Subdomain takeover via LaunchRock #74

@ghost

Description

Service name

LaunchRock offers a service to create marketing pages.

Proof

I was able to perform a subdomain takeover in a private program on H1. The PoC cost me $9 to buy the Premium plan on the service (adding a custom subdomain is available only on the Premium plan). The issue was confirmed, fixed, and rewarded.

Documentation

String to determine subdomain takeover:

It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.

The vulnerable subdomain can be pointed to LaunchRock via a CNAME (example.launchrock.com) or via the following A records:

54.243.190.28
54.243.190.39
54.243.190.47
54.243.190.54

If the above conditions are met, we can perform a subdomain takeover by adding the vulnerable subdomain as a LaunchRock custom domain in the control panel.

Ability to inject custom JS

Yes, we can add arbitrary JavaScript through the control panel.

Last checked date

Dec 2018
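
Added example, not part of the original issue: an offline audit of your own DNS inventory that flags names pointing at LaunchRock (the CNAME suffix and A records listed above) and classifies them by whether a captured HTTP body contains the fingerprint string. The record list, hostnames under example.org, and response bodies are constructed sample data; `audit`, `classify` and `points_to_launchrock` are hypothetical helper names.

```python
import html

# Indicators copied from the issue text above.
LAUNCHROCK_A = {"54.243.190.28", "54.243.190.39", "54.243.190.47", "54.243.190.54"}
CNAME_SUFFIX = ".launchrock.com"
FINGERPRINT = ("It looks like you may have taken a wrong turn somewhere. "
               "Don't worry...it happens to all of us.")

def points_to_launchrock(rtype, value):
    """True if a DNS record targets LaunchRock by CNAME or by a listed A record."""
    value = value.strip().rstrip(".").lower()
    if rtype.upper() == "CNAME":
        # Leading dot in the suffix keeps lookalikes such as notlaunchrock.com out.
        return value.endswith(CNAME_SUFFIX)
    if rtype.upper() == "A":
        return value in LAUNCHROCK_A
    return False

def classify(body):
    """Classify a captured HTTP body for a name that points at LaunchRock."""
    if body is None:
        return "review"            # no response captured yet: check manually
    # Undo HTML entity escaping and whitespace wrapping before matching.
    text = " ".join(html.unescape(body).split())
    # Fingerprint present: nobody has claimed the name on the service.
    return "dangling" if FINGERPRINT in text else "claimed"

def audit(records, bodies):
    """records: (name, type, value) tuples; bodies: name -> HTTP body or missing."""
    return {name: classify(bodies.get(name))
            for name, rtype, value in records
            if points_to_launchrock(rtype, value)}

# Constructed sample inventory and responses (not real data).
RECORDS = [
    ("promo.example.org", "CNAME", "example.launchrock.com."),
    ("beta.example.org", "A", "54.243.190.39"),
    ("old.example.org", "A", "54.243.190.54"),
    ("www.example.org", "CNAME", "cdn.notlaunchrock.com"),
    ("api.example.org", "A", "192.0.2.10"),
]
BODIES = {
    "promo.example.org": "<h1>It looks like you may have taken a wrong turn "
                         "somewhere. Don&#39;t worry...it happens to all of us.</h1>",
    "beta.example.org": "<title>Beta signup</title>",
}

if __name__ == "__main__":
    for name, status in sorted(audit(RECORDS, BODIES).items()):
        print(f"{status:9} {name}")
```

A name reported as `dangling` should have its DNS record removed or be re-claimed in the LaunchRock control panel by its owner.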

Labels: vulnerable (Someone has provided proof in the issue ticket that one can hijack subdomains on this service.)
