
Dangling DNS: Worksites.net

Another service vulnerable to subdomain takeover

This post is a write-up of Worksites, a service vulnerable to subdomain takeover that I found back in April 2020. Although this is a paid service, it's possible to create a PoC without having to purchase the service.

Worksites.net

Worksites.net is a web service for building websites for contractors and growing businesses, which supports a custom domains feature.

Service Detection

The subdomain's A record should point to the static IP address 69.164.223.206:

worksites.melbadry9.xyz. 60     IN      A       69.164.223.206

I use the following Nuclei template to check for possible candidates.

id: detect-worksites

info:
  name: worksites.net service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          - "69.164.223.206"

Takeover Detection

To verify whether a subdomain takeover may be possible, we should see an error page similar to the following.

Vulnerable Subdomain Error Page

Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint, based on the HTTP response, to confirm whether the subdomain is vulnerable or not.

{
    "status_code": 404,
    "text": [
        "Company Not Found",
        "Hello! Sorry, but the website you’re looking for doesn’t exist."
    ]
}

I use the following Nuclei template to check for the vulnerable subdomain.

id: worksites-takeover

info:
  name: worksites.net subdomain takeover
  author: melbadry9
  severity: high
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Company Not Found"
          - "Hello! Sorry, but the website you’re looking for doesn’t exist."
        condition: and
      - type: status
        status:
          - 404
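
The two checks above combined into one offline audit of your own zone data, as an added example that is not part of the original post: it keeps the records that point at the Worksites IP, then applies the fingerprint to responses captured for them. The example.com hostnames, sample responses, function names and the apostrophe normalization are assumptions made for illustration.

```python
WORKSITES_IP = "69.164.223.206"  # static service IP given on the page
FP_STATUS = 404                  # fingerprint from the page
FP_TEXT = ("Company Not Found",
           "Hello! Sorry, but the website you\u2019re looking for doesn\u2019t exist.")

def normalize(text):
    # Assumption added here: treat curly and straight apostrophes as equal.
    return text.replace("\u2019", "'")

def worksites_hosts(zone_text):
    """Names whose A record points at the Worksites IP (dig / zone-file lines)."""
    hosts = []
    for line in zone_text.splitlines():
        fields = line.split()
        # Layout: name [ttl] [class] A address; other record types are skipped.
        if len(fields) >= 3 and fields[-2].upper() == "A" and fields[-1] == WORKSITES_IP:
            hosts.append(fields[0].rstrip(".").lower())
    return hosts

def matches_fingerprint(status, body):
    """True only when the status code and every fingerprint string match."""
    text = normalize(body)
    return status == FP_STATUS and all(normalize(s) in text for s in FP_TEXT)

def audit(zone_text, responses):
    """Label each Worksites-pointing host: dangling, no_match or unchecked."""
    report = {}
    for host in worksites_hosts(zone_text):
        if host not in responses:
            report[host] = "unchecked"  # record exists but no response captured
            continue
        status, body = responses[host]
        report[host] = "dangling" if matches_fingerprint(status, body) else "no_match"
    return report

# Constructed sample data (not from the page): a zone export and captured responses.
SAMPLE_ZONE = """\
shop.example.com.  60  IN A     69.164.223.206
site.example.com.  60  IN A     69.164.223.206
old.example.com.   60  IN A     69.164.223.206
www.example.com.   300 IN A     192.0.2.10
docs.example.com.  300 IN CNAME www.example.com.
"""
SAMPLE_RESPONSES = {
    "shop.example.com": (404, "<h1>Company Not Found</h1><p>Hello! Sorry, but the "
                              "website you're looking for doesn't exist.</p>"),
    "site.example.com": (200, "<title>Example Contracting</title>"),
}
if __name__ == "__main__":
    for host, state in audit(SAMPLE_ZONE, SAMPLE_RESPONSES).items():
        print(f"{host}: {state}")
```

A host reported as dangling should have its A record removed or the domain claimed in the service; unchecked hosts still need a response captured before they can be cleared.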

Takeover Steps

  • Register an account on Worksites.net

  • Go to https://app.worksites.net/website/domain-name

  • Set your domain name to the subdomain we want to take over, worksites.melbadry9.xyz

  • Visit worksites.melbadry9.xyz

  • Create a screenshot as a PoC. We can publish the site for $27.00 per month.

Takeover by melbadry9 PoC

Can I takeover XYZ? - Issue

I opened an issue on GitHub regarding this service:
