Exploiting subdomain takeover via firstpromoter, is Affiliate and referral tracking for SaaS.
I am Hasyim, Founder of VulnShot.com (Vulnerability Management From Nuclei CLI)
Why does subdomain takeover happen?
In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More
I have prepared a target list to find which subdomain has the cname “proxy.firstpromoter.com” as for the command, I only use the httpx tool.
root@kresec:~# cat randomlist |httpx -silent -cname -sc -title -mc 404
https://affiliate.redacted.com  [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://reff.redacted.io  [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://join.redacted.ai  [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://m.redacted.net  [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
root@kresec:~# dig vuln.redacted.com | grep CNAME
vuln.redacted.com. 0 IN CNAME proxy.firstpromoter.com.
proxy.firstpromoter.com. 0 IN CNAME fpr-8909.c66.me.
With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Title & Body : The page you were looking for doesn’t exist (404)
— Status code : 404
— Connected to this cname : proxy.firstpromoter.com
How to Custom domain
Well, besides you can see directly how to custom domain from the official article https://help.firstpromoter.com/en/articles/1585730-how-to-use-your-own-domain-for-the-promoter-dashboard-and-sign-up-page, or you can follow my explanation below :
After you successfully create an account, it will be directed to a subdomain under the root domain of firstpromoter. then to change to vulnerable target sub domain you can use this link https://redacted.firstpromoter.com/settings. See image 3.
Then you can use the “Getting Started” menu to create a campaign and customize its appearance.
Finally, the subdomain should look like Image 5 below once it has been successfully taken over.
Time to report
Yes, after finding it in one of the targets I immediately reported it. In less than 1 hour they replied that the report was valid and asked for a PayPal account. and yes they gave me $100
Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community