Fastly Subdomain Takeover $2000

WHOAMI
My name is Alexandar Thangavel AKA ValluvarSploit, a full-time bug hunter and trainer. I love recon. I am the founder and CEO of ValluvarSploit Security. At ValluvarSploit Security, we are providing Bug Bounty training in one-to-one live sessions. For more information, please check our LinkedIn page.

OBJECTIVE
Today, I am going to share how I found Fastly subdomain takeover vulnerability and earn my first four digits bounty. Let’s get started.

BACKSTORY
This was started on October 2nd, 2022 Sunday. The day started as usual. I woke up at 6 AM, finished routine work, checked my Mobile data balance (1.3 GB was remaining), enabled my Mobile Hotspot, connected my Laptop, and resumed hunting on a private program. I spent a few hours on the target application but found nothing so took a short break. I used to revisit my old private programs at least once in six months. So, I reviewed my private invites, picked an old program and started performing subdomain enumeration (Let’s call our target as redacted.com).

SUBDOMAIN ENUMERATION
I started subdomain enumeration with Google Dorking, OWASP Amass and Gobuster tools.

# Passive Subdomain Enumeration using Google Dorking
site:*.redacted.com -www -www1 -blog
site:*.*.redacted.com -product

# Passive Subdomain Enumeration using OWASP Amass
amass enum -passive -d redacted.com -config config.ini -o amass_passive_subs.txt

# Subdomain Brute force using Gobuster
gobuster dns -d redacted.com -w wordlist.txt – show-cname – no-color -o gobuster_subs.txt

After enumerating subdomains, removed duplicate entries and merged them into a single file (subdomains.txt) using the Anew tool.

# Merging subdomains into one file
cat google_subs.txt amass_passive_subs.txt gobuster_subs.txt | anew subdomains.txt

Then passed the subdomains.txt file to my

Read more

Explore the site

More from the blog

Latest News