$100 under 1 hour: Subdomain takeover via firstpromoter.com

3 min readAug 31


Exploiting subdomain takeover via firstpromoter, is Affiliate and referral tracking for SaaS.


I am Hasyim, Founder of VulnShot.com (Vulnerability Management From Nuclei CLI)

Why does subdomain takeover happen?

In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More


I have prepared a target list to find which subdomain has the cname “proxy.firstpromoter.com” as for the command, I only use the httpx tool.

root@kresec:~# cat randomlist |httpx -silent -cname -sc -title -mc 404
https://affiliate.redacted.com [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://reff.redacted.io [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://join.redacted.ai [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
https://m.redacted.net [404] [The page you were looking for doesn't exist (404)] [proxy.firstpromoter.com]
root@kresec:~# dig vuln.redacted.com | grep CNAME
vuln.redacted.com. 0 IN CNAME proxy.firstpromoter.com.
proxy.firstpromoter.com. 0 IN CNAME fpr-8909.c66.me.
Image 2. if vuln

Vulnerable identification

With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Title & Body : The page you were looking for doesn’t exist (404)
— Status code : 404
— Connected to this cname : proxy.firstpromoter.com

How to Custom domain

Well, besides you can see directly how to custom domain from the official article https://help.firstpromoter.com/en/articles/1585730-how-to-use-your-own-domain-for-the-promoter-dashboard-and-sign-up-page, or you can follow my explanation below :

After you successfully create an account, it will be directed to a subdomain under the root domain of firstpromoter. then to change to vulnerable target sub domain you can use this link https://redacted.firstpromoter.com/settings. See image 3.

Image 3. Add domain.

Then you can use the “Getting Started” menu to create a campaign and customize its appearance.

Image 4. Custom Page

Successful takeover

Finally, the subdomain should look like Image 5 below once it has been successfully taken over.

Image 5. Successful takeover

Time to report

Yes, after finding it in one of the targets I immediately reported it. In less than 1 hour they replied that the report was valid and asked for a PayPal account. and yes they gave me $100

Image 6. Receive bounties


Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community




Random post about web security & Ngoding