Subdomain Takeover

About this tool

Allows you to discover subdomains of a target organization that point to external services (e.g. Amazon S3, Heroku, GitHub, etc.) and are not claimed on that service, leaving them vulnerable to a hostile takeover.

Subdomain Takeover is a type of vulnerability that appears when an organization has configured a DNS CNAME entry for one of its subdomains pointing to an external service (e.g. Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify, etc.) but the service is no longer utilized by that organization. An attacker could register with the external service and claim the affected subdomain.

As a result, the attacker could host malicious code (ex. for stealing HTTP cookies) on the organization's subdomain and use it to attack legitimate users.

Parameters

  • Target domain: The domain name (e.g. yahoo.com) that will be searched for subdomains vulnerable to takeover.

How it works

The tool uses all the techniques from the Subdomain Finder tool to identify existing subdomains of the target domain. It then looks for CNAME DNS entries that point to external services and tries to visit the web pages at those locations. If a page contains specific keywords (which differ from one external service to another, typically the provider's "unclaimed resource" error message), the subdomain is declared vulnerable.
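The check described above, reduced to its two decisions (does the CNAME target belong to an external service, and does the page at the subdomain carry that service's "unclaimed" fingerprint), as an added example for defenders auditing their own zones; it is not the tool's own code. The service suffixes and fingerprint strings are assumptions taken from commonly published takeover signatures and should be re-verified against each provider's current error page, and the zone records and HTTP bodies are constructed inline so the script runs offline (a real run would resolve the CNAMEs and fetch the pages over the network).

```python
"""Dangling-CNAME audit, modelled on the workflow described in the text.

Added example, not the tool's own code. The fingerprints below are assumptions
(verify against the provider), and the sample zone and page bodies are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# CNAME target suffix -> (service name, fingerprint expected in the provider's
# "unclaimed" error page). Assumed values for illustration; providers change
# their error pages, so keep this table under review.
SERVICE_FINGERPRINTS = {
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "herokuapp.com": ("Heroku", "No such app"),
    "s3.amazonaws.com": ("Amazon S3", "NoSuchBucket"),
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    service: str
    vulnerable: bool


def classify_cname(cname: str) -> Optional[tuple[str, str]]:
    """Return (service, fingerprint) if the CNAME target is a known external service."""
    target = cname.rstrip(".").lower()
    for suffix, info in SERVICE_FINGERPRINTS.items():
        # Exact match or a label boundary, so "notgithub.io" does not match "github.io".
        if target == suffix or target.endswith("." + suffix):
            return info
    return None


def looks_unclaimed(fingerprint: str, body: str) -> bool:
    """Keyword heuristic: the provider's 'unclaimed' message appears in the response."""
    return fingerprint.lower() in body.lower()


def check_zone(records: Iterable[tuple[str, str]],
               fetch: Callable[[str], Optional[str]]) -> list[Finding]:
    """records: (subdomain, cname) pairs; fetch: returns the HTTP body served at a subdomain."""
    findings: list[Finding] = []
    for sub, cname in records:
        info = classify_cname(cname)
        if info is None:
            continue  # internal or unknown target: not in scope for this check
        service, fingerprint = info
        body = fetch(sub) or ""  # no response at all is treated as "no fingerprint"
        findings.append(Finding(sub, cname, service, looks_unclaimed(fingerprint, body)))
    return findings


# Constructed sample zone (not real hosts) and the bodies each subdomain would serve.
SAMPLE_RECORDS = [
    ("docs.example.com", "example-docs.github.io."),
    ("shop.example.com", "example-shop.herokuapp.com."),
    ("static.example.com", "example-static.s3.amazonaws.com."),
    ("mail.example.com", "mx1.example.com."),
]
SAMPLE_BODIES = {
    "docs.example.com": "<h1>Project documentation</h1>",          # claimed, serving content
    "shop.example.com": "<h1>No such app</h1>",                    # dangling Heroku app
    "static.example.com": "<Error><Code>NoSuchBucket</Code></Error>",  # dangling S3 bucket
}


def sample_fetch(subdomain: str) -> Optional[str]:
    """Stand-in for an HTTP GET against the subdomain; returns the constructed body."""
    return SAMPLE_BODIES.get(subdomain)


def run_sample() -> list[Finding]:
    return check_zone(SAMPLE_RECORDS, sample_fetch)


if __name__ == "__main__":
    for f in run_sample():
        status = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{f.subdomain:20} -> {f.cname:36} [{f.service}] {status}")
```

A fingerprint match is a heuristic, not proof: confirm each hit by checking whether the resource really is unclaimed on the provider side, and fix it by removing the stale CNAME record or re-claiming the resource.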