API DOCS takeover on Readme.io

Oktavandi
Determine the issue

I was invited to a private bug bounty program on the Bugcrowd platform. The scope was limited: wildcard subdomains were not allowed in submitted reports, but if you found something good, the policy said, "Just reach out to support@bugcrowd.com".

Okay! That's the quote of the day :)

Step by Step

First, I used Sudomy for subdomain enumeration:

https://github.com/Screetsec/Sudomy

After the enumeration finished, I looked at the results: one subdomain, on both its HTTP and HTTPS ports, was vulnerable to subdomain takeover through a third-party service, Readme.io.

But first, let me take a selfie:

$ dig beta-developer.redacted.com CNAME

;;ANSWER SECTION:
beta-developer.redacted.com 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 104.18.211.56
cname.readmessl.com. 208 IN A 104.18.211.56

And boom!
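
As an added example (not part of the original write-up), here is a small Python checker a defender can run over dig output like the answer section above: it parses the records, follows the CNAME chain and flags names whose chain lands in readme.io or readmessl.com as dangling-record candidates to verify and clean up. The zone list and the record-line format are assumptions based on this page; DNS alone only identifies candidates, and whether the Readme.io project is actually unclaimed still has to be confirmed against the service.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the dig answer section from the write-up,
# with the company name redacted as in the original post.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
beta-developer.redacted.com 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 104.18.211.56
"""

# Assumption: third-party zones whose customer subdomains can be claimed
# by anyone once the original project is gone (the Readme.io case here).
THIRD_PARTY_ZONES = ("readme.io", "readmessl.com")

# One resource record line as dig prints it: owner TTL IN TYPE rdata
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")

def parse_answer_section(text: str) -> Dict[str, Tuple[str, str]]:
    """Map owner name -> (rrtype, rdata); trailing dots are stripped."""
    records: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, rrtype, rdata = m.groups()
            records[owner.rstrip(".")] = (rrtype, rdata.rstrip("."))
    return records

def follow_cname_chain(records: Dict[str, Tuple[str, str]], name: str,
                       max_hops: int = 8) -> List[str]:
    """Hops from name until a non-CNAME record, a missing record or a loop."""
    chain = [name.rstrip(".")]
    while len(chain) <= max_hops:
        rr = records.get(chain[-1])
        if rr is None or rr[0] != "CNAME":
            break
        if rr[1] in chain:  # CNAME loop: stop rather than spin
            break
        chain.append(rr[1])
    return chain

def third_party_hops(chain: List[str]) -> List[str]:
    """Hops in the chain that sit inside one of the third-party zones."""
    return [h for h in chain
            if any(h == z or h.endswith("." + z) for z in THIRD_PARTY_ZONES)]

def takeover_candidate(text: str, name: str) -> bool:
    """True when name is a CNAME whose chain passes through a third-party zone."""
    chain = follow_cname_chain(parse_answer_section(text), name)
    return len(chain) > 1 and bool(third_party_hops(chain))
```

Records the checker flags belong in an inventory to be removed or re-pointed before the third-party project is deleted, which is the root cause behind this class of takeover.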
Reference

https://github.com/EdOverflow/can-i-take-over-xyz/issues/72