$100 under 1 hour: Subdomain takeover via firstpromoter.com

Exploiting subdomain takeover via firstpromoter, is Affiliate and referral tracking for SaaS.

Why does subdomain takeover happen?

In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More

Exploitation

I have prepared a target list to find which subdomain has the cname “proxy.firstpromoter.com” as for the command, I only use the httpx tool.

root@kresec:~# cat randomlist |httpx -silent -cname -sc -title -mc 404
https://affiliate.redacted.com [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://reff.redacted.io [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://join.redacted.ai [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://m.redacted.net [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]

root@kresec:~# dig vuln.redacted.com | grep CNAME
vuln.redacted.com. 0 IN  CNAME   proxy.firstpromoter.com.
proxy.firstpromoter.com. 0      IN      CNAME   fpr-8909.c66.me.

Image 2. if vuln

Vulnerable identification

With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Title & Body : The page you were looking for doesn’t exist (404)
— Status code : 404
— Connected to this cname : proxy.firstpromoter.com

How to Custom domain

Well, besides you can see directly how to custom domain from the official article https://help.firstpromoter.com/en/articles/1585730-how-to-use-your-own-domain-for-the-promoter-dashboard-and-sign-up-page, or you can follow my explanation below :

After you successfully create an account, it will be directed to a subdomain under the root domain of firstpromoter. then to change to vulnerable target sub domain you can use this link https://redacted.firstpromoter.com/settings. See image 3.

Image 3. Add domain.

Then you can use the “Getting Started” menu to create a campaign and customize its appearance.

Image 4. Custom Page

Successful takeover

Finally, the subdomain should look like Image 5 below once it has been successfully taken over.

Image 5. Successful takeover

Time to report

Yes, after finding it in one of the targets I immediately reported it. In less than 1 hour they replied that the report was valid and asked for a PayPal account. and yes they gave me $100

Image 6. Receive bounties

Yeahh!

Thanks

Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
https://tegalsec.org/