id: wordpress-takeover

info:
  name: WordPress takeover detection
  author: pdteam,geeknik
  severity: high
  description: Bigcartel takeover was detected.
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz/pull/176
    - https://hackerone.com/reports/274336
  metadata:
    max-request: 1
  tags: takeover,wordpress,hackerone,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - Host != ip

      - type: word
        words:
          - "Do you want to register"
          - ".wordpress.com</em> doesn&#8217;t&nbsp;exist"
        condition: and

      - type: word
        words:
          - "cannot be registered"
        negative: true

    extractors:
      - type: dsl
        dsl:
          - cname
# digest: 4b0a00483046022100e220a42f9ff9b7cd3dafc63a868b2ad63a37bb72cd634317c3ed5bb8af7d08b9022100fe2379f5a580dbfc131648eb2dfe8dd5f5052a331d6bd31471661ae887912eed:922c64590222798bb761d5b6d8e72950