zendesk-takeover: Zendesk Takeover Detection

id: zendesk-takeover

info:
  name: Zendesk Takeover Detection
  author: pdteam
  severity: high
  description: Zendesk takeover was detected.
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz/issues/23
    - https://hackerone.com/reports/869605
    - https://hackerone.com/reports/759454
  metadata:
    max-request: 1
  tags: takeover,zendesk,hackerone,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - Host != ip

      - type: word
        words:
          - "this help centre no longer exists"
          - "Help Centre Closed"
        case-insensitive: true
        condition: or

    extractors:
      - type: dsl
        dsl:
          - cname
# digest: 4a0a00473045022100b0abf024d887fcf45f6260b6b61e362d757306d90acebf1e9e8e347bdb45f8990220265b82d8c7757ee930ced3f2259d17d017245f9617a3eefbcaea622ba69117f1:922c64590222798bb761d5b6d8e72950