Dangling DNS: Worksites.net

Another service vulnerable to subdomain takeover
This post is a write-up about Worksites, a service vulnerable to subdomain takeover, which I found back in April 2020. Although this is a paid service, it's possible to create a PoC without having to purchase the service.


Worksites.net is a web service for building websites for contractors and growing businesses, which supports a custom domains feature.

Service Detection

The A record should point to a static IP address:
worksites.melbadry9.xyz. 60 IN A
I use the following Nuclei template to check for possible candidates.
id: detect-worksites

info:
  name: worksites.net service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          # static IP address of the service; the value is blank on this page
          - ""

Takeover Detection

To verify that a subdomain takeover may be possible, we should see an error page similar to this one:
Vulnerable Subdomain Error Page


To confirm whether a subdomain is vulnerable, we use the following fingerprint based on the HTTP response.
{
    "status_code": 404,
    "text": [
        "Company Not Found",
        "Hello! Sorry, but the website you’re looking for doesn’t exist."
    ]
}
I use the following Nuclei template to check for the vulnerable subdomain.
id: worksites-takeover

info:
  name: worksites.net subdomain takeover
  author: melbadry9
  severity: high
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers-condition: and
    matchers:
      # both strings must appear in the response body
      - type: word
        words:
          - "Company Not Found"
          - "Hello! Sorry, but the website you’re looking for doesn’t exist."
        condition: and
      # and the response status must be 404
      - type: status
        status:
          - 404
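
For auditing hostnames in your own DNS inventory, the same fingerprint can be applied outside Nuclei. The following is an added example, not code from the original post; the host names and sample responses are constructed, and the entity-encoded apostrophe in the sample page is an assumption.

```python
import html
import urllib.error
import urllib.request

# Fingerprint from the page: HTTP 404 plus both strings in the body.
FINGERPRINT = {"status_code": 404, "text": [
    "Company Not Found",
    "Hello! Sorry, but the website you’re looking for doesn’t exist."]}

def normalize(text):
    # Decode entities and fold the typographic apostrophe so "you&rsquo;re",
    # "you’re" and "you're" all compare equal (encoding is an assumption).
    return html.unescape(text).replace("\u2019", "'")

def matches_fingerprint(status, body, fp=FINGERPRINT):
    # Mirrors matchers-condition "and": status and every string must match.
    if status != fp["status_code"]:
        return False
    page = normalize(body)
    return all(normalize(needle) in page for needle in fp["text"])

def fetch(host, timeout=10):
    # Return (status, body); urllib raises on 4xx/5xx, so unwrap HTTPError.
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit(hosts, fetcher=fetch):
    # Hosts from your own inventory that still serve the unclaimed-site page.
    flagged = []
    for host in hosts:
        try:
            status, body = fetcher(host)
        except OSError:  # unreachable or unresolvable: nothing to match
            continue
        if matches_fingerprint(status, body):
            flagged.append(host)
    return flagged

# Constructed sample responses (hypothetical hosts) so the block runs offline.
SAMPLE = {
    "unclaimed.example.com": (404, "<h1>Company Not Found</h1><p>Hello! Sorry, "
        "but the website you&rsquo;re looking for doesn&rsquo;t exist.</p>"),
    "claimed.example.com": (200, "<h1>Acme Roofing</h1>"),
    "other404.example.com": (404, "<h1>404 Not Found</h1>"),
}

if __name__ == "__main__":
    print(audit(SAMPLE, fetcher=SAMPLE.__getitem__))
```

A flagged host is a dangling record: remove the DNS entry or reclaim the domain inside the service before leaving it in place.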

Takeover Steps

  • Register an account on Worksites.net
  • Go to https://app.worksites.net/website/domain-name
  • Set Your domain name to the subdomain we want to take over: worksites.melbadry9.xyz
  • Visit worksites.melbadry9.xyz
  • Create a screenshot as PoC. We can publish the site for $27.00 per month.
Takeover by melbadry9 PoC

Can I takeover XYZ? - Issue

I opened an issue on GitHub regarding this service: