Squarespace Subdomain Takeover

TL;DR While enumerating *.target.net I discovered an unclaimed Squarespace-hosted subdomain. The subdomain returned a Squarespace-branded 404 indicating the domain had not been claimed by the tenant. I verified behavior against public resources and existing reports, attempted to claim/verify, and documented steps and lessons for responsible disclosure. Although it was closed as N/A, I thought it was worth writing about.

Background

Subdomain takeover happens when a DNS entry points to a third-party service (Squarespace, GitHub Pages, Heroku, etc.) but the corresponding resource (site) is not claimed on that service. An attacker who claims the resource may host content on that subdomain, which can lead to phishing, malware hosting, or disclosure of sensitive paths.

My target scope: *.target.net

Initial discovery & reconnaissance

I enumerated subdomains and probed them using subfinder and httpx:

# Find subdomains, then probe them with httpx
subfinder -d target.net | httpx -td -sc -title -location

One result stood out:

https://6hgtf6xacpkrbp4w5tda.brandportal.target.net [404] [] [Squarespace - Domain Not Claimed] [Squarespace,Squarespace Commerce]

The title and 404 page suggested the host resolves to Squarespace but the domain had not been claimed by a Squarespace customer, a classic indicator of a possible subdomain takeover.

Verification of vulnerability

I performed quick verification steps:

  1. Confirmed the host returned a Squarespace-branded page with wording like "Domain Not Claimed" or similar; this frequently means the DNS points at Squarespace but the account owner hasn't claimed the domain in their Squarespace settings.

  2. Checked public resources for known takeover fingerprints (e.g., can-i-take-over-xyz repo and documented takeover patterns).

  3. Searched for prior similar reports. I found a HackerOne report with a similar case (an unclaimed Imgur-hosted subdomain claimed via Squarespace account setup). It documented the same mechanics: create a Squarespace account and add the unclaimed subdomain under Settings → Domains → Use Domain I Own → (enter subdomain). Example report: https://hackerone.com/reports/1527405
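As an added example (not code from the original write-up), the filter below parses httpx lines in the layout shown above and flags hosts whose page title carries the Squarespace "Domain Not Claimed" fingerprint, so a defender reviewing recon output can triage dangling DNS records. The sample lines and the fingerprint table are constructed; only the Squarespace wording is taken from the write-up.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed httpx output in the "url [status] [location] [title] [tech]" layout of
# `httpx -td -sc -title -location`. Line 1 mirrors the write-up; the rest is made up.
SAMPLE_HTTPX_OUTPUT = """\
https://6hgtf6xacpkrbp4w5tda.brandportal.target.net [404] [] [Squarespace - Domain Not Claimed] [Squarespace,Squarespace Commerce]
https://www.target.net [200] [] [Target Home] [Nginx]
https://shop.target.net [200] [] [Shop] [Squarespace,Squarespace Commerce]
https://old.target.net [404] [] [Not Found] []
"""

# Provider -> page-title fingerprint of an unclaimed host. Only the Squarespace
# wording comes from the write-up; add other providers only after confirming them.
UNCLAIMED_FINGERPRINTS = {"squarespace": re.compile(r"Domain Not Claimed", re.I)}

HTTPX_LINE = re.compile(
    r"^(?P<url>\S+)\s+\[(?P<status>\d{3})\]\s+\[(?P<location>[^\]]*)\]"
    r"\s+\[(?P<title>[^\]]*)\]\s+\[(?P<tech>[^\]]*)\]\s*$"
)

def parse_httpx_line(line: str) -> Optional[dict]:
    """Split one httpx line into fields; None for lines in another layout."""
    m = HTTPX_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["tech"] = [t for t in fields["tech"].split(",") if t]
    return fields

def find_unclaimed_hosts(httpx_output: str) -> List[dict]:
    """Return the parsed fields, plus "host" and "provider", of each flagged line."""
    found = []
    for line in httpx_output.splitlines():
        f = parse_httpx_line(line)
        if f is None:
            continue
        for provider, pattern in UNCLAIMED_FINGERPRINTS.items():
            if pattern.search(f["title"]):
                f["host"] = urlparse(f["url"]).hostname or f["url"]
                f["provider"] = provider
                found.append(f)
                break
    return found
```

A Squarespace host answering 200 with a normal title (like shop.target.net in the sample) is already claimed and is not flagged; only the "not claimed" title is treated as a lead.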

Lessons learned

  • Automated recon + probe pipelines (subfinder → httpx) are fast and reveal service fingerprints that point to takeover risk.

  • Even if a public resource (e.g., can-i-take-over-xyz) doesn't list a provider as vulnerable today, manual verification is important because behavior varies by service and account state.

  • Public writeups (HackerOne, GitHub repos) are useful references, but always confirm current behavior before acting.
