Domain takeover via wix.com

[kenziy]

Service name

https://www.wix.com/

Proof

#Fingerprint
Looks Like This Domain Isn't Connected To A Website Yet!

#Steps

1. Register to wix
2. Create a new site
3. Publish > Connect your own customized domain (Need premium account)
   
4. Add the vulnerable domain
5. Publish

#NOTE for subdomains
"You cannot connect a subdomain in your Wix account if the main domain is in a different Wix account. You must create the subdomain in the same Wix account as the main domain."
https://support.wix.com/en/article/connecting-a-subdomain-to-a-site-in-your-wix-account

Cheers
Kenziy

[pdelteil]

This is an edge case. It would only work if the account was deleted.

I still have a premium account if someone wants to test the take over.

[pdelteil]

More info: https://hackerone.com/reports/1256389

[monizb]

Wix.com - not Vulnerable #245

Can I please have your account for a test?

[pdelteil]

I can confirm this takeover still works. It's an edge case since there are conditions that allow the subdomain to be register in another account.

I did the take over on a particular subdomain and only worked, all the others (same program) didn't work.

[akincibor]

Hi,

It's possible even if the root domain is in another account. When you publish your site and have a premium account, go to connect a domain.

Then choose I'm looking for a subdomain :

When you enter your subdomain, you will have some step to complete like connect to your root domain account and add DNS/CNAME but they are already done by the target team.

So just go at the end and click verify.

Even after that, you will maybe see nothing but just go to https://manage.wix.com/account/domains and you will see that verification passed but it's again under check. I think the wix support team double check manually to validate ? You will have your response after 48 hours.

I think if we can impersonate the target, or maybe due to wix support mistakes, you can takeover the subdomain even if the main domain is in a different account.

[mazin208]

Does anyone has a premium account I can check with please?

[cyb3rsalih]

It doesn't work, If another account have the domain

[mazin208]

How can I know if another account has the domain without having premium account 😅💔

[cyb3rsalih]

How can I know if another account has the domain without having premium account 😅💔

you have to buy 🤷‍♂️ You can request refund after trying. The monthly package is not so expensive i think :)

[trilokdhaked]

please provide wix-takeover bug report format .

[vionde]

I tried this rn and got domain connected to different account. Despite having a moneyback opportunity, I copied some endpoints that can show is domain available or not. I do my tests against root domain, so for subdomain it may vary. You can use it even without premium plan

I show JSON body for domain google.net as example

POST /_serverless/premium-domains-serverless/domain-search/domain-data HTTP/1.1
Host: manage.wix.com
Cookie: <COOKIES>

{"parsedDomain":{"input":"google.net","main":"google.net","tld":"net","sld":"google","subdomain":null,"isValidTld":true,"formattedInput":"google.net"}}

JSON body variables pretty obviously, so you can try for subdomain, just insert your parts of the domain

[waelahmed-dev]

Can anyone help me for testing takeover with premium account? my twitter: @waeldevx

[sam5epi0l]

Anyone have premium account? my twitter: @sam5epi0l

[N-N33]

If anyone can share their wix premium so I can test a particular subdomain for takeover I'm willing to split the bounty if I get any.

Send me what ever platform username you want me to reach you at.