Statuspage service is still vulnerable. #105
Thank you for the pull request, @prial261. Please update the issue ticket with these details, link directly to your comment in the table reference, and then please add an actual fingerprint if possible in the "Fingerprint" column. I am trying to keep the table as uniform as possible; thank you for your understanding.
Thank you, @prial261.
Has someone informed Statuspage about this?
@JLLeitschuh, informed. No reply from them :')
@prial261 what about this scenario?
If I am not wrong, statuspage was known to be vulnerable before you created this issue. If what I have just said is true, I don't agree with taking an exact copy of the knowledge from this repository or another source and trying to make money out of it.
@melardev, no, you are wrong. Before creating this pull request statuspage was not vulnerable. According to #65 (which was created before my pull request) Statuspage was no longer vulnerable; then I discovered that they are not doing proper verification of ownership, which can be bypassed, and that's why I reported it to them to let them know. I also wasn't expecting a bounty for that report, and this is not about earning $$$. If I wished to do that, then I would search for vulnerable companies rather than reporting directly to the company. You can see more info at: https://help.statuspage.io/help/domain-ownership cheers
@prial261 I was not making an accusation against you because I was not quite sure. No hate to anybody, just saying what I think is fairer and more respectful to the original finders.
Hi @melardev,
I'm surprised Atlassian was fine with this being publicly disclosed before they fixed it. Their BB program explicitly calls out that disclosure is only allowed if they agree to disclosure.
@JLLeitschuh, sadly I thought to report it after pulling it here; I also added this link as a reference in that report too.
Looks no longer vulnerable (maybe in some old specific cases, or maybe in cases where some boxes share the same DNS pointing..)
Recently, I've come across a subdomain "xyz.program.com" pointing to statuspage services. I'm able to add the subdomain to my statuspage account. This was not working for a couple of other programs, and I would get the message that the Custom domain is already in use. In the past, on completion of setting up the custom domain to your page, visiting the custom domain (without activating) would redirect you to your page, hence confirming the takeover. The POC would require a $29 plan for the redirect to work for the public. Now, for "xyz.program.com" it is still redirecting to the statuspage homepage. Is anyone aware if activating the account would ensure the POC is hosted? I do not want to spend $29 if it won't work. Thanks
Can stspg-customer.com subdomains still be taken over?
@daxin09pp, this issue was fixed from their side, so no more takeover possible. I will push an update soon on this repo.
Thank you for your quick reply. @prial261
Statuspage pushed a DNS verification in order to prevent malicious takeovers, which they mention in https://support.atlassian.com/statuspage/docs/configure-your-dns/ However, when I created this pull request I was able to bypass this DNS verification, as there was no mechanism that verifies whether the expected value for the customer's CNAME record matches the statuspage account; that was fixed later after my report to their program. So no more takeover here until some genius finds another way :D Happy hacking <3
On May 21, 2019 statuspage released DNS Configuration Requirements, according to which, to use a Custom Domain with statuspage, users have to do ownership verification by pointing their subdomains to [unique_string].stspg-customer.com. So no more subdomain takeover? According to #65 Statuspage is no longer vulnerable. But while testing a bug bounty program site I was able to take over their unclaimed subdomain, which was pointing to [unique_string].stspg-customer.com. The issue is that Statuspage is serving contents to a domain before doing full proper DNS config validation.

In the case of my testing, the company subdomain status.site.com was pointing to CNAME xxxz3xqnrnmx.stspg-customer.com, but when I added it to a page's Custom domain in the Statuspage service it asked me to update my DNS for it to work, and the DNS config page's Expected value was yyybgwgbwg25.stspg-customer.com. Clicking on Record revalidate says "It doesn't look like the correct record has been set yet." as status.site.com was pointing to CNAME xxxz3xqnrnmx.stspg-customer.com, which is completely different from the Expected value yyybgwgbwg25.stspg-customer.com. But ignore it ;) When I visited status.site.com in a browser it redirected me to https://takeovered-by-prial261.statuspage.io. So without proper validation of ownership of the domain I got the ability to serve contents on it. So an attacker can claim a subdomain of a user without proper validation and serve contents on the subdomain.

Best Regards
Prial
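The ownership check this pull request says was missing, as an added Python illustration that is not Statuspage's code: the weak check accepts any CNAME under stspg-customer.com (so a stale record from a different account passes), while the strict check only lets content be served when the CNAME target equals the account's assigned expected value. SAMPLE_DNS is a constructed lookup table standing in for a real resolver; the record values are the ones quoted in the PR text.

```python
"""Custom-domain ownership verification: suffix-only (defective) vs. exact-match (fixed).

Added illustration modelled on the PR description; not Statuspage's implementation.
"""

VERIFICATION_ZONE = "stspg-customer.com"

# Constructed sample DNS data (hostname -> CNAME target). The first two targets
# are the values quoted in the PR; the hostnames other than status.site.com are
# made up for the example.
SAMPLE_DNS = {
    "status.site.com.": "xxxz3xqnrnmx.stspg-customer.com.",   # stale record, other account
    "status.owned.example.": "yyybgwgbwg25.stspg-customer.com.",  # record for this account
    "status.plain.example.": "cdn.example.net.",               # unrelated CNAME
}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so DNS names compare exactly."""
    return name.strip().lower().rstrip(".")


def lookup_cname(host: str, dns=SAMPLE_DNS):
    """Return the CNAME target for host from the injected table, or None."""
    return dns.get(normalize(host) + ".")


def weak_check(host: str, dns=SAMPLE_DNS) -> bool:
    """Defect described in the PR: any target under the verification zone passes,
    regardless of which account the unique string belongs to."""
    target = lookup_cname(host, dns)
    return target is not None and normalize(target).endswith("." + VERIFICATION_ZONE)


def strict_check(host: str, expected: str, dns=SAMPLE_DNS) -> bool:
    """Fix: the target must be inside the verification zone AND equal the
    [unique_string].stspg-customer.com value issued to this account."""
    target = lookup_cname(host, dns)
    if target is None:
        return False
    t = normalize(target)
    return t.endswith("." + VERIFICATION_ZONE) and t == normalize(expected)


def serve_decision(host: str, expected: str, dns=SAMPLE_DNS) -> str:
    """Gate that a provider would place before routing traffic for a custom domain."""
    return "serve" if strict_check(host, expected, dns) else "deny: CNAME does not match expected value"
```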