
Comments (36)

ByQwert commented on August 11, 2024 7

Webflow requires a TXT verification.

from can-i-take-over-xyz.

x1mdev commented on August 11, 2024 6

I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com to proxy-ssl.webflow.com. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.

Apparently, this is a pay2win Subdomain Takeover :p

testusername911 commented on August 11, 2024 3

You can claim a subdomain, but it needs TXT verification, which means you cannot publish a site, so it is useless (takeover not possible)... unless someone finds a "bypass" in the future.

0xc0ffeee commented on August 11, 2024 2

This is not vulnerable. I just tried it on an endpoint that was hosted on Webflow and had 404 on both HTTP and HTTPS.

PjMpire commented on August 11, 2024 2

- Create a Webflow account and upgrade to the basic paid option
- Create a blank site
- Go to project settings > hosting
- Scroll down to the custom domains section and add the vulnerable domain

- Signature of takeover is a Webflow 404, same as OP.

Takeover is not possible when the owner has parked the custom domain but not published the site. This scenario would still produce a Webflow 404 and can therefore be marked as an edge case.

Regards

PjMpire commented on August 11, 2024 2

@0xc0ffeee If the custom domain is registered but the site is not published, you will see the Webflow 404 page but be unable to register the domain. In this scenario you will get a false positive, hence my advice to update this to edge case.

szd commented on August 11, 2024 2

Hi everyone,

I just managed to take over several subdomains on the same target (H1 private program) and I have a theory explaining some false positives.

I observed a Webflow 404 on several subdomains of my target:

  • aaa.victim.com
  • bbb.victim.com
  • ccc.victim.com

Webflow let me add these subdomains to my dummy website but unfortunately, when I visited them, I still got the Webflow 404.

I thought it was a false positive.

Several days later, I remembered that Webflow allows you to mark one of your custom domains as "default":

[screenshot: Set a default domain]

So if the subdomains I discovered are linked to another "default" one, I will only be able to take over all of them if I find the "default" subdomain.

I've been on this target for a few months, so I managed to quickly find a past Webflow subdomain, zzz.victim.com (now unreachable but still in the victim.com Webflow account). So I added this subdomain to my own Webflow account and the magic happened.

So try to see if your target has several subdomains (even old ones that are no longer online) linked to Webflow.

0xc0ffeee commented on August 11, 2024 1

[screenshot: 404 - Page not found]

saurabhss06 commented on August 11, 2024 1

Yes, Webflow is vulnerable. I did take over one subdomain using it and published a write-up on this vulnerability.

bunny0417 commented on August 11, 2024 1

I recently reported a takeover on a program at Intigriti using Webflow, but you have to buy premium in order to achieve this.

rodr-r commented on August 11, 2024 1

Hi guys, is this still an edge case or is it not vulnerable anymore? Can anyone confirm?

MuhammadUsman-coder commented on August 11, 2024 1

I just tried doing a takeover and I can confirm it is not vulnerable anymore.

All the options it gives to add a custom domain ask for TXT verification, thus NOT VULNERABLE.

Avileox commented on August 11, 2024

Thank you for the update. Can you please show the initial screenshot of the "404" page?

Avileox commented on August 11, 2024

I can confirm that it is not vulnerable anymore.
Thanks for keeping us updated.

PjMpire commented on August 11, 2024

Webflow sites are still vulnerable to takeover so you may want to change this

Just had a report triaged to confirm.

regards

Avileox commented on August 11, 2024

Can you please share the steps to take over a subdomain through Webflow?

Avileox commented on August 11, 2024

Thank you for the update.

0xc0ffeee commented on August 11, 2024

Interesting. I had a "404 Not Found" response on a webflow website but I was still not able to complete the takeover.

I would receive the following error: "That domain is already connected to a Webflow site."

Mind sharing more information without disclosing the target? @PjMpire

mrsin15 commented on August 11, 2024

Hey everyone, is Webflow subdomain takeover still possible? Thanks.
@PjMpire @Avileox

Captain0X commented on August 11, 2024

https://university.webflow.com/lesson/connect-a-custom-domain everybody can see this video~

pdelteil commented on August 11, 2024

@szd,

Thanks for your detailed explanation.

arthur4ires commented on August 11, 2024

I just confirmed here, I managed to claim domains in a pentest.

abd-4fg commented on August 11, 2024

Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected to any other Webflow account.

Recently I was able to claim 4 subdomains pointing to the Webflow service, among which three subdomains gave the following error:
[screenshot: Before (404 status)]
If you come across a subdomain page that looks like the above, then it's vulnerable.

Also note that some Webflow-hosted vulnerable subdomains may result in Error: SSL_PROTOCOL_ERROR when you visit them; I was able to claim this one too in my Webflow account.

Keep in mind: Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected to any other Webflow account.
Hosting a domain is in the paid plan of Webflow, $15/month.

from can-i-take-over-xyz.
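Seen from the domain owner's side, the condition discussed in this thread (a CNAME to proxy-ssl.webflow.com for a hostname that no Webflow site has connected) can be audited against your own zone. The following is an added example, not part of any comment here; the zone export, the `CONNECTED` inventory and all function names are constructed assumptions.

```python
import re

WEBFLOW_TARGET = "proxy-ssl.webflow.com"  # CNAME target named in the thread

# Constructed zone export for example.com (not real data).
ZONE = """\
$ORIGIN example.com.
www     300 IN CNAME proxy-ssl.webflow.com.
blog    300 IN CNAME proxy-ssl.webflow.com.
promo   300 IN CNAME Proxy-SSL.Webflow.com.   ; campaign ended
shop    300 IN CNAME shops.example.net.
old.example.com. 300 IN CNAME proxy-ssl.webflow.com.
"""

# Constructed inventory: custom domains connected to the organisation's own
# Webflow sites, mapped to whether that site is published.
CONNECTED = {"www.example.com": True, "blog.example.com": False}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)

def fqdn(name, origin):
    """Lower-case absolute name without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def webflow_cnames(zone_text):
    """Yield hostnames whose CNAME points at the Webflow proxy."""
    origin = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".")
            continue
        m = CNAME_RE.match(line)
        if m and fqdn(m.group(2), origin) == WEBFLOW_TARGET:
            yield fqdn(m.group(1), origin)

def audit(zone_text, connected):
    """Classify each Webflow-bound hostname from the owner's point of view."""
    report = {}
    for host in webflow_cnames(zone_text):
        if host not in connected:
            report[host] = "dangling: remove the CNAME or reconnect the domain"
        elif not connected[host]:
            # The edge case from the thread: connected but unpublished.
            report[host] = "parked: connected but unpublished, serves a Webflow 404"
        else:
            report[host] = "ok"
    return report
```

Calling `audit(ZONE, CONNECTED)` on the constructed data marks `promo.example.com` and `old.example.com` as dangling and `blog.example.com` as parked.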


0xmaruf commented on August 11, 2024

I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com to proxy-ssl.webflow.com. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.

Apparently, this is a pay2win Subdomain Takeover :p

Hi dude, if target.dom.com is showing valid content and its CNAME is giving a 404, can it be taken over?

codedbrain commented on August 11, 2024

I just took over a sub-domain with Webflow. It works but requires a premium plan! It's a paid sub-domain takeover ;)

muhammadahmad62 commented on August 11, 2024

Same here, still vulnerable if you have a premium account.

rudram4 commented on August 11, 2024

Hey guys @PjMpire @saurabhss06 @bunny0417
I have a website where the same error is coming, not on any subdomain but on the domain itself.

Let's say this page on the domain:
https://abc.com/careers/junior-software-engineers
https://usabilityhub.com/assets/app_libraries-5eab97030d19c3cfa7406ed6d0067a.js

The same error comes and I have cross-checked that it is from Webflow only,
so any idea if further exploitation is possible in any way?

saurabhss06 commented on August 11, 2024

I don't think it's vulnerable or takeoverable. It's a custom page.

zy9ard3 commented on August 11, 2024

Any updates on this takeover ???

Is this still possible ???

I'm experiencing enforced requirement for mandatory TXT verification !!

VictimV59 commented on August 11, 2024

Hey guys @PjMpire @saurabhss06 @bunny0417, do you have any idea: is it possible to take this over anymore? If anyone can confirm, it'll be very helpful to the community.

Thanks in advance.

xElkomy commented on August 11, 2024

Any updates on this takeover ???

Is this still possible ???

I'm experiencing enforced requirement for mandatory TXT verification !!

Is it still vulnerable?

drocapy commented on August 11, 2024

Hey guys,
Is it still vulnerable?
[screenshot: 404]

Kools-cmd commented on August 11, 2024

Hi, any update on this?
Did you find any bypass for this?

nakib85 commented on August 11, 2024

Hi guys, is this still an edge case or is it not vulnerable anymore? Can anyone confirm?

???

nvk0x commented on August 11, 2024

Hi,

It's not vulnerable. I just tried; it will ask for TXT verification.
