Subdomain takeover via Frill.co

KreSec
2 min readSep 9, 2023

--

Frill — A Customer feedback, Roadmap and Announcements tool.

Image 1. Addable to Frill

Why does subdomain takeover happen?

In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More

Exploitation

I have prepared a target list to find which subdomain has the cname “cname.frill.co” as for the command, I only use the httpx tool.

root@kresec:~# cat frill | httpx -cname -sc -title -fr -silent 
https://changelog.redacted.com [200] [Submit your feature ideas] [cname.frill.co]
https://customers.redacted.io [200] [Submit your feature ideas] [cname.frill.co]
http://feedback.redacted_vuln.co [302,200] [] [cname.frill.co] [https://feedback.redacted_vuln.co/]
https://build.redacted.com [200] [Submit your feature ideas | Frill.co] [cname.frill.co]
http://feedback.redacted.com [302,200] [Submit your feature ideas] [cname.frill.co] [https://feedback.redacted.com/]
https://feedback.redacted_vuln.app [200] [] [cname.frill.co]

Vulnerable identification

With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Has no title / is empty,
— The text “Oh dear We couldn’t find that company” appears in the body
However I still find there are subdomains that can’t be taken over.

How to custom domain

I don’t want to explain too long here, the official Frill article is quite clear and complete to know how to do a custom domain. Open this article : https://help.frill.co/article/88-setting-up-a-custom-domain

Image 2. Alerts that appear if the site is vulnerable

See Image 2. after you follow the frill article above, if the site is really vulnerable it will raise an allert “Added sub.redacted.com”

Successful takeover

Lastly, the subdomain will look like this after it is successfully taken over.

Image 3. succesful takeover
Yeahh!

Thanks

Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
https://tegalsec.org/

--

--