Proof of Concept: Subdomain Takeover

This page is proof of a vulnerability reported in good faith.
A low-privilege authenticated attacker can take over arbitrary *.statichost.eu and *.statichost.page subdomains and serve arbitrary content under valid HTTPS.

Takeover details

Researcher     : Tushar Sharma
Reported to    : statichost.eu security (via HackerOne handle @tushar6378)
Hijacked URL   : https://admin.statichost.eu/
Attacker site  : csan342 (owned by tushar6378+1@wearehackerone.com)
Method         : Setting primary_domain on attacker-owned site to admin.statichost.eu
                 via POST /csan342/settings/domains — no ownership verification.
Timestamp      : 2026-04-17 07:11:30 UTC

Why this is critical

Attacker can claim login.statichost.eu, billing.statichost.eu, support.statichost.eu, account.statichost.eu, etc. — all serve attacker content under a valid Let's Encrypt certificate.
Any customer subdomain whose build has failed (e.g., my-blog.statichost.eu) can be hijacked and replaced with attacker content.
No DNS, email, or HTTP challenge is performed to verify the claimed domain actually belongs to the attacker.
Combined with a phishing email this turns into a credible credential-theft / malware-distribution channel using a brand-authentic URL.

Suggested fix

Reject any primary_domain / redirect_domains that end in .statichost.eu or .statichost.page unless the sub-label matches the site's own managed_domain.
For external custom domains, require a DNS TXT verification or HTTP-01 challenge before activating.

This page will be removed immediately on request. Contact: Tushar via HackerOne handle tushar6378.