id: lemlist-takeover info: name: Lemlist - Subdomain Takeover Detection author: kresec severity: high description: | The takeover will succeed when the target domain has a cname that points to the lemlist and in their account they only customize the domain in the tracking column so in the custom page column, as an attacker, they can enter the target domain. reference: - https://www.lemlist.com/blog/custom-tracking-domain - https://kresec.medium.com/10k-site-affected-subdomain-takeover-via-lemlist-146cd0f11883 metadata: max-request: 1 tags: dns,takeover,lemlist http: - method: GET path: - "{{BaseURL}}" matchers-condition: and matchers: - type: dsl dsl: - Host != ip - type: word words: - "Custom domain check" - "app.lemlist.com" condition: and # digest: 4b0a0048304602210099908eacc7046289b5a30398972ec745cf09ab068ece8b8538ba44ddb5dd35a7022100d072f3859b82c4cda35df540e8a0fa3f30480d8d0a26634ee55eb5fb2c9d71fe:922c64590222798bb761d5b6d8e72950