Comments (36)
Weblow requires a TXT verification.
from can-i-take-over-xyz.
I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com
to proxy-ssl.webflow.com
. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com
confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.
Apparently, this is a pay2win Subdomain Takeover :p
from can-i-take-over-xyz.
You can claim a subdomain but needs TXT verification which means you cannot publish a site so it is useless (takeover not possible).. unless someone finds a "bypass" in the future.
from can-i-take-over-xyz.
This is not vulnerable. I just tried it on an endpoint that was hosted on Webflow and had 404 on both HTTP and HTTPS.
from can-i-take-over-xyz.
-Create webflow account and upgrade to basic paid option
-Create blank site
-Go to project settings > hosting
-Scroll down to custom domains section and add vulnerable domain
-Signature of takeover is webflow 404 same as OP.
Takeover is not possible when owner parked the custom domain but not published the site. This scenario would still produce a webflow 404 therefore can be marked as edge case.
Regards
from can-i-take-over-xyz.
@0xc0ffeee If the custom domain is registered but the site is not published you will see webflow 404 page but be unable to register the domain. In this scenario you will get a false positive hence my advice to update this to edge case.
from can-i-take-over-xyz.
Hi everyone,
Just manage to takeover several subdomains on the same target (H1 private prgm) and I have a theory explaining some false positive.
I observed a webflow 404 on several subdomains of my target:
- aaa.victim.com
- bbb.victim.com
- ccc.victim.com
Webflow let me add these subdomains on my dummy website but unfortunately, when I visit them, still got webflow 404.
I thought it was false positive.
Several days later, I remember that Webflow allow to mark one of your custom domain "default":
So if the subdomains I discovered are linked to another "default" one, I will only be able to takeover all if I found the "default" subdomain.
I'm on this target since of few month so I manage to quickly found a past webflow subdomain zzz.victim.com (Now unreachable but still in victim.com webflow account). So I added this subdomain on my own webflow account and the magic happened.
So try to see if your target has several subdomains (even old one, no more online) linked to Webflow.
from can-i-take-over-xyz.
from can-i-take-over-xyz.
Yes, Webflow is vulnerable. I did takeover one subdomain using it and published a write-up on this vulnerability
from can-i-take-over-xyz.
I recently reported a takeover on a program at intigriti using Webflow , but you have to buy a premium inorder to achieve this.
from can-i-take-over-xyz.
Hi guys is this still edge case or it is not vulnerable anymore can anyone confirm
from can-i-take-over-xyz.
I just tried doing takeover and i can confirm it is not vulnerable anymore .
All the options it gives to add custom domain asks for txt verification , Thus NOT VULNERABLE
from can-i-take-over-xyz.
Thank you for the update, can you please show the initial screenshot of "404" page
from can-i-take-over-xyz.
I can confirm that it is not vulnerable anymore,
Thanks for keeping us updated.
from can-i-take-over-xyz.
Webflow sites are still vulnerable to takeover so you may want to change this
Just had a report triaged to confirm.
regards
from can-i-take-over-xyz.
Can you please share steps to takeover subdomain through webflow.
from can-i-take-over-xyz.
Thank you for the update.
from can-i-take-over-xyz.
Interesting. I had a "404 Not Found" response on a webflow website but I was still not able to complete the takeover.
I would receive the following error: "That domain is already connected to a Webflow site."
Mind sharing more information without disclosing the target? @PjMpire
from can-i-take-over-xyz.
Hey everyone, is Webflow subdomain takeover still possible? Thanks.
@PjMpire @Avileox
from can-i-take-over-xyz.
https://university.webflow.com/lesson/connect-a-custom-domain everybody,can see this vdio~
from can-i-take-over-xyz.
@szd,
Thanks for your detailed explanation.
from can-i-take-over-xyz.
I just confirmed here, I managed to claim domains in a pentest.
from can-i-take-over-xyz.
Webflow subdomains is vulnerable to takeover only if the particular subdomain is not connected with any other webflow account.
Recently i was able to claim 4 subdomains pointing to webflow service among which three subdomain gave the following error :
If you come across the above look alike subdomain page , then its vulnerable.
Also note that some webflow hosted vulnerable subdomains may result in Error : SSL_PROTOCOL_ERROR , when you visit them , i was able to claim this one too in my webflow account.
Keep in mind: Webflow subdomains is vulnerable to takeover only if the particular subdomain is not connected with any other webflow account.
Hosting domain is in paid plan of webflow $15/month.
from can-i-take-over-xyz.
from can-i-take-over-xyz.
I was able to claim a dangling Webflow subdomain just now; CNAME pointed from
sub.victim.com
toproxy-ssl.webflow.com
. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating tosub.victim.com
confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.Apparently, this is a pay2win Subdomain Takeover :p
hi dude if target.dom.com is showing valid content and its cname is giving 404 can it be taken over???
from can-i-take-over-xyz.
I just took over a sub-domain with webflow. It works but requires a premium plan ! It's a paid sub-domain takeover ;)
from can-i-take-over-xyz.
same here still vulnerable if you have a premium account
from can-i-take-over-xyz.
hey guys @PjMpire @saurabhss06 @bunny0417
i have a website, the same error is coming but not on any subdomain, but on the domain itself,
lets say this page on the domain
https://abc.com/careers/junior-software-engineers
https://usabilityhub.com/assets/app_libraries-5eab97030d19c3cfa7406ed6d0067a.js
the same error comes and i have cross checked it is of the webflow only,
so any idea if further exploitation is possible in any way
from can-i-take-over-xyz.
I don't think its vulnerable or takeorable, Its a custom page.
from can-i-take-over-xyz.
Any updates on this takeover ???
Is this still possible ???
I'm experiencing enforced requirement for mandatory TXT verification !!
from can-i-take-over-xyz.
hey guys @PjMpire @saurabhss06 @bunny0417 do you have any idea, Is it possible to takeover this anymore? If anyone can confirm, it'll be very helpful to the community.
Thanks in advance.
from can-i-take-over-xyz.
Any updates on this takeover ???
Is this still possible ???
I'm experiencing enforced requirement for mandatory TXT verification !!
Does it still vulnerable?
from can-i-take-over-xyz.
hey guys ,
Does it still vulnerable?
from can-i-take-over-xyz.
Hi any update on this
Did you find any bypass for this ?
from can-i-take-over-xyz.
Hi guys is this still edge case or it is not vulnerable anymore can anyone confirm
???
from can-i-take-over-xyz.
Hi,
It's not vulnerable, I just tried, it will ask for txt verification
from can-i-take-over-xyz.
Related Issues (20)
- Squarespace Subdomain Takeover on EdgeCase as Domain Not Claimed HOT 1
- (Page Not Found) pointing to cdne-myjls-admin-int.azureedge.net ( IS THIS VULNERABLE??)
- is this vulnerable?
- Is mailgun.org still vulnerable?? HOT 4
- (404 Web Site not found) Microsoft Azure vulnerable?
- Is fillout.com vulnerable?
- Gemfury fingerprint is very prone to false positiver HOT 1
- cannot set a custom domain at this time.
- squadcast subdomain takeover
- Okta is NOT vulnerable
- Helpscout subdomain takeover HOT 1
- stage-portal Canada Dns? HOT 3
- Subdomain takeover via helpdocs.io
- Subdomain Takeover via Gohire HOT 2
- Does "Sorry, this store is currently unavailable" mention to shopify subdomain takeover? HOT 7
- Subdomain takeover
- Subdomain HOT 1
- Vulunreable or not.. 404 error it will be saying in here .. HOT 2
- Discoure "trydiscourse.com" subdomain doesn't vulnerable
- Unable to determine the correct region to create S3 bucket for subdomain takeover. HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from can-i-take-over-xyz.