Exploiting subdomain takeover Ideanote, Ideanote is a new way to work with ideas. It’s faster, more efficient, and lets you build a fully customizable idea management flow from start to finish.
Why does subdomain takeover happen?
In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More
Exploitation
I have prepared a target list to find which subdomain has the cname “custom-domain.ideanote.io” as for the command, I only use the httpx tool.
root@kresec:~# cat randomlist |httpx -silent -cname -sc -title -mc 200
https://ideas.redacted.com [200] [9950] [Ideas] [custom-domain.ideanote.io]
https://ideas.redacted.co [200] [9330] [Ideanote] [custom-domain.ideanote.io]
https://ideate.redacted.to [200] [10296] [Redacted ****] [custom-domain.ideanote.io]root@kresec:~# dig vuln.redacted.com | grep CNAME
vuln.redacted.com. 0 IN CNAME custom-domain.ideanote.io.
Vulnerable identification
With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Title : Ideanote
— Body : The subdomain ideas doesn’t exist
— Status code : 200
— Connected to this cname : custom-domain.ideanote.io
How to Custom domain
Well, besides you can see directly how to custom domain from the official article https://help.ideanote.io/article/muqxtabfk2-how-to-add-a-custom-domain, or you can follow my explanation below :
After you successfully create an account, it will be directed to a subdomain under the root domain of ideanote. Then to add a domain you can access the workspace menu, there is a section to enter the domain.
In that menu you can also change the title, description, etc
Successful takeover
Finally, the subdomain should look like Image 5 below once it has been successfully taken over.
Thanks
Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
https://tegalsec.org/
