Subdomain Takeover using Webflow Service

Saurabh siddharam sanmane
4 min read · May 25, 2023

Hello Hackers! 👋

It’s been a while since my last write-up, but I finally decided to shake off my laziness and share one of my recent findings with you all. This little adventure cost me around $18, and unfortunately, it didn’t yield any results. Nevertheless, let’s dive right in and learn something new together! 💪

If you’re new to bug bounty programs or need a refresher on subdomain takeover, check out the write-up by my friend Aishwarya Kendle for a solid introduction. It’s a great starting point! 😉

How We Hijacked 26+ Subdomains

My friend @Aishwarya Kendle covered all the basic concepts of subdomain takeover and many more…

Now, fellow hackers, let's dig in without wasting any more time.

While searching for bug bounty programs with Google dorks, I found one. I can't disclose its name, so for now consider it takeover.cz.

Step 1: Using the power of Dorks, I stumbled upon an interesting program. For now, let’s call it takeover.cz (I can’t disclose the actual name). To enumerate its subdomains, I fired up assetfinder. If you’re on Windows, you can use virustotal.com for this purpose. 🕵️‍♀️🔍

Step 2: Armed with a list of subdomains, I manually visited each one. Some hackers rely solely on automated scripts to check for vulnerabilities, but I prefer a hands-on approach. Scripts may miss certain things, and I don’t want to overlook any opportunities. So, I recommend using a combination of both methods. 🖥️🔎

Step 3: Among the subdomains, I discovered blog.takeover.cz, which looked promising. Take a look at this screenshot. If the webpage matches, let’s proceed to the next step. Otherwise, move on to the next subdomain. 📷🔍

Now, there’s a common misconception that Webflow-hosted sites are immune to takeovers. But guess what? It’s just a misconception! Let’s prove it. 😉

Step 4: I checked the CNAME record of blog.takeover.cz. In Linux, simply open the terminal and type “dig blog.takeover.cz” to reveal the CNAME, which should be proxy-ssl.webflow.com. Windows users can utilize the Google toolkit to accomplish the same. 🖥️🔍
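The CNAME check in Step 4 is also the one a domain owner should run over their own zone on a schedule, since a record left pointing at proxy-ssl.webflow.com after the Webflow site is deleted is exactly the condition this write-up exploits. The script below is an added example, not part of the original post: it parses the answer lines that `dig +noall +answer <name> CNAME` prints (the sample output is constructed, and the takeover.cz names are the placeholders used in the post), follows CNAME chains inside the zone, and reports every name that ultimately lands on the Webflow proxy host. Each hit should be reconciled against the custom domains actually claimed in your Webflow workspace; anything unclaimed is a dangling record that should be removed.

```python
"""Audit dig output for CNAMEs that end on a third-party host (Webflow here).

Added example, not code from the original post. Input is dig answer-section
text; the sample below is constructed and uses the post's placeholder domain.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Service hosts to watch. The post names only Webflow's proxy host; add the
# hosts of other providers your zone points at.
WATCHED_CNAME_TARGETS = {"proxy-ssl.webflow.com.": "webflow"}

# dig answer line:  <name>  <ttl>  IN  <type>  <rdata>
# Single-token rdata only: CNAME/A/AAAA match, multi-token types (MX, TXT) are skipped.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)\s*$")


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_dig_answers(text: str) -> List[Record]:
    """Parse answer lines as printed by dig; comment (';') and blank lines are ignored."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        if rtype == "CNAME":
            rdata = normalize(rdata)  # targets compare case-insensitively
        records.append(Record(normalize(name), int(ttl), rtype, rdata))
    return records


def resolve_cname_chain(name: str, cname_map: Dict[str, str], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs within cname_map until a name with no CNAME is reached.

    Returns the final target, or None if `name` has no CNAME, the chain loops,
    or it exceeds max_hops.
    """
    current = normalize(name)
    if current not in cname_map:
        return None
    seen = set()
    for _ in range(max_hops):
        if current in seen:
            return None  # CNAME loop
        seen.add(current)
        nxt = cname_map.get(current)
        if nxt is None:
            return current
        current = nxt
    return None  # chain too long


def find_third_party_cnames(records: List[Record]) -> Dict[str, str]:
    """Map each name whose CNAME chain ends on a watched host to the service name."""
    cname_map = {r.name: r.rdata for r in records if r.rtype == "CNAME"}
    findings: Dict[str, str] = {}
    for name in cname_map:
        target = resolve_cname_chain(name, cname_map)
        if target in WATCHED_CNAME_TARGETS:
            findings[name] = WATCHED_CNAME_TARGETS[target]
    return findings


# Constructed sample: what concatenated `dig +noall +answer` runs might look like.
SAMPLE_DIG_OUTPUT = """\
;; constructed sample, not real DNS data
blog.takeover.cz.      300   IN  CNAME  proxy-ssl.webflow.com.
www.takeover.cz.       300   IN  A      203.0.113.10
shop.takeover.cz.      300   IN  CNAME  cdn.takeover.cz.
cdn.takeover.cz.       300   IN  CNAME  Proxy-SSL.Webflow.com.
mail.takeover.cz.      3600  IN  CNAME  mail.example-provider.net.
"""

if __name__ == "__main__":
    for host, service in sorted(find_third_party_cnames(parse_dig_answers(SAMPLE_DIG_OUTPUT)).items()):
        print(f"{host} -> {service}: confirm this domain is claimed in your {service} account")
```

On the constructed sample the report lists blog, shop and cdn under takeover.cz (shop reaches Webflow through the internal cdn alias), while mail is left out because its target is not a watched host. Run it against real output by feeding `dig +noall +answer` results for every name in your zone export into `parse_dig_answers`.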

Step 5: Here comes the fun part! To proceed with the takeover using Webflow, you need to sign up for their Basic plan, which costs $18 per month. So, grab your credit card and get ready. There’s no other way around it. 💳💻

Step 6: Once signed up, you’ll be greeted with a beautiful dashboard that looks something like this:

If it doesn’t match, no worries! Just create a new workspace, and you’re good to go. 🎨✨

Step 7: Click on “New Site” and choose your desired template from the wide selection available. Let your creativity flow! 🎨💡

Step 8: Design your webpage using the intuitive tools provided by Webflow. Once you’re satisfied with your masterpiece, click on “Publish” and then “Add Custom Domain.” 🖌️🚀

Step 9: You’ll be redirected to the workspace settings page. Head over to the “Publishing” section and click on “Add Domain.” ✨📡

Step 10: Here’s the final touch! Add “blog.takeover.cz” as the custom domain. Now, navigate back to the designer page, click on “Publish,” uncheck the “.io” site of Webflow, and publish your site on the added domain.

Once the publication is complete, go ahead and refresh your subdomain. 🔄💥

Suggestions are most welcome as always. I will try to keep posting my findings. If you got anything from it, you can press the clap icon below, and don’t forget to follow me on LinkedIn & Twitter as well.
See you all next time. :)
