Dangling DNS: Worksites.net
This post is the write-up about subdomain takeover vulnerable service Worksites that I found back in April 2020. Although this is a paid service, It's possible to create a PoC without having to purchase the service.
Worksites.net is a web service for building websites for contractors and growing business, which support custom domains feature.
A record should be pointing to static IP address 69.164.223.206
worksites.melbadry9.xyz. 60 IN A 69.164.223.206
I use the following Nuclei template to check for possible candidates.
id: detect-worksitesinfo:name: worksites.net service detectionauthor: melbadry9severity: infotags: dnsdns:- name: "{{FQDN}}"type: Aclass: inetrecursion: trueretries: 2matchers:- type: wordwords:- "69.164.223.206"
To verify whether subdomain takeover may be possible we should see a similar error page.
To detect vulnerable subdomain we use the following fingerprint based on HTTP response we confirm whether subdomain is vulnerable or not.
{"status_code": 404,"text": ["Company Not Found","Hello! Sorry, but the website you’re looking for doesn’t exist."]}
I use the following Nuclei template to check for vulnerable subdomain.
id: worksites-takeoverinfo:name: worksites.net subdomain takeoverauthor: melbadry9severity: hightags: takeoverrequests:- method: GETpath:- "{{BaseURL}}/"matchers-condition: andmatchers:- type: wordwords:- "Company Not Found"- "Hello! Sorry, but the website you’re looking for doesn’t exist."condition: and- type: statusstatus:- 404
Register an account on Worksites.net
Go to
https://app.worksites.net/website/domain-nameSet
Your domain nameto subdomain we want to takeoverworksites.melbadry9.xyz
Visit
worksites.melbadry9.xyzCreate screenshot as PoC, we can publish site for $27.00 per month
I have opened an issue on GitHub regarding this service:
