Subdomain Takeover

Discover subdomains vulnerable to hostile takeover.


Sample Subdomain Takeover report

Here is a sample report from our Subdomain Takeover tool that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Includes the subdomains found on the target domain

  • Includes the DNS CNAME records of each subdomain

  • Includes the HTTP response code for each subdomain (port 443)

Use Cases for Subdomain Takeover

The tool lets you discover subdomains of a target organization that point to external services (e.g. Amazon S3, Heroku, GitHub) and are not claimed, leaving them vulnerable to a hostile takeover.

  • Speed Up Bug Bounty Hunting

    Spend a fraction of the time on Subdomain Takeover and reap the rewards faster. This is a classic, well-paid vulnerability in Bug Bounty programs.

  • Review Your DNS Entries

    As a system administrator, you can use this tool to perform an external inventory of your organization’s existing DNS entries.

  • Map Your Attack Surface

    Because the tool also discovers a target’s subdomains, each scan automatically adds findings to the attack surface of the organization.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Technical details

Subdomain Takeover is a type of vulnerability that appears when an organization has configured a DNS CNAME entry for one of its subdomains pointing to an external service (e.g. Heroku, GitHub, Bitbucket, Desk, Squarespace, Shopify, etc.) but no longer uses that service. This enables an attacker to register with the external service and claim the affected subdomain.

As a result, the attacker could host malicious code (e.g. for stealing HTTP cookies) on the organization's subdomain and use it to attack legitimate users.


Target domain: This is a domain name (e.g. whose subdomains vulnerable to takeover the tool will search for.

How it works

The tool uses all the techniques from Subdomain Finder to identify existing subdomains for the target domain. It then searches for CNAME DNS entries pointing to external services and it tries to visit the web pages at those locations. If the pages contain some specific keywords (depending on the external service), the subdomain is declared vulnerable.
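
The check described above, as an added example for reviewing your own DNS inventory (it is not the tool's code). It classifies already-collected rows with the same columns as the sample report: subdomain, CNAME and HTTP response on port 443. The provider suffixes, fingerprint strings, verdict labels and sample rows are assumptions constructed for illustration.

```python
# Added example: offline triage of a DNS inventory for dangling CNAMEs.
# Provider suffixes and fingerprint strings below are illustrative assumptions;
# confirm them against each provider's current "unclaimed resource" page.
from dataclasses import dataclass
from typing import Optional

FINGERPRINTS = {
    ".github.io": "There isn't a GitHub Pages site here",
    ".herokuapp.com": "No such app",
    ".s3.amazonaws.com": "NoSuchBucket",
}

@dataclass
class Record:
    subdomain: str
    cname: Optional[str]   # None when the name has no CNAME record
    status: Optional[int]  # HTTP status on port 443, None if nothing answered
    body: str              # response body fetched from the subdomain

def provider_for(cname: str) -> Optional[str]:
    """Return the matching external-service suffix, or None."""
    target = cname.rstrip(".").lower()
    return next((s for s in FINGERPRINTS if target.endswith(s)), None)

def classify(rec: Record) -> str:
    if not rec.cname:
        return "no-cname"
    suffix = provider_for(rec.cname)
    if suffix is None:
        return "internal-or-unknown"   # CNAME is not to a listed service
    if rec.status is None:
        return "review"                # external CNAME, no response: check by hand
    if FINGERPRINTS[suffix].lower() in rec.body.lower():
        return "dangling"              # provider says the resource is unclaimed
    return "claimed"

def audit(records):
    return {r.subdomain: classify(r) for r in records}

# Constructed sample inventory (example.com names, not real findings).
SAMPLE = [
    Record("www.example.com", None, 200, "<html>home</html>"),
    Record("docs.example.com", "example-docs.github.io.", 404,
           "<p>There isn't a GitHub Pages site here.</p>"),
    Record("shop.example.com", "example-shop.herokuapp.com", 200, "<html>Shop</html>"),
    Record("old.example.com", "legacy.s3.amazonaws.com", None, ""),
    Record("mail.example.com", "mx.example.net", 200, ""),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:20} {verdict}")
```

Rows marked `dangling` or `review` are the ones to fix, either by removing the CNAME or by re-claiming the resource at the provider.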