EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.


Subdomain Takeover through Webflow

Avileox opened this issue · comments

commented

Service name
webflow

Website
https://webflow.com/

Report
https://hackerone.com/reports/399165

Subdomain takeover through Webflow is possible, but to create a PoC you need a paid account, because Webflow requires a paid account for creating subdomains and using web hosting through Webflow.

This is not vulnerable. I just tried it on an endpoint that was hosted on Webflow and had 404 on both HTTP and HTTPS.

commented

Thank you for the update. Can you please show the initial screenshot of the "404" page?

commented

I can confirm that it is not vulnerable anymore,
Thanks for keeping us updated.

Webflow sites are still vulnerable to takeover so you may want to change this

Just had a report triaged to confirm.

regards

commented

Can you please share the steps to take over a subdomain through Webflow?

-Create webflow account and upgrade to basic paid option
-Create blank site
-Go to project settings > hosting
-Scroll down to custom domains section and add vulnerable domain

-Signature of takeover is webflow 404 same as OP.


Takeover is not possible when the owner has parked the custom domain but not published the site. This scenario would still produce a Webflow 404 and can therefore be marked as an edge case.

Regards

commented

Thank you for the update.

Interesting. I had a "404 Not Found" response on a webflow website but I was still not able to complete the takeover.

I would receive the following error: "That domain is already connected to a Webflow site."

Mind sharing more information without disclosing the target? @PjMpire

@0xc0ffeee If the custom domain is registered but the site is not published you will see webflow 404 page but be unable to register the domain. In this scenario you will get a false positive hence my advice to update this to edge case.


Hey everyone, is Webflow subdomain takeover still possible? Thanks.
@PjMpire @Avileox

Hi everyone,

I just managed to take over several subdomains on the same target (H1 private program) and I have a theory explaining some false positives.

I observed a webflow 404 on several subdomains of my target:

  • aaa.victim.com
  • bbb.victim.com
  • ccc.victim.com

Webflow let me add these subdomains to my dummy website, but unfortunately, when I visited them, I still got the Webflow 404.

I thought it was false positive.

Several days later, I remembered that Webflow allows you to mark one of your custom domains as "default":

[Screenshot: Set a default domain]

So if the subdomains I discovered are linked to another "default" one, I will only be able to take them all over if I find the "default" subdomain.

I have been on this target for a few months, so I managed to quickly find a past Webflow subdomain, zzz.victim.com (now unreachable but still in the victim.com Webflow account). So I added this subdomain to my own Webflow account and the magic happened.

So try to see if your target has several subdomains (even old ones that are no longer online) linked to Webflow.

@szd,

Thanks for your detailed explanation.

I just confirmed here, I managed to claim domains in a pentest.

commented

I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com to proxy-ssl.webflow.com. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.

Apparently, this is a pay2win Subdomain Takeover :p

Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected to any other Webflow account.

Recently I was able to claim 4 subdomains pointing to the Webflow service, among which three subdomains gave the following error:
[Screenshot: Before (404 status)]
If you come across a subdomain page that looks like the one above, then it's vulnerable.

Also note that some vulnerable Webflow-hosted subdomains may result in the error SSL_PROTOCOL_ERROR when you visit them; I was able to claim this one too in my Webflow account.

Keep in mind: Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected to any other Webflow account.
Domain hosting is in the paid plan of Webflow, $15/month.


Hi dude, if target.dom.com is showing valid content and its CNAME is giving a 404, can it be taken over?

I just took over a sub-domain with webflow. It works but requires a premium plan ! It's a paid sub-domain takeover ;)

same here still vulnerable if you have a premium account

Yes, Webflow is vulnerable. I did takeover one subdomain using it and published a write-up on this vulnerability

commented

I recently reported a takeover on a program at Intigriti using Webflow, but you have to buy a premium plan in order to achieve this.

commented

Hey guys @PjMpire @saurabhss06 @bunny0417
I have a website where the same error is coming up, not on any subdomain but on the domain itself.

Let's say this page on the domain:
https://abc.com/careers/junior-software-engineers
https://usabilityhub.com/assets/app_libraries-5eab97030d19c3cfa7406ed6d0067a.js

The same error comes up and I have cross-checked that it is the Webflow one,
so any idea if further exploitation is possible in any way?

I don't think it's vulnerable or takeoverable. It's a custom page.

Any updates on this takeover ???

Is this still possible ???

I'm experiencing enforced requirement for mandatory TXT verification !!

Webflow requires a TXT verification.

Hey guys @PjMpire @saurabhss06 @bunny0417, do you have any idea whether it is possible to take this over anymore? If anyone can confirm, it'll be very helpful to the community.

Thanks in advance.


Is it still vulnerable?

Hey guys,
Is it still vulnerable?

You can claim a subdomain but it needs TXT verification, which means you cannot publish a site, so it is useless (takeover not possible), unless someone finds a "bypass" in the future.

Hi, any update on this?
Did you find any bypass for this?

Hi guys, is this still an edge case or is it not vulnerable anymore? Can anyone confirm?

???

I just tried doing the takeover and I can confirm it is not vulnerable anymore.

All the options it gives to add a custom domain ask for TXT verification, thus NOT VULNERABLE.

Hi,

It's not vulnerable. I just tried; it will ask for TXT verification.

following

Hey buddy, please help me. It's my first time checking a takeover. Could I get Webflow credentials just to check whether a custom domain can be added or not? Can anybody help me?

+1

I am also in search of credentials for testing :|

@KAFILTAFISH21 @usmanzahid123999 Webflow subdomain takeover is not possible anymore, read the above comments!
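
A defender-side check for the situation discussed in this thread, as an added example that is not part of the issue or the project: it parses a DNS zone, follows CNAME chains to `proxy-ssl.webflow.com` (the target quoted above), and diffs the result against the custom domains configured in the owner's Webflow account. The zone text, the `example.com` names and the account list are constructed sample data, and the function names are hypothetical.

```python
import re

WEBFLOW_TARGET = "proxy-ssl.webflow.com"  # CNAME target quoted in the thread

# Constructed sample zone (BIND-style), not real data.
ZONE = """\
$ORIGIN example.com.
www    300 IN CNAME proxy-ssl.webflow.com.
blog   300 IN CNAME www               ; relative name, chains via www
promo  300 IN CNAME proxy-ssl.webflow.com.
old    300 IN CNAME promo.example.com.
shop   300 IN CNAME shops.example.net.
api    300 IN A     192.0.2.10
"""
# Constructed: custom domains listed in the owner's Webflow site settings.
WEBFLOW_ACCOUNT_DOMAINS = {"www.example.com", "blog.example.com", "legacy.example.com"}

def absolute(name, origin):
    # Expand "@" and relative names against $ORIGIN; drop the trailing dot.
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text):
    # Return {owner_fqdn: target_fqdn} for every CNAME record in the zone.
    origin, cnames = "", {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", line, re.I)
        if m:
            cnames[absolute(m.group(1), origin)] = absolute(m.group(2), origin)
    return cnames

def resolve(name, cnames):
    # Follow CNAMEs inside the zone; stop on a loop or when leaving the zone.
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name

def audit(zone_text, account_domains):
    cnames = parse_cnames(zone_text)
    at_webflow = {n for n in cnames if resolve(n, cnames) == WEBFLOW_TARGET}
    # DNS still points at Webflow but no site of ours claims the name,
    # and names still attached to our account that DNS no longer serves.
    return {"dns_without_account_entry": sorted(at_webflow - account_domains),
            "account_entry_without_dns": sorted(account_domains - at_webflow)}
```

Names in `dns_without_account_entry` are the dangling records to remove or re-attach; names in `account_entry_without_dns` correspond to the old, no-longer-online subdomains mentioned in the "default domain" comment and are worth pruning from the account.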