Subdomain Takeover through Webflow #44

Avileox opened this issue Sep 21, 2018 · 40 comments
Labels
not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers.

Comments

@Avileox
Contributor

Avileox commented Sep 21, 2018

Service name
webflow

Website
https://webflow.com/

Report
https://hackerone.com/reports/399165

Subdomain takeover through Webflow is possible, but to create a PoC you need a paid account, because Webflow needs a paid account for creating subdomains and using web hosting through Webflow.

@codingo codingo added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Oct 14, 2018
@0xc0ffeee

This is not vulnerable. I just tried it on an endpoint that was hosted on Webflow and had 404 on both HTTP and HTTPS.
[Image: webflow]

@Avileox
Contributor Author

Avileox commented May 16, 2019

Thank you for the update. Can you please show the initial screenshot of the "404" page?

@0xc0ffeee

[Image: 404_-_Page_not_found]

@Avileox
Contributor Author

Avileox commented May 17, 2019

I can confirm that it is not vulnerable anymore,
Thanks for keeping us updated.

@codingo codingo added not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. and removed vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. labels May 17, 2019
@codingo codingo self-assigned this May 17, 2019
@PjMpire

PjMpire commented Sep 2, 2019

Webflow sites are still vulnerable to takeover so you may want to change this

Just had a report triaged to confirm.

regards

@Avileox
Contributor Author

Avileox commented Sep 2, 2019

Can you please share the steps to take over a subdomain through Webflow?

@PjMpire

PjMpire commented Sep 2, 2019

- Create webflow account and upgrade to basic paid option
- Create blank site
- Go to project settings > hosting
- Scroll down to custom domains section and add vulnerable domain

- Signature of takeover is webflow 404 same as OP.

[Image: Screenshot_3]

Takeover is not possible when the owner has parked the custom domain but not published the site. This scenario would still produce a Webflow 404 and can therefore be marked as an edge case.

Regards

@Avileox
Contributor Author

Avileox commented Sep 2, 2019

Thank you for the update.

@0xc0ffeee

Interesting. I had a "404 Not Found" response on a webflow website but I was still not able to complete the takeover.

I would receive the following error: "That domain is already connected to a Webflow site."

Mind sharing more information without disclosing the target? @PjMpire

@PjMpire

PjMpire commented Sep 3, 2019

@0xc0ffeee If the custom domain is registered but the site is not published, you will see the Webflow 404 page but be unable to register the domain. In this scenario you will get a false positive, hence my advice to update this to edge case.

[Image: webflow 1]

@mrsin15

mrsin15 commented Apr 14, 2021

Hey everyone, is Webflow subdomain takeover still possible? Thanks.
@PjMpire @Avileox

@Captain0X

https://university.webflow.com/lesson/connect-a-custom-domain Everybody can see this video~

@szd

szd commented Nov 19, 2021

Hi everyone,

Just managed to take over several subdomains on the same target (H1 private program) and I have a theory explaining some false positives.

I observed a webflow 404 on several subdomains of my target:

  • aaa.victim.com
  • bbb.victim.com
  • ccc.victim.com

Webflow let me add these subdomains on my dummy website but unfortunately, when I visited them, I still got the Webflow 404.

I thought it was false positive.

Several days later, I remembered that Webflow allows you to mark one of your custom domains as "default":

[Image: 60b6a9678bebf79daaf42a75_Set-a-default-domain_1]

So if the subdomains I discovered are linked to another "default" one, I will only be able to take them all over if I find the "default" subdomain.

I've been on this target for a few months, so I managed to quickly find a past Webflow subdomain zzz.victim.com (now unreachable but still in the victim.com Webflow account). So I added this subdomain on my own Webflow account and the magic happened.

So try to see if your target has several subdomains (even old ones, no longer online) linked to Webflow.

@pdelteil
Contributor

@szd,

Thanks for your detailed explanation.

@arthur4ires

I just confirmed here, I managed to claim domains in a pentest.

@x1mdev

x1mdev commented Mar 18, 2022

I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com to proxy-ssl.webflow.com. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.

Apparently, this is a pay2win Subdomain Takeover :p

@abd-4fg

abd-4fg commented May 19, 2022

Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected with any other Webflow account.

Recently I was able to claim 4 subdomains pointing to the Webflow service, among which three subdomains gave the following error:
[Image: Before_(404_status)]
If you come across a subdomain page that looks like the above, then it's vulnerable.

Also note that some Webflow-hosted vulnerable subdomains may result in Error: SSL_PROTOCOL_ERROR when you visit them; I was able to claim this one too in my Webflow account.

Keep in mind: Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected with any other Webflow account.
Hosting a domain is in the paid plan of Webflow, $15/month.

@Captain0X

Captain0X commented May 19, 2022 via email

@0xmaruf

0xmaruf commented Sep 8, 2022

I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com to proxy-ssl.webflow.com. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.

Apparently, this is a pay2win Subdomain Takeover :p

Hi dude, if target.dom.com is showing valid content and its CNAME is giving 404, can it be taken over???

@codedbrain

codedbrain commented Oct 1, 2022

I just took over a sub-domain with webflow. It works but requires a premium plan ! It's a paid sub-domain takeover ;)

@muhammadahmad62

same here still vulnerable if you have a premium account

@saurabhss06

Yes, Webflow is vulnerable. I did takeover one subdomain using it and published a write-up on this vulnerability

@bunny0417

bunny0417 commented Jul 6, 2023

I recently reported a takeover on a program at Intigriti using Webflow, but you have to buy a premium plan in order to achieve this.

@rudram4

rudram4 commented Jul 26, 2023

Hey guys @PjMpire @saurabhss06 @bunny0417
I have a website; the same error is coming, not on any subdomain but on the domain itself.

lets say this page on the domain
https://abc.com/careers/junior-software-engineers
https://usabilityhub.com/assets/app_libraries-5eab97030d19c3cfa7406ed6d0067a.js

The same error comes, and I have cross-checked that it is from Webflow only,
so any idea if further exploitation is possible in any way?
[Image]

@saurabhss06

I don't think it's vulnerable or takeoverable; it's a custom page.

@zy9ard3

zy9ard3 commented Oct 9, 2023

Any updates on this takeover ???

Is this still possible ???

I'm experiencing enforced requirement for mandatory TXT verification !!

@ByQwert

ByQwert commented Oct 12, 2023

Webflow requires a TXT verification.
[Image]

@VictimV59

hey guys @PjMpire @saurabhss06 @bunny0417 do you have any idea, Is it possible to takeover this anymore? If anyone can confirm, it'll be very helpful to the community.

Thanks in advance.

@xElkomy

xElkomy commented Nov 19, 2023

Any updates on this takeover ???

Is this still possible ???

I'm experiencing enforced requirement for mandatory TXT verification !!

Is it still vulnerable?

@drocapy

drocapy commented Jan 6, 2024

Hey guys,
Is it still vulnerable?
[Image: 404]

@testusername911

You can claim a subdomain but it needs TXT verification, which means you cannot publish a site, so it is useless (takeover not possible), unless someone finds a "bypass" in the future.
[Image: Screenshot 2024-01-17 at 4 39 40 PM]

@Kools-cmd

Kools-cmd commented Feb 18, 2024

Hi any update on this
Did you find any bypass for this ?

@ronsteph

Hi guys is this still edge case or it is not vulnerable anymore can anyone confirm

@nakib85

nakib85 commented Mar 29, 2024

Hi guys is this still edge case or it is not vulnerable anymore can anyone confirm

???

@MuhammadUsman-coder

I just tried doing a takeover and I can confirm it is not vulnerable anymore.

All the options it gives to add a custom domain ask for TXT verification, thus NOT VULNERABLE.

@nvk0x

nvk0x commented Apr 18, 2024

Hi,

It's not vulnerable, I just tried, it will ask for txt verification

paulf69487623 pushed a commit to yahoo/SubdomainSleuth that referenced this issue May 28, 2024
This hasn't been tested, because you need a paid account.

See EdOverflow/can-i-take-over-xyz#44 for more details.
@HackerSSG

following

Hey buddy please help me it's my first time to check takeover could i get webflow credentials to just check custom domain is adding or not can any body help me

@HackerSSG

Hey buddy please help me it's my first time to check takeover could i get webflow credentials to just check custom domain is adding or not can any body help me

@KAFILTAFISH21

Hey buddy please help me it's my first time to check takeover could i get webflow credentials to just check custom domain is adding or not can any body help me

+1

I am also in search for credentials for testing :|

@abd-4fg

abd-4fg commented Jul 22, 2024

@KAFILTAFISH21 @usmanzahid123999 Webflow subdomain takeover is not possible anymore, read the above comments!
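
For the domain owner's side of the two cases the thread distinguishes (a CNAME to proxy-ssl.webflow.com whose hostname is not connected to any Webflow site, versus one that is connected but unpublished and so serves the Webflow 404), a zone audit can separate them. This is an added example, not part of the original thread; the zone snippet, the example.test names and the hand-exported `ACCOUNT` inventory are constructed assumptions.

```python
# Added example: audit a zone you own for CNAMEs left pointing at Webflow.
# ZONE and ACCOUNT are constructed sample data (example.test is a placeholder).
WEBFLOW_TARGETS = {"proxy-ssl.webflow.com"}  # CNAME target named in the thread

ZONE = """\
$ORIGIN example.test.
www    300 IN CNAME proxy-ssl.webflow.com.
blog   300 IN CNAME proxy-ssl.webflow.com.
promo  300 IN CNAME proxy-ssl.webflow.com.  ; campaign ended, site deleted
docs   300 IN CNAME docs-host.example.net.
mail   300 IN A     192.0.2.10
"""

# Assumed inventory from your own Webflow account: custom domain -> published?
ACCOUNT = {"www.example.test": True, "blog.example.test": False}

def webflow_cnames(zone_text):
    """Yield the FQDN of every CNAME record that targets a Webflow host."""
    origin = ""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:
            continue  # not a CNAME record, or no target after the type
        target = fields[types.index("CNAME", 1) + 1].rstrip(".").lower()
        if target not in WEBFLOW_TARGETS:
            continue
        name = fields[0].lower()
        if name.endswith("."):
            yield name.rstrip(".")  # already fully qualified
        else:
            yield origin if name == "@" else f"{name}.{origin}".rstrip(".")

def classify(fqdn, account):
    """Map a Webflow-pointing hostname to the cases discussed in the thread."""
    if fqdn not in account:
        return "dangling"      # no site of yours claims it: delete the CNAME
    if not account[fqdn]:
        return "unpublished"   # connected, but serves the Webflow 404
    return "ok"

def audit(zone_text, account):
    return {fqdn: classify(fqdn, account) for fqdn in webflow_cnames(zone_text)}

if __name__ == "__main__":
    print(audit(ZONE, ACCOUNT))
```

Records reported as `dangling` are the ones to remove from DNS; `unpublished` ones match the false-positive case described above and are worth cleaning up as well.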
