From 7b5070aa5b03e2cf1aeb369c6549b6b618366e43 Mon Sep 17 00:00:00 2001
From: XCapri <43540712+xcapri@users.noreply.github.com>
Date: Fri, 25 Aug 2023 13:45:40 +0700
Subject: [PATCH] Create lemlist-takeover.yaml subdomain takeover with lemlist
---
dns/lemlist-takeover.yaml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 dns/lemlist-takeover.yaml
diff --git a/dns/lemlist-takeover.yaml b/dns/lemlist-takeover.yaml
new file mode 100644
index 0000000000..525f926d6a
--- /dev/null
+++ b/dns/lemlist-takeover.yaml
@@ -0,0 +1,27 @@
+id: lemlist-takeover
+
+info:
+ name: Subdomain Takeover Lemlist
+ author: kresec
+ severity: high
+ description: The takeover will succeed when the target domain has a cname that points to the lemlist and in their account they only customize the domain in the tracking column so in the custom page column, as an attacker, they can enter the target domain.
+ reference:
+ - https://www.lemlist.com/blog/custom-tracking-domain
+ - https://kresec.medium.com/10k-site-affected-subdomain-takeover-via-lemlist-146cd0f11883
+ tags: dns,takeover,lemlist
+
+http:
+ - method: GET
+ path:
+ - "http://{{Hostname}}"
+
+ matchers:
+ - type: word
+ part: title
+ words:
+ - "Custom domain check"
+
+ - type: word
+ part: body
+ words:
+ - "app.lemlist.com"
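Review bot: The two entries under `matchers:` have no `matchers-condition`, so they are OR-ed by default and any page whose body merely mentions `app.lemlist.com` is reported as a high-severity takeover; add `matchers-condition: and` directly above `matchers:`. The first matcher also uses `part: title`, which as far as I know is not a response part the HTTP protocol exposes, so it probably never matches and the body matcher alone decides the result; `part: body` with the same `"Custom domain check"` word would test the page text instead. The template is an `http:` request filed under `dns/` and tagged `dns`, and it never checks the CNAME that the description names as the precondition. A hit should therefore be documented as a candidate to confirm against DNS, and the file moved to the directory used for HTTP-protocol templates.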