Subdomain takeover and Text injection on a 404 error page-$100 bounty
Hello everyone! I'm Jeewan Bhatta and I'm here with my first HackerOne bug write-up. Hope you are all doing great. So now I'm going to tell the story of how a normal recon process helped me get a $100 bounty, and amazingly this is my second bounty (my first one on HackerOne). Okay, now let's get into it.
Vulnerability Description: Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) still points, usually via a CNAME record, at an external service (e.g. Heroku, Unbounce, GitHub Pages) on which the app or page has been removed or deleted, while the DNS record is left in place. Because the service no longer has a resource claimed for that hostname, an attacker can create their own resource on the same service and bind the victim's subdomain to it, serving arbitrary content under the target's domain (and receiving its cookies and traffic). The usual tell is a dangling CNAME plus the service's own "unclaimed" error page.
Content spoofing, also referred to as content injection or arbitrary text injection, is an attack targeting a user that is made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value or the URL path, that is reflected back to the user as if it were part of the page. On an error page this is typically abused to display a convincing fake message (for example a "please contact support at ..." notice) under the legitimate domain.
So during the normal recon process, I collected the possible subdomains of the target (say target.com) and sent them to httpstatus.io to check the status codes. Then I started manually checking all the subdomains returning a 404 status code. One subdomain, subdomain.target.com, was showing a 404 error message; I checked the CNAME (dig subdomain.target.com) and it was pointing to herokudns. The page was also vulnerable to text injection: I was able to modify the content of the page. Because of the paid subscription I was unable to add a custom domain on Heroku, but I managed to report it. Luckily the team triaged the report and resolved the issue.
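The recon flow above (collect hostnames, look at the 404s, pull the CNAME, confirm the hosting service's "unclaimed" page, then probe the error page for reflected text) is easy to script so that every 404 host gets the same three checks. The following is an added example written for this page; it is not the author's tooling and not a Heroku or HackerOne API. The function names, the `DANGLING_SERVICES` table, the probe string `MARKER` and the Heroku body fingerprints are assumptions of the example (the fingerprints are the commonly reported strings for Heroku's unclaimed-app page and should be re-verified against a live response before relying on them). The live path shells out to `dig` and uses only the standard library; the classification functions take plain values so they can be exercised offline on constructed data.

```python
"""Triage helper for dangling-CNAME (Heroku) takeover candidates and 404-page
text injection. Added example for this write-up, not the author's tooling."""
import subprocess
import sys
import urllib.error
import urllib.parse
import urllib.request

# Services that answer for an unclaimed hostname with a 404 page. Heroku is the
# case from the write-up; the fingerprints are assumptions and should be
# re-verified against a live response before use.
DANGLING_SERVICES = {
    "heroku": {
        "cname_suffixes": (".herokudns.com", ".herokuapp.com", ".herokussl.com"),
        "fingerprints": ("no such app", "there's nothing here, yet"),
    },
}

# Constructed probe for the text-injection check: a tag that is harmless if
# reflected but shows up unambiguously in the body.
MARKER = "<b>takeover-probe</b>"


def parse_dig_short(output: str) -> list:
    """Parse `dig +short CNAME host` output into normalised CNAME targets."""
    targets = []
    for line in output.splitlines():
        line = line.strip().rstrip(".").lower()
        if line and not line.startswith(";"):
            targets.append(line)
    return targets


def classify_dangling(cnames, status, body):
    """Return the service name if the host looks like a takeover candidate, else None.

    All three signals are required: a CNAME into a known service, the 404 that
    service returns for unclaimed names, and the service's own fingerprint in
    the body. A bare 404 is not enough; the app may exist and simply have no
    route for the requested path.
    """
    body_l = body.lower()
    for name, svc in DANGLING_SERVICES.items():
        if not any(c.endswith(svc["cname_suffixes"]) for c in cnames):
            continue
        if status == 404 and any(fp in body_l for fp in svc["fingerprints"]):
            return name
    return None


def reflects_unencoded(body: str, marker: str) -> bool:
    """True if the probe came back byte-for-byte, i.e. not HTML-escaped.

    An escaped echo (&lt;b&gt;...) means the input is reflected but rendered as
    text; only the raw echo lets an attacker change what the page displays.
    """
    return marker in body


def fetch(url: str):
    """GET url, returning (status, body); HTTP errors are returned as responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, ""


def check_host(host: str):
    """Live check of one hostname; needs `dig` on PATH and network access."""
    dig = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True)
    cnames = parse_dig_short(dig.stdout)
    status, body = fetch(f"https://{host}/")
    service = classify_dangling(cnames, status, body)
    # Put the probe in the path, where an error page is most likely to echo it.
    _, probe_body = fetch(f"https://{host}/{urllib.parse.quote(MARKER)}")
    return {
        "host": host,
        "cnames": cnames,
        "status": status,
        "dangling": service,
        "text_injection": reflects_unencoded(probe_body, MARKER),
    }


if __name__ == "__main__":
    for h in sys.argv[1:]:
        print(check_host(h))
```

Usage: `python3 recon_check.py sub1.target.com sub2.target.com` prints one dict per host. A `dangling` value of `"heroku"` only says the record is dangling and the service reports the name as unclaimed; actually binding the hostname to your own app is what proves the takeover, and, as the write-up notes, that step may be gated behind a paid plan, in which case the dangling record plus the fingerprint is the evidence to report.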
Report Timeline
Reported: 15 July 2022
Reviewed, triaged and resolved: 16 July 2022
Bounty Amount: $100