API DOCS takeover on Readme.io
Oktavandi
I've been invited to a private bug bounty program on the Bugcrowd platform, and the scope is limited: I mean no wildcard subdomains are allowed for report submission, but if you find something-something good, "Just reach out to support@bugcrowd.com" - Policy
Okay! That's the quote of the day :)
Step by Step
First, I used Sudomy for domain enumeration
https://github.com/Screetsec/Sudomy
After the enumeration finished, I looked at the results: both the HTTP and HTTPS ports were vulnerable to subdomain takeover on a third party, which is "Readme.io"
But first, let me take a selfie
$ dig beta-developer.redacted.com CNAME
;; ANSWER SECTION:
beta-developer.redacted.com 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 104.18.211.56
cname.readmessl.com. 208 IN A 104.18.211.56
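A defender-side audit of the dangling-CNAME condition the dig output above shows, as an added example rather than the author's tooling: it parses dig answer lines, follows the CNAME chain (stopping on loops) and flags chains that land on Readme.io hosts for review. The provider suffix list and the sample records are assumptions constructed from the redacted values in this write-up.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the write-up's dig ANSWER SECTION (its redacted
# names and the IP it shows; not live data).
SAMPLE_DIG_ANSWER = """\
beta-developer.redacted.com. 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 104.18.211.56
"""
# Assumed list of provider hosts that serve a custom domain only while a tenant
# (here a Readme.io project) still claims it.
PROVIDER_SUFFIXES = ("readme.io", "readmessl.com")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

def parse_answer(text):
    """Map each owner name to its (rtype, rdata) records, normalised to lower-case without the trailing dot."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, other sections
        owner, rtype, rdata = m.groups()
        records[owner.lower().rstrip(".")].append((rtype, rdata.lower().rstrip(".")))
    return records

def follow_cname_chain(records, name, max_hops=8):
    """Names from `name` along CNAMEs; stops at a non-CNAME owner, an unknown target or a loop."""
    chain = [name.lower().rstrip(".")]
    for _ in range(max_hops):
        targets = [r for t, r in records.get(chain[-1], []) if t == "CNAME"]
        if not targets or targets[0] in chain:
            break  # end of chain, or a CNAME loop we must not spin on
        chain.append(targets[0])
    return chain

def audit(records, name):
    """Flag a host whose CNAME chain lands on a provider host. This is only a
    review flag: confirming the domain is unclaimed needs the provider's own
    response, which an offline parse cannot see."""
    chain = follow_cname_chain(records, name)
    provider_hops = [h for h in chain[1:]
                     if any(h == s or h.endswith("." + s) for s in PROVIDER_SUFFIXES)]
    return {
        "chain": chain,
        "provider_hops": provider_hops,
        "resolves": any(t in ("A", "AAAA") for t, _ in records.get(chain[-1], [])),
        "review": bool(provider_hops),
    }
```

Run it over the answer sections of your own zone's hostnames; every "review" hit is a CNAME to a provider that should be checked against the project list and removed once the project is gone.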
- I created an account on readme.io
- Created a project and went to https://dash.readme.io/project/<redacted_projects>/v1.0/domains
- Then filled in the custom domain form and clicked the Save button!

And boom!

Reference
https://github.com/EdOverflow/can-i-take-over-xyz/issues/72