API DOCS takeover on Readme.io
Oktavandi
I've been invited to a private bug bounty program on the Bugcrowd platform, and the scope is limited: no wildcard subdomains are allowed for report submission, but if you find something good, "Just reach out to email@example.com" - Policy
Okay!, that's the quote of the day :)
Step by Step
First, I used Sudomy for domain enumeration.
After the enumeration finished, I looked at the results: both the HTTP and HTTPS ports were vulnerable to subdomain takeover on a third party, which is Readme.io.
but first, let me take a selfie
$ dig beta-developer.redacted.com CNAME
;;ANSWER SECTION:
beta-developer.redacted.com 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 18.104.22.168
cname.readmessl.com. 208 IN A 22.214.171.124
- I created an account on readme.io
- created a project and went to https://dash.readme.io/project/<redacted_projects>/v1.0/domains
- then filled in the custom domain form and clicked the Save button!
And boom!
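For the owner of the domain, the thing to catch before anyone else does is a CNAME chain like the dig output above that hands a subdomain to a third-party host. The following is an added example, not code from the original post: it parses dig's answer section, follows the CNAME chain (with a loop guard) and lists the names in the chain that sit under a provider the owner should review. The provider suffix list and the sample dig text are assumptions constructed for the example; whether the Readme.io project name is still claimed needs a live check against the provider and is out of scope here.

```python
"""Flag CNAME chains that end at a third-party docs host such as Readme.io.

Added example, not from the original post. It parses the ANSWER SECTION of a
`dig <name> CNAME` query (same layout as the output in the post) and reports
which names in the chain belong to a provider where an unclaimed project name
could be registered by someone else, so the record can be removed or re-pointed.
"""
import re

# Provider suffixes to flag for review; this list is an assumption for the example.
THIRD_PARTY_SUFFIXES = ("readme.io", "readmessl.com")

# Constructed sample in the layout of the dig answer shown in the post.
SAMPLE_DIG = """;;ANSWER SECTION:
beta-developer.redacted.com 213 IN CNAME redacted-company.readme.io.
redacted-company.readme.io. 28 IN CNAME cname.readmessl.com.
cname.readmessl.com. 208 IN A 18.104.22.168
cname.readmessl.com. 208 IN A 22.214.171.124
"""

# owner  TTL  IN  TYPE  target
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_answer(text):
    """Map each owner name to its [(type, target)] records, lower-cased, no trailing dot."""
    records = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # section headers and blank lines
        owner, rtype, target = m.groups()
        records.setdefault(owner.rstrip(".").lower(), []).append(
            (rtype, target.rstrip(".").lower()))
    return records


def cname_chain(records, name):
    """Follow CNAMEs from name until an A record, a dead end, or a loop."""
    chain, seen = [name.lower()], {name.lower()}
    while True:
        cnames = [t for rtype, t in records.get(chain[-1], []) if rtype == "CNAME"]
        if not cnames or cnames[0] in seen:
            return chain
        seen.add(cnames[0])
        chain.append(cnames[0])


def third_party_targets(records, name):
    """Names further down the chain that live under a flagged provider suffix."""
    def flagged(n):
        return any(n == s or n.endswith("." + s) for s in THIRD_PARTY_SUFFIXES)
    return [n for n in cname_chain(records, name)[1:] if flagged(n)]
```

Run it over the dig output for each enumerated subdomain; any non-empty result is a record to reconcile with the provider account before it is reported by someone else.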