How I found my first Subdomain Takeover vulnerability

About the vulnerability

Finding your very first vulnerability as a new security researcher can be intimidating and can easily burn you out, especially when you don't know where to start. Read on to learn how I found a Subdomain Takeover vulnerability and how I leveraged it into a CSRF attack capable of taking over the victim's account.

The Recon

The first step of the recon was enumerating all subdomains of the target domain within the program's scope. Always check whether the program's scope includes a wildcard entry such as *.example.com: only then are subdomain takeovers treated as a valid report. That said, a few programs without a wildcard in scope may still accept your submission, so it is always worth trying.
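The check that turns an enumerated subdomain list into takeover candidates is a dangling CNAME: the subdomain points at a name that no longer resolves. The following is an added example, not code from the original post. The DNS snapshot, hostnames and CNAME targets are constructed stand-ins for what an enumeration tool plus `dig` would give you, and `fake_resolve` would be replaced by a real resolver in practice.

```python
"""
Dangling-CNAME triage for subdomain takeover candidates (added example).

The records below are a constructed DNS snapshot; every hostname and
CNAME target is hypothetical.  None means the name returns NXDOMAIN.
"""
import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

Record = Optional[Tuple[str, str]]  # (record type, target) or None for NXDOMAIN

FAKE_DNS: Dict[str, Record] = {
    "www.example.com":         ("A", "203.0.113.10"),
    "blog.example.com":        ("CNAME", "blog-host.pages.test"),
    "blog-host.pages.test":    ("A", "203.0.113.20"),            # live target
    "old-app.example.com":     ("CNAME", "old-app.cloud-host.test"),
    "old-app.cloud-host.test": None,                             # dangling: NXDOMAIN
    "api.example.com":         ("CNAME", "api.partner.test"),
    "api.partner.test":        ("A", "198.51.100.5"),
    "shop.notexample.com":     ("CNAME", "shop.store-host.test"),
    "shop.store-host.test":    None,                             # dangling, but out of scope
}


def fake_resolve(name: str) -> Record:
    """Stand-in resolver over the constructed snapshot."""
    return FAKE_DNS.get(name)


def in_scope(host: str, scope: List[str]) -> bool:
    """Scope entries use the program's wildcard form, e.g. '*.example.com'.
    fnmatch's '*' spans dots, so multi-level subdomains also match."""
    return any(fnmatch.fnmatch(host, pattern) for pattern in scope)


def find_dangling(hosts: List[str], scope: List[str],
                  resolve: Callable[[str], Record] = fake_resolve) -> List[Tuple[str, str]]:
    """Return (host, cname_target) pairs where the CNAME target is NXDOMAIN.

    A CNAME whose target does not resolve is the precondition for a
    takeover: if the target's provider lets anyone register that name,
    the in-scope subdomain becomes attacker-controlled.  Out-of-scope
    hosts are skipped so the report only contains what the program accepts.
    """
    findings = []
    for host in hosts:
        if not in_scope(host, scope):
            continue
        rec = resolve(host)
        if rec is None or rec[0] != "CNAME":
            continue  # A/AAAA records need a different (IP reuse) check
        target = rec[1]
        if resolve(target) is None:
            findings.append((host, target))
    return findings


if __name__ == "__main__":
    for host, target in find_dangling(list(FAKE_DNS), ["*.example.com"]):
        print(f"candidate: {host} -> {target} (NXDOMAIN)")
```

NXDOMAIN on the CNAME target is necessary but not sufficient: the target's provider also has to allow you to claim that name, so each candidate still needs a manual check of the provider's behaviour (community-maintained fingerprint lists such as can-i-take-over-xyz are the usual reference) before it is a confirmed takeover.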

Leveraging the takeover into a CSRF attack:

We had now taken over the subdomain; what next? If you report this right away, there is a high chance the report will be marked Low severity because no loss of confidentiality has been shown. Instead, think like an attacker: how would an attacker leverage this subdomain to their benefit and take over a victim's account?
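What makes a taken-over subdomain a stronger CSRF launch point than an arbitrary attacker site is that the browser treats it as same-site with the main application, so SameSite cookies are still sent, and server-side Origin checks that trust "anything under example.com" let it through. The model below is an added example, not the original post's code or exploit; the origins, the cookie attributes and the regex-based origin check are hypothetical assumptions used to show the mechanism.

```python
"""
Why a subdomain takeover escalates to CSRF (added example, hypothetical
origins and server policies).  Models two defences a main site might rely
on, SameSite cookies and an Origin allowlist, and shows which launch
origins survive them for a top-level POST form submission.
"""
import re
from urllib.parse import urlsplit
from typing import Callable


def same_site(origin: str, target_origin: str) -> bool:
    """Browsers treat two origins as same-site when their registrable
    domains match.  Simplified to the last two labels, which is right for
    example.com but not for multi-label public suffixes such as co.uk
    (assumption: the target is not under such a suffix)."""
    def site(o: str) -> str:
        host = urlsplit(o).hostname or ""
        return ".".join(host.split(".")[-2:])
    return site(origin) == site(target_origin)


def cookie_sent(origin: str, target_origin: str, samesite: str) -> bool:
    """Whether a session cookie with the given SameSite value accompanies a
    top-level POST form submission from `origin` to `target_origin`.
    Lax and Strict both drop it for cross-site POSTs; same-site keeps it."""
    if samesite == "None":
        return True
    return same_site(origin, target_origin)


# Hypothetical server-side Origin checks.
WEAK_ORIGIN_RE = re.compile(r"^https://([a-z0-9-]+\.)*example\.com$")  # trusts every subdomain
STRICT_ALLOWLIST = {"https://www.example.com", "https://app.example.com"}


def weak_origin_check(origin: str) -> bool:
    return bool(WEAK_ORIGIN_RE.match(origin))


def strict_origin_check(origin: str) -> bool:
    return origin in STRICT_ALLOWLIST


def csrf_succeeds(origin: str, target_origin: str, samesite: str,
                  origin_check: Callable[[str], bool]) -> bool:
    """A forged POST only works if the cookie rides along AND the server's
    Origin check accepts the launch origin."""
    return cookie_sent(origin, target_origin, samesite) and origin_check(origin)


if __name__ == "__main__":
    target = "https://www.example.com"
    for launch in ("https://attacker.test", "https://old-app.example.com"):
        for name, check in (("weak", weak_origin_check), ("strict", strict_origin_check)):
            ok = csrf_succeeds(launch, target, "Lax", check)
            print(f"{launch:30} SameSite=Lax, {name} origin check -> {'CSRF' if ok else 'blocked'}")
```

The model deliberately ignores Chrome's temporary "Lax-by-default" allowance for fresh cookies on top-level POSTs and the public-suffix list; both only make the attacker's position better or leave it unchanged. It also leaves out a second escalation that is worth checking on a real target: a subdomain can set cookies with Domain=.example.com, which breaks double-submit CSRF tokens that are stored in a cookie, and the main site's CSP or CORS policy often trusts *.example.com as well.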

Impact Of Subdomain Takeover:

1. Misrepresenting the company by hosting attacker-controlled content under its own domain

Developer by day, Hacker by night