Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeronePeroniH1:165309
HistorySep 02, 2016 - 3:25 p.m.

Shopify: Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly

2016-09-0215:25:15
peroni
hackerone.com
533
JSON

Hi,

I’ve found a Shopifu cdn domain here which had an instance of fastly setup but did not remove the dns record when the service was cancelled. a subdomain takeover similar to that of https://hackerone.com/reports/32825 could be possible.

Vulnerable URL: http://genghis-cdn.shopify.io

Page Response:

Fastly error: unknown domain: genghis-cdn.shopify.io. Please check that this domain has been added to a service.

Which indicate that this domain is point to fastly but there is no app in fastly with that name allowing anyone to claim it.
The subdomain “http://genghis-cdn.shopify.io/” is currently pointing to Fastly (shopify-e.map.fastly.net), but is not registered to a service.

$ host genghis-cdn.shopify.io
genghis-cdn.shopify.io is an alias for shopify-e.map.fastly.net.
shopify-e.map.fastly.net is an alias for prod.shopify-e.map.fastlylb.net.
prod.shopify-e.map.fastlylb.net has address 151.101.60.108

Thanks!

JSON