netlify takeover detection

What is the "netlify takeover detection?"

The "netlify takeover detection" module is designed to detect potential takeover vulnerabilities in websites hosted on the Netlify platform. Takeover vulnerabilities occur when an attacker gains control over a subdomain or domain that is no longer in use or misconfigured. This module focuses on identifying instances where the website returns a "Not Found - Request ID:" message in the response body and includes the "Netlify" header in the response. The severity of this vulnerability is classified as high.

This module was authored by 0xPrial and pdteam.

Impact

A successful takeover of a Netlify-hosted website can allow an attacker to gain unauthorized access and potentially manipulate the content or redirect traffic to malicious sites. This can lead to reputational damage, loss of sensitive data, and potential harm to users who interact with the compromised website.

How does the module work?

The "netlify takeover detection" module works by sending HTTP requests to the target website and analyzing the responses based on specific matching conditions. The module checks for the presence of the "Netlify" header in the response, indicating that the website is hosted on the Netlify platform. It also looks for the "Not Found - Request ID:" message in the response body, which suggests a potential misconfiguration or inactive subdomain.

Here is an example of an HTTP request that the module may send:

GET / HTTP/1.1
Host: example.com

The module uses a combination of matching conditions, including the presence of the "Netlify" header and the specific response message, to determine if a potential takeover vulnerability exists. If a match is found, the module will report the vulnerability for further investigation and remediation.