Webflow subdomain takeover is false positive

[raytheon0x21]

Webflow subdomain takeover is false positive

Nuclei Version: v3.1.3

Template file

nuclei-templates/http/takeovers/webflow-takeover.yaml

Command line

cat hostname.txt | nuclei -t ../../nuclei-templates/http/takeovers/webflow-takeover.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.3

        projectdiscovery.io

[INF] Current nuclei version: v3.1.3 (latest)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 73
[webflow-takeover] [http] [high] https://sub.example.com
[webflow-takeover] [http] [high] https://sub.example.com

Image result false positive subdomain takeover Webflow (requires a TXT verification).

Please fix thanks !!!

[ritikchaddha]

Hello there, @lazysec0x21. Thank you for raising the issue, however, could you perhaps share the debug data so that we can investigate and determine which matcher is causing the false-positive result?

[raytheon0x21]

Hi team, this data debug webflow template

echo "https://sub.example.com" | nuclei -t nuclei-templates/http/takeovers/webflow-takeover.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.3

        projectdiscovery.io

[INF] Current nuclei version: v3.1.3 (latest)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] [webflow-takeover] Dumped HTTP request for https://sub.example.com

GET / HTTP/1.1
Host: sub.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [webflow-takeover] Dumped HTTP response https://sub.example.com

HTTP/1.1 404 Not Found
Connection: close
Transfer-Encoding: chunked
Accept-Ranges: bytes
Cache-Control: private
Content-Type: text/html
Date: Fri, 29 Dec 2023 10:25:42 GMT
Etag: W/"6580a58e-38c"
Vary: x-wf-forwarded-proto, Accept-Encoding
X-Cache: MISS
X-Cache-Hits: 0
X-Cluster-Name: ap-southeast-2-prod-hosting-red
X-Served-By: cache-syd10160-SYD
X-Timer: S1703845542.960087,VS0,VE932

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <title>404 - Page not found</title>
    <meta content="The page you are looking for doesn&#x27;t exist or has been moved." name="description">
    <meta content="width=device-width, initial-scale=1" name="viewport">

    <link href="https://d3e54v103j8qbb.cloudfront.net/css/webflow-https-errors.webflow.css" rel="stylesheet" type="text/css">

    <link href="https://d3e54v103j8qbb.cloudfront.net/static/designer_favicon.5ea478d03e.png" rel="shortcut icon" type="image/x-icon">
</head>

<body>
<div class="utility-wrapper">
    <div class="utility-container">
        <div class="text-mono">404</div>
        <div class="utility-content">
            <h1>Page not found<br></h1>
            <p>The page you are looking for doesn&#x27;t exist or has been moved.</p>
        </div>
        <div></div>
    </div>
</div>
</body>

</html>
[webflow-takeover:dsl-1] [http] [high] https://sub.example.com
[webflow-takeover:word-2] [http] [high] https://sub.example.com

thanks :)