Subdomain Takeover

Subdomain Takeover occurs when a subdomain points to a third-party service that has been removed or unclaimed. Attackers can register the service and serve malicious content on the victim's subdomain, potentially stealing cookies, conducting phishing, or bypassing security controls.

How It Works

Organizations often create DNS records pointing subdomains to cloud services (S3, Heroku, GitHub Pages, Azure). When the service is deleted but the DNS record remains, attackers can claim the same service endpoint and control the subdomain.

Vulnerable Configuration

# DNS record exists
blog.company.com CNAME company-blog.herokuapp.com

# But Heroku app was deleted
# Attacker creates new Heroku app: company-blog.herokuapp.com
# Now controls blog.company.com!

Commonly Vulnerable Services

  • AWS S3: Bucket deleted but CNAME remains
  • Heroku: App deleted, subdomain claimable
  • GitHub Pages: Repo deleted or CNAME unconfigured
  • Azure: CloudApp, Blob Storage, Web Apps
  • Shopify: Store removed but DNS points to Shopify
  • Fastly/CloudFront: Distribution deleted
  • Zendesk/Freshdesk: Support portal deprovisioned

Detection Signatures

# AWS S3
NoSuchBucket: The specified bucket does not exist

# Heroku
No such app

# GitHub Pages
There isn't a GitHub Pages site here

# Azure
NXDOMAIN or "App not found"

# Shopify
Sorry, this shop is currently unavailable

Attack Impact

  • Cookie theft: Serve malicious JavaScript, steal session cookies (if cookies are scoped to the parent domain, so the subdomain receives them)
  • Phishing: Legitimate-looking subdomain for credential harvesting
  • CSP bypass: If subdomain is allowlisted in Content-Security-Policy
  • OAuth bypass: If subdomain is authorized redirect URI
  • Email spoofing: May affect SPF/DKIM if the subdomain is used for email
  • Reputation damage: Malware/adult content on company subdomain

Detection Methods

# Check for dangling CNAME
dig subdomain.target.com CNAME

# Enumerate subdomains
subfinder -d target.com
amass enum -d target.com

# Check for takeover fingerprints
nuclei -t takeovers -u subdomain.target.com
subjack -w subdomains.txt -t 100 -timeout 30
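The fingerprint and NXDOMAIN checks above, combined into one audit routine as an added example (not code from the original page or from any of the tools listed): it takes already-collected DNS and HTTP evidence per subdomain and flags dangling CNAMEs using the strings from the Detection Signatures section. The provider hostname suffixes and the sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
# Fingerprints from the Detection Signatures section; CNAME-target suffixes are assumed provider hostnames
FINGERPRINTS = {
    "AWS S3": ((".s3.amazonaws.com",), ("NoSuchBucket",)),
    "Heroku": ((".herokuapp.com",), ("No such app",)),
    "GitHub Pages": ((".github.io",), ("There isn't a GitHub Pages site here",)),
    "Azure": ((".azurewebsites.net", ".cloudapp.net"), ("App not found",)),
    "Shopify": ((".myshopify.com",), ("Sorry, this shop is currently unavailable",)),
}

@dataclass
class Observation:
    name: str                 # the subdomain being audited
    cname: Optional[str]      # CNAME target, None when the record is A/AAAA
    target_resolves: bool     # False when the CNAME target returns NXDOMAIN
    body: str = ""            # HTTP response body served via the subdomain

def provider_for(cname: str):
    """Map a CNAME target to (provider, fingerprints), or None if unknown."""
    host = cname.lower().rstrip(".")
    for provider, (suffixes, sigs) in FINGERPRINTS.items():
        if any(host.endswith(s) for s in suffixes):
            return provider, sigs
    return None

def classify(obs: Observation) -> str:
    if obs.cname is None:
        return "no-cname"
    if not obs.target_resolves:
        return "dangling:nxdomain"   # target gone: dangling whatever the provider
    match = provider_for(obs.cname)
    if match is None:
        return "unknown-provider"    # not in the fingerprint table; review by hand
    provider, sigs = match
    if any(sig in obs.body for sig in sigs):
        return "dangling:" + provider
    return "ok"

def audit(observations):
    # Only dangling verdicts are worth a ticket; "ok" and "no-cname" are dropped
    return [(o.name, v) for o in observations if (v := classify(o)).startswith("dangling")]

# Constructed sample evidence (hosts are made up for the example)
SAMPLE = [
    Observation("blog.company.example", "company-blog.herokuapp.com", True, "No such app"),
    Observation("cdn.company.example", "assets.s3.amazonaws.com", True, "<html>ok</html>"),
    Observation("old.company.example", "old-app.azurewebsites.net", False),
    Observation("www.company.example", None, True, "<html>home</html>"),
]
```

Feed audit() the DNS and HTTP results gathered from the dig/nuclei/subjack steps above; an "unknown-provider" verdict means the CNAME target is not in the table and should be reviewed by hand rather than ignored.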

Prevention

  • Remove DNS records when deprovisioning services
  • Regular audits: Scan subdomains for takeover vulnerabilities
  • DNS inventory: Maintain documented list of all DNS records and their purposes
  • Monitoring: Alert on DNS records pointing to uncontrolled destinations
  • Cookie scoping: Avoid setting cookies on parent domain when possible

Tools

See Also