Overview
The Subdomain Takeover scanner discovers subdomains pointing to unclaimed cloud resources that attackers could claim to serve malicious content from your domain. It combines subdomain discovery with takeover vulnerability detection.
The Subdomain Takeover scanner is an offensive tool: it identifies exploitable misconfigurations in DNS records. It does not add data to your Attack Surface and does not generate findings. Results are displayed as a report listing vulnerable and safe subdomains.
Supported targets
| Target type | Examples |
|---|---|
| Domain | example.com, corp.example.org |
Provide a domain name with a valid TLD. The tool will automatically discover subdomains and test each one for takeover vulnerabilities.
What is subdomain takeover?
Subdomain takeover occurs when:
- A subdomain has a DNS CNAME pointing to an external service (e.g., Heroku, GitHub Pages, AWS S3)
- The organization stops using the service and deletes the resource
- The DNS record remains, pointing to an unclaimed resource
- An attacker registers on the service and claims the abandoned resource
- The attacker now controls content served from your subdomain
How it works
The scanner performs two phases:
Phase 1: Subdomain discovery
Uses the same techniques as Subdomain Finder to enumerate subdomains:
| Technique | Description |
|---|---|
| DNS Enumeration | Brute-force common subdomain names using wordlists |
| Certificate Transparency | Query CT logs for issued certificates |
| External APIs | Query third-party subdomain databases |
| Search Engines | Extract subdomains from Bing and Google results |
| SSL Certificates | Analyze certificate SANs for subdomain names |
| Website Crawling | Extract subdomains from HTML links |
| Smart DNS Search | Generate subdomain variations and permutations |
| Zone Transfer | Attempt AXFR to retrieve full DNS zone |
Phase 2: Takeover detection
For each discovered subdomain:
- DNS resolution: Resolve the subdomain to get its IP address
- CNAME lookup: Check whether the subdomain has a CNAME pointing to an external service
- Port scanning: Scan ports 80, 8080, 443, and 8443 for web services
- Response analysis: Make HTTP requests and check for provider-specific error messages
- Vulnerability determination: Mark the subdomain as vulnerable if the error matches a known takeover pattern
Supported providers
The scanner detects takeover vulnerabilities for these services:
| Provider | Error indicator |
|---|---|
| GitHub Pages | "There isn’t a GitHub Pages site here" |
| Heroku | "No such app" |
| Shopify | "Sorry, this shop is currently unavailable" |
| Fastly | "Fastly error: unknown domain" |
| Tumblr | "Whatever you were looking for doesn’t currently exist at this address" |
| Ghost | "The thing you were looking for is no longer here, or never was" |
| BitBucket | "Repository not found" |
| Surge.sh | "project not found" |
| WordPress.com | "Do you want to register *.wordpress.com?" |
| UserVoice | "This UserVoice subdomain is currently available!" |
| Help Scout | "No settings were found for this company" |
| Help Juice | "We could not find what you’re looking for" |
| Readme.io | "Project doesnt exist… yet!" |
| Jetbrains | "is not a registered InCloud YouTrack" |
| Tilda | "Please renew your subscription" |
The scanner checks for specific error messages that indicate the cloud resource is unclaimed and available for takeover.
Subdomain takeover can enable cookie theft across your entire domain if cookies are set without the __Host- prefix or explicit domain restrictions.
When vulnerabilities are found:
- Remove dangling DNS records: Delete CNAME or A records pointing to unclaimed resources
- Reclaim the resource: If still needed, recreate the resource on the cloud provider
- Audit DNS regularly: Review DNS records when decommissioning services
- Monitor for changes: Set up alerts for DNS record modifications
- Use subdomain inventory: Maintain a list of active subdomains and their purposes
Before deleting a cloud resource, always remove the corresponding DNS record first. This prevents the window of vulnerability between resource deletion and DNS cleanup.
Follow-up actions
After identifying vulnerable subdomains:
- Remediate immediately: Subdomain takeover vulnerabilities are easily exploitable
- Check cookie scope: Review if any cookies could be accessed from the vulnerable subdomain
- Audit all DNS: Review complete DNS configuration for similar issues
- Run Subdomain Finder: Comprehensive subdomain enumeration
- Check related domains: Use Domain Finder to find other domains to test
- Schedule regular scans: Set up Scheduled scans to detect new vulnerabilities
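To make the cookie warning and the "Check cookie scope" step above concrete, the following added example (not part of the scanner or its documentation) applies the browser's cookie domain-matching rules to a set of Set-Cookie headers and reports which cookies would be sent to a flagged subdomain. The hostnames, cookie values and function names are constructed for illustration, and public-suffix checks are left out.

```python
# Added example: hostnames, cookies and function names are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def domain_match(host, domain):
    """RFC 6265 domain-match for host names (IP addresses not handled)."""
    return host == domain or host.endswith("." + domain)

def host_prefix_valid(attrs):
    """__Host- cookies must be Secure, have Path=/ and carry no Domain."""
    return "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs

def sent_to(set_by_host, header, subdomain):
    """True if a browser would send this cookie to `subdomain`."""
    name, attrs = parse_set_cookie(header)
    if name.startswith("__Host-"):
        # Browsers reject a malformed __Host- cookie; a valid one is host-only.
        return host_prefix_valid(attrs) and subdomain == set_by_host
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return subdomain == set_by_host  # no Domain attribute: host-only
    # Domain must cover the setting host, then it covers every host below it.
    return domain_match(set_by_host, domain) and domain_match(subdomain, domain)

def audit(set_by_host, headers, flagged_subdomain):
    """Names of cookies that would be sent to the flagged subdomain."""
    return [parse_set_cookie(h)[0] for h in headers
            if sent_to(set_by_host, h, flagged_subdomain)]

# Constructed Set-Cookie headers as issued by www.example.com
SAMPLE_HEADERS = [
    "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly",
    "__Host-session=def456; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
    "tracking=xyz; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    for name in audit("www.example.com", SAMPLE_HEADERS, "old-blog.example.com"):
        print("sent to old-blog.example.com:", name)
```

HttpOnly and Secure do not narrow the result: both restrict how a cookie is read or transported, not which hosts receive it.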