Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk
I have included my script in another file (main.sh), which I used in discovering this vulnerability.
I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.
I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.
| ## Subdomain Enumeration | |
| echo "Checking with Assetfinder!"; | |
| assetfinder -subs-only fb.com >> ~/results/fb.com/subs/assetfinder.txt; | |
| echo "Checking with Subfinder!"; | |
| subfinder -d fb.com -recursive -silent -all -t 500 -o ~/results/fb.com/subs/subfinder.txt; | |
| echo "Checking with Sublist3r!"; | |
| sublist3r -d fb.com -n -t 500 -o ~/results/fb.com/subs/sublist3r.txt; | |
| echo "Checking with Amass!"; | |
| amass enum -passive -norecursive -noalts -d fb.com -o ~/results/fb.com/subs/amass.txt; | |
| ## Subdomain Concatenation | |
| cat ~/results/fb.com/subs/*.txt > ~/results/fb.com/subs.txt; | |
| ## Subdomain Enumeration Cleanup | |
| rm -rf ~/results/fb.com/subs; | |
| ## Subdomain Enumeration Results | |
| sort -u ~/results/fb.com/subs.txt -o ~/results/fb.com/subs.txt | |
| ## Elastic Beanstalk Checker | |
| while IFS= read -r domain; do | |
| if dig +short $domain | grep elasticbeanstalk; then echo $domain | tee -a ~/results/fb.com/elasticbeanstalk.txt; fi; | |
| done < ~/results/fb.com/subs.txt |
Hello @nukats,
I am not sure about why they paid only $500 for this, and I have questioned them about it, and looking forward to hearing their response.
One thing that they had said while rewarding the bounty amount is, "The payout amount reflects the fact that fb.com domain is predominantly used for microsites and static content."
I hope this clears your question, and I will let you know again if I hear back from the team with more information.
Thanks,
Binit Ghimire
@TheBinitGhimire
Hello,
I think is no longer possible to perform this take over? I can't create a custom env. URL.
Can you confirm?
Hello @pdelteil,
I think you tried to create an application at Elastic Beanstalk, so you weren't able to define a custom URL. Can you once try creating an environment?
I just tried, and I'm still able to define custom URLs without any random strings added to the URL.
Here is an image showing what I did to verify just now!
If you have any further queries, please let me know!
Thanks,
Binit
Thank you for your quick answer. There's something odd, that dialog appeared when I created the second environment and not while creating the first.
Why did they only pay 500$ what was their reason?