id: lemlist-takeover

info:
  name: Lemlist - Subdomain Takeover Detection
  author: kresec
  severity: high
  description: |
    Takeover is possible when the target domain has a CNAME record that points to Lemlist and the account it belongs to has configured the domain only in the tracking column, so an attacker can enter the target domain in the custom page column.
  reference:
    - https://www.lemlist.com/blog/custom-tracking-domain
    - https://kresec.medium.com/10k-site-affected-subdomain-takeover-via-lemlist-146cd0f11883
  metadata:
    max-request: 1
  tags: dns,takeover,lemlist

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    # Both matchers below must succeed for the template to report a finding.
    matchers-condition: and
    matchers:
      # Skip targets addressed by bare IP; a CNAME takeover needs a hostname.
      - type: dsl
        dsl:
          - Host != ip

      # Both strings must appear in the response.
      - type: word
        words:
          - "Custom domain check"
          - "app.lemlist.com"
        condition: and

    # Report the CNAME of the host so the finding can be traced to its DNS record.
    extractors:
      - type: dsl
        dsl:
          - cname
# digest: 4b0a0048304602210087cff5b29fe3d2e7e6d3cf00af41334b7de1a4f9ef76ad9af08f1d6d700b9916022100a51b24c27a3f0a1fc72af5d426dc099546d39eb6f6b217310113c9027b216076:922c64590222798bb761d5b6d8e72950