00715

Hmmm, not vulnerable now. 30/12/2021

TheElgo64 avatar Dec 30 '21 20:12 TheElgo64

I remember I could not make the association between the vulnerable domain with the admin interface, I had to open a ticket to the support to make them associate the domain even if it is not associated with any customer.

darkpills avatar Dec 31 '21 16:12 darkpills

working i have tested

GDATTACKER-RESEARCHER avatar Aug 02 '22 19:08 GDATTACKER-RESEARCHER

Not working now

lovepentest avatar Apr 06 '23 18:04 lovepentest

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

VictimV59 avatar Apr 12 '23 14:04 VictimV59

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

It simply means it's already claimed by org or someone but the default page is not changed.

GDATTACKER-RESEARCHER avatar Apr 12 '23 14:04 GDATTACKER-RESEARCHER

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

VictimV59 avatar Apr 12 '23 14:04 VictimV59

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

Yes

GDATTACKER-RESEARCHER avatar Apr 12 '23 14:04 GDATTACKER-RESEARCHER

Thanks for explaining😄

VictimV59 avatar Apr 12 '23 14:04 VictimV59