Subdomain Takeover through Webflow
Avileox opened this issue · 40 comments
Service name
webflow
Website
https://webflow.com/
Report
https://hackerone.com/reports/399165
Subdomain takeover through Webflow is possible, but for creating a PoC you need a paid account, because Webflow needs a paid account for creating subdomains and using web hosting through Webflow.
Thank you for the update. Can you please show the initial screenshot of the "404" page?
I can confirm that it is not vulnerable anymore.
Thanks for keeping us updated.
Webflow sites are still vulnerable to takeover, so you may want to change this.
Just had a report triaged to confirm.
regards
Can you please share the steps to take over a subdomain through Webflow?
- Create a Webflow account and upgrade to the basic paid option
- Create a blank site
- Go to project settings > hosting
- Scroll down to the custom domains section and add the vulnerable domain
- Signature of takeover is the Webflow 404, same as OP.
Takeover is not possible when the owner has parked the custom domain but not published the site. This scenario would still produce a Webflow 404 and can therefore be marked as an edge case.
Regards
Thank you for the update.
Interesting. I had a "404 Not Found" response on a webflow website but I was still not able to complete the takeover.
I would receive the following error: "That domain is already connected to a Webflow site."
Mind sharing more information without disclosing the target? @PjMpire
@0xc0ffeee If the custom domain is registered but the site is not published, you will see the Webflow 404 page but be unable to register the domain. In this scenario you will get a false positive, hence my advice to update this to edge case.
https://university.webflow.com/lesson/connect-a-custom-domain Everybody can see this video.
Hi everyone,
Just managed to take over several subdomains on the same target (H1 private program) and I have a theory explaining some false positives.
I observed a webflow 404 on several subdomains of my target:
- aaa.victim.com
- bbb.victim.com
- ccc.victim.com
Webflow let me add these subdomains to my dummy website but unfortunately, when I visited them, I still got the Webflow 404.
I thought it was a false positive.
Several days later, I remembered that Webflow allows you to mark one of your custom domains as "default":
So if the subdomains I discovered are linked to another "default" one, I will only be able to take over all of them if I find the "default" subdomain.
I've been on this target for a few months, so I managed to quickly find a past Webflow subdomain, zzz.victim.com (now unreachable but still in the victim.com Webflow account). So I added this subdomain to my own Webflow account and the magic happened.
So try to see if your target has several subdomains (even old ones that are no longer online) linked to Webflow.
I just confirmed here, I managed to claim domains in a pentest.
I was able to claim a dangling Webflow subdomain just now; CNAME pointed from sub.victim.com to proxy-ssl.webflow.com. I've added the subdomain to my existing paid Webflow account, set it to Default and published content. Navigating to sub.victim.com confirms that my content is placed on the subdomain. It does not work if you set up a new project with Starter functionality; it will tell you that the domain is already in use.
Apparently, this is a pay2win Subdomain Takeover :p
Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected with any other Webflow account.
Recently I was able to claim 4 subdomains pointing to the Webflow service, among which three subdomains gave the following error:
If you come across a subdomain page that looks like the above, then it's vulnerable.
Also note that some Webflow-hosted vulnerable subdomains may result in the error SSL_PROTOCOL_ERROR when you visit them; I was able to claim this one too in my Webflow account.
Keep in mind: Webflow subdomains are vulnerable to takeover only if the particular subdomain is not connected with any other Webflow account.
Hosting a domain is in the paid plan of Webflow, $15/month.
Hi dude, if target.dom.com is showing valid content and its CNAME is giving a 404, can it be taken over?
I just took over a subdomain with Webflow. It works but requires a premium plan! It's a paid subdomain takeover ;)
Same here, still vulnerable if you have a premium account.
Yes, Webflow is vulnerable. I did take over one subdomain using it and published a write-up on this vulnerability.
I recently reported a takeover on a program at Intigriti using Webflow, but you have to buy a premium plan in order to achieve this.
Hey guys @PjMpire @saurabhss06 @bunny0417
I have a website where the same error is coming up, not on any subdomain but on the domain itself.
Let's say this page on the domain:
https://abc.com/careers/junior-software-engineers
https://usabilityhub.com/assets/app_libraries-5eab97030d19c3cfa7406ed6d0067a.js
The same error comes up and I have cross-checked that it is from Webflow only,
so any idea if further exploitation is possible in any way?
I don't think it's vulnerable or takeoverable; it's a custom page.
Any updates on this takeover?
Is this still possible?
I'm experiencing an enforced requirement for mandatory TXT verification!
Hey guys @PjMpire @saurabhss06 @bunny0417, do you have any idea whether it is possible to take this over anymore? If anyone can confirm, it'll be very helpful to the community.
Thanks in advance.
Is it still vulnerable?
Hi, any update on this?
Did you find any bypass for this?
Hi guys, is this still an edge case or is it not vulnerable anymore? Can anyone confirm?
???
I just tried doing a takeover and I can confirm it is not vulnerable anymore.
All the options it gives to add a custom domain ask for TXT verification, thus NOT VULNERABLE.
Hi,
It's not vulnerable. I just tried; it will ask for TXT verification.
following
Hey buddy, please help me, it's my first time checking a takeover. Could I get Webflow credentials just to check whether a custom domain can be added or not? Can anybody help me?
+1
I am also in search for credentials for testing :|
@KAFILTAFISH21 @usmanzahid123999 Webflow subdomain takeover is not possible anymore, read the above comments!
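
For domain owners, the signals discussed in this thread (a CNAME to proxy-ssl.webflow.com that answers with a Webflow 404 or a TLS error) translate into a simple audit of your own zone. The following Python is an added example, not part of the original thread; the zone text, the example.com names and the probe results are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit your own zone for CNAMEs that still point at Webflow.
WEBFLOW_TARGET = "proxy-ssl.webflow.com"  # CNAME target quoted in the thread

# Constructed zone export; the example.com names are placeholders.
ZONE = """\
$ORIGIN example.com.
www      3600 IN CNAME proxy-ssl.webflow.com.
careers  3600 IN CNAME proxy-ssl.webflow.com.   ; campaign ended
old      300  IN CNAME PROXY-SSL.webflow.com.
blog     3600 IN CNAME ghs.example.net.
api      3600 IN A     192.0.2.10
"""
# Constructed probe results per host: an HTTP status code or "tls_error".
OBSERVED = {"www.example.com": 200, "careers.example.com": 404,
            "old.example.com": "tls_error"}

def webflow_cnames(zone_text):
    """Return fully qualified owner names whose CNAME target is Webflow."""
    origin, hosts = "", []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:  # need an owner before and a target after
            continue
        target = fields[types.index("CNAME", 1) + 1].rstrip(".").lower()
        if target != WEBFLOW_TARGET:
            continue
        owner = fields[0].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        hosts.append(owner.rstrip("."))
    return hosts

def classify(observation):
    # A Webflow 404 alone is not conclusive: the thread notes that a domain
    # connected to a site but not published returns it too, so flag for review.
    if observation is None:
        return "unprobed"
    if observation == 404 or observation == "tls_error":
        return "review"
    return "serving"

def audit(zone_text, observed):
    return {h: classify(observed.get(h)) for h in webflow_cnames(zone_text)}
```

Hosts marked `review` should be checked in the owning Webflow project (still connected and published?) or have their CNAME removed from the zone.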