API DOCS takeover on Readme.io

Determine the issue

I've been invited to a private bug bounty program on the Bugcrowd platform, and the scope is limited. I mean, no wildcard subdomains are allowed for report submission, but if you find something good: "Just reach out to support@bugcrowd.com" - Policy

Okay! That's the quote of the day :)

Step by Step

First, I used Sudomy for domain enumeration


After the enumeration finished, I looked at the results: both the HTTP and HTTPS ports were vulnerable to subdomain takeover on a third party, which is Readme.io.

But first, let me take a selfie

$ dig beta-developer.redacted.com CNAME

beta-developer.redacted.com 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A
cname.readmessl.com. 208 IN A
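The dig answer above is the whole signal: a name in your own zone delegates, through one or more CNAME hops, to a host under a third-party documentation provider. The following script is an added example, not code from the original post or from Readme.io; it turns that manual dig check into a repeatable audit a zone owner can run over a dig-style export. The record lines, the `example.com` zone and the IP addresses in it are constructed, and the list of third-party suffixes is an assumption seeded with the two hosts that appear in the write-up.

```python
"""Audit CNAME chains in a DNS zone export for delegation to third-party hosting.

Added example. Parses dig-style resource record lines, follows each CNAME
chain that starts in the owner's zone, and reports chains that land on a
third-party hosting suffix so the owner can confirm the project on the
provider's side is still claimed. A chain whose last hop has no A/AAAA
record in the export is flagged as not resolving, the classic dangling case.
"""
import re

# Constructed sample modelled on the dig output in the write-up.
# Names, zone and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_DIG_OUTPUT = """\
beta-developer.example.com. 213 IN CNAME example-company.readme.io.
example-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 192.0.2.10
cname.readmessl.com. 208 IN A 192.0.2.11
docs.example.com. 300 IN CNAME docs-origin.example.com.
docs-origin.example.com. 300 IN A 198.51.100.5
old-docs.example.com. 300 IN CNAME ghost-team.readme.io.
"""

# Suffixes to watch. readme.io and readmessl.com are named in the write-up;
# treating them as a watch list is this example's assumption.
THIRD_PARTY_SUFFIXES = ("readme.io", "readmessl.com")

# <name> <ttl> IN <type> <rdata>, the shape dig prints in its ANSWER section.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")


def _norm(name):
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()


def parse_records(text):
    """Return {owner_name: [(rtype, rdata), ...]} from dig-style lines."""
    records = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, unsupported types
        name, rtype, rdata = m.groups()
        records.setdefault(_norm(name), []).append((rtype, _norm(rdata)))
    return records


def follow_cname_chain(records, name, max_hops=10):
    """Follow CNAMEs from name; returns the hop list including the start."""
    chain = [_norm(name)]
    for _ in range(max_hops):
        cnames = [rd for rt, rd in records.get(chain[-1], []) if rt == "CNAME"]
        if not cnames:
            break  # reached a name with no CNAME (A/AAAA or nothing at all)
        nxt = cnames[0]
        if nxt in chain:
            raise ValueError("CNAME loop at %s" % nxt)
        chain.append(nxt)
    return chain


def is_third_party(host, suffixes=THIRD_PARTY_SUFFIXES):
    """True if host is, or sits under, one of the watched suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit(text, zone, suffixes=THIRD_PARTY_SUFFIXES):
    """Map each in-zone name whose CNAME chain reaches a watched suffix to
    the third-party hops and whether the chain's last hop resolves."""
    records = parse_records(text)
    zone = _norm(zone)
    findings = {}
    for name, rrs in records.items():
        # Only audit names we own; intermediate provider names are not ours.
        if not (name == zone or name.endswith("." + zone)):
            continue
        if not any(rt == "CNAME" for rt, _ in rrs):
            continue
        chain = follow_cname_chain(records, name)
        hops = [h for h in chain[1:] if is_third_party(h, suffixes)]
        if not hops:
            continue
        last = chain[-1]
        resolves = any(rt in ("A", "AAAA") for rt, _ in records.get(last, []))
        findings[name] = {"third_party_hops": hops, "resolves": resolves}
    return findings


if __name__ == "__main__":
    for name, info in sorted(audit(SAMPLE_DIG_OUTPUT, "example.com").items()):
        state = "resolves" if info["resolves"] else "DOES NOT RESOLVE"
        print("%s -> %s (%s)" % (name, " -> ".join(info["third_party_hops"]), state))
```

On the constructed sample, `beta-developer.example.com` is reported with both provider hops and a resolving tail (the situation in the write-up, where the provider host still answers and the question becomes whether the project behind it is claimed), while `old-docs.example.com` is reported as not resolving, which is the stronger indicator and the record to remove or re-point first. `docs.example.com` points inside the zone and produces no finding.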

And boom!