Frill — A Customer feedback, Roadmap and Announcements tool.
I am Hasyim, Founder of VulnShot.com (Vulnerability Management From Nuclei CLI)
Why does subdomain takeover happen?
In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More
I have prepared a target list to find which subdomain has the cname “cname.frill.co” as for the command, I only use the httpx tool.
root@kresec:~# cat frill | httpx -cname -sc -title -fr -silent
https://changelog.redacted.com  [Submit your feature ideas] [cname.frill.co]
https://customers.redacted.io  [Submit your feature ideas] [cname.frill.co]
http://feedback.redacted_vuln.co [302,200]  [cname.frill.co] [https://feedback.redacted_vuln.co/]
https://build.redacted.com  [Submit your feature ideas | Frill.co] [cname.frill.co]
http://feedback.redacted.com [302,200] [Submit your feature ideas] [cname.frill.co] [https://feedback.redacted.com/]
https://feedback.redacted_vuln.app   [cname.frill.co]
With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Has no title / is empty,
— The text “Oh dear We couldn’t find that company” appears in the body
However I still find there are subdomains that can’t be taken over.
How to custom domain
I don’t want to explain too long here, the official Frill article is quite clear and complete to know how to do a custom domain. Open this article : https://help.frill.co/article/88-setting-up-a-custom-domain
See Image 2. after you follow the frill article above, if the site is really vulnerable it will raise an allert “Added sub.redacted.com”
Lastly, the subdomain will look like this after it is successfully taken over.
Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community