← back to lessons

Lesson: Statuspage takeover triage needs the Host-header / claimed-control discriminator, not the raw-CNAME 302

Banked: 2026-06-12 (Web2 passive sprawl recon, Spotify program) Class: subdomain-takeover / SaaS dangling-custom-domain Service: Atlassian Statuspage (*.stspg-customer.com)

The trap

When triaging a host CNAME'd to <token>.stspg-customer.com, fetching the RAW CNAME hostname (https://<token>.stspg-customer.com/) returns 302 -> https://www.statuspage.io with Server: AtlassianEdge for BOTH claimed AND unclaimed pages. Reason: Statuspage routes by the Host header (the configured custom domain). A request whose Host is the raw *.stspg-customer.com token does not match any custom domain, so it always bounces to the statuspage.io marketing root.

=> The raw-CNAME 302-to-statuspage.io is NOT, by itself, an unclaimed/takeover signal. False-positive risk if you stop there.

The correct discriminator

Fetch with the REAL host (real DNS / correct Host header) and compare against a claimed control on the same infra:

Always pull a sibling CLAIMED Statuspage on the same target as your control (e.g. on the Spotify target, status.megaphone.fm = claimed 200+x-statuspage-version was the control that proved status.adanalytics.spotify.com = dangling).

Heuristic rule: "Statuspage candidate = real-host fetch has NO x-statuspage-version AND bounces to statuspage.io; confirmed by contrast with a claimed sibling that DOES carry x-statuspage-version."

Pre-submit caveat (do not skip)

Atlassian added optional custom-domain VERIFICATION (TXT record) on some tiers. Before claiming a Statuspage takeover as exploitable, confirm free-tier custom-domain binding still works WITHOUT a verification step for that host. If verification is enforced, a dangling CNAME downgrades to informational. The passive dangling fingerprint is real regardless; exploitability hinges on the binding flow.

Generalizable

This "raw-CNAME response is identical for claimed and unclaimed; you must test with the real Host and a claimed control" pattern applies to any Host-routed SaaS (Statuspage, some CDN-fronted SaaS, multi-tenant platforms). Do not fingerprint takeover off the raw CNAME endpoint alone - route by the actual custom domain Host and diff against a known-claimed sibling.

Env note (not a target finding)

This sandbox intermittently drops the HTTPS GET body after a successful TLS handshake (code=000 / len=0) while the HTTP path returns cleanly. When HTTPS gives 000, fall back to HTTP-layer signal (status line, Location, Server) which was reliable here. Do not misread a sandbox-dropped HTTPS body as target behavior.

Generated 2026-07-02 13:15:05 UTC | auto-sync /15min