This post is the write-up about subdomain takeover vulnerable service Worksites that I found back in April 2020. Although this is a paid service, It's possible to create a PoC without having to purchase the service.
Worksites.net
Worksites.net is a web service for building websites for contractors and growing businesses, which support custom domains feature.
Service Detection
A record should be pointing to static IP address 69.164.223.206
worksites.melbadry9.xyz. 60 IN A 69.164.223.206
I use the following Nuclei template to check for possible candidates.
YAML
id: detect-worksites
info:
name: worksites.net service detection
author: melbadry9
severity: info
tags: dns
dns:
-name:"{{FQDN}}"
type: A
class: inet
recursion:true
retries:2
matchers:
-type: word
words:
-"69.164.223.206"
Takeover Detection
We should see a similar error page to verify whether the subdomain takeover may be possible.
Vulnerable Subdomain Error Page
Fingerprint
To detect a vulnerable subdomain, we use the following fingerprint based on the HTTP response; we confirm whether the subdomain is vulnerable or not.
{
"status_code":404,
"text":[
"Company Not Found",
"Hello! Sorry, but the website you’re looking for doesn’t exist."
]
}
I use the following Nuclei template to check for the vulnerable subdomain.
YAML
id: worksites-takeover
info:
name: worksites.net subdomain takeover
author: melbadry9
severity: high
tags: takeover
requests:
-method: GET
path:
-"{{BaseURL}}/"
matchers-condition: and
matchers:
-type: word
words:
-"Company Not Found"
-"Hello! Sorry, but the website you’re looking for doesn’t exist."