Fastly Subdomain Takeover $2000 - Pentestmag

Fastly Subdomain Takeover $2000

Fastly Subdomain Takeover $2000

Bug Bounty — From zero to HERO

by Alexandar Thangavel AKA ValluvarSploit

# Passive Subdomain Enumeration using Google Dorking
site:* -www -www1 -blog
site:*.* -product

# Passive Subdomain Enumeration using OWASP Amass
amass enum -passive -d -config config.ini -o amass_passive_subs.txt

# Subdomain Brute force using Gobuster
gobuster dns -d -w wordlist.txt - show-cname - no-color -o gobuster_subs.txt
# Merging subdomains into one file
cat google_subs.txt amass_passive_subs.txt gobuster_subs.txt | anew subdomains.txt
# Enumerate CNAME records
./ -l subdomains.txt -o cnames.txt

# We can use HTTPX tool as well
httpx -l subdomains.txt -cname cnames.txt
# Probe for live HTTP/HTTPS servers
httpx -l subdomains.txt -p 80,443,8080,3000 -status-code -title -o servers_details.txt
DNS query for CNAME record [500] [246] [Fastly error: unknown domain]


Claimed domain on Fastly
mkdir hosting

cd hosting

nano index.html
<!DOCTYPE html>

    <head><title>STO PoC</title></head>
        <h1>ValluvarSploit PoC</h1>
python3 -m http.server 80
VPS Configuration
Proof of Concept
Monitoring server logs for fun

Originally posted at:

January 10, 2023
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013