About the Subdomain Takeover tool
The tool discovers subdomains of a target organization that point to external services (e.g. Amazon S3, Heroku, GitHub) and are not claimed, which leaves them vulnerable to takeover.
Subdomain takeover is a type of vulnerability that appears when a DNS entry (subdomain) of an organization points to an external service (e.g. Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify) but the service is no longer in use. An attacker could register with the external service and claim the affected subdomain.
As a result, the attacker could host malicious code (e.g. for stealing HTTP cookies) on the organization's subdomain and use it to attack legitimate users.
- Target domain: the domain name (e.g. yahoo.com) that will be searched for subdomains vulnerable to takeover
How it works
The tool uses all the techniques from the Find Subdomains tool to identify existing subdomains of the target domain. It then looks for CNAME DNS entries that point to external services and tries to visit the web pages at those locations. If a page contains specific keywords (which depend on the external service), the subdomain is reported as vulnerable.
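The CNAME and keyword check described above, sketched as an offline audit of your own DNS inventory. This is an added example, not the tool's code: the fingerprint strings, hostnames and page bodies are constructed assumptions, and real fingerprints must be verified against each provider's current error pages.

```python
# Added example: fingerprints, records and page bodies are constructed for illustration.
# CNAME target suffix -> (service name, keyword shown when the resource is unclaimed)
FINGERPRINTS = {
    ".s3.amazonaws.com": ("Amazon S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("Heroku", "No such app"),
}

def match_service(cname_target):
    """Return (service, keyword) if the CNAME target belongs to a known service."""
    target = cname_target.rstrip(".").lower()
    for suffix, info in FINGERPRINTS.items():
        if target.endswith(suffix):
            return info
    return None

def audit(cname_records, fetch_body):
    """Classify (subdomain, cname_target) pairs; fetch_body returns str or None."""
    findings = []
    for subdomain, target in cname_records:
        info = match_service(target)
        if info is None:
            continue  # CNAME does not point at a fingerprinted external service
        service, keyword = info
        body = fetch_body(subdomain)
        if body is None:
            status = "unreachable"  # needs manual review, not proof either way
        elif keyword.lower() in body.lower():
            status = "unclaimed"    # dangling CNAME: delete the record or reclaim the resource
        else:
            status = "claimed"
        findings.append((subdomain, service, status))
    return findings

# Constructed inventory and responses (example.com is a reserved documentation domain).
RECORDS = [
    ("assets.example.com", "assets-example.s3.amazonaws.com."),
    ("docs.example.com", "example-org.github.io."),
    ("shop.example.com", "example-shop.herokuapp.com."),
    ("www.example.com", "lb.internal.example.com."),
]
PAGES = {
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<html><h1>Project documentation</h1></html>",
}

if __name__ == "__main__":
    for row in audit(RECORDS, PAGES.get):
        print(*row, sep="\t")
```

In a live audit, fetch_body would be replaced by an HTTP client call, and every "unclaimed" or "unreachable" result should be resolved by removing the stale DNS record or re-provisioning the resource it points to.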