2 Free Scans

Subdomain Takeover

Discover subdomains which are vulnerable to hostile takeover

Scan Now
Sample Report | Use Cases | Technical Details

Sample Report

Here is a Subdomain Takeover sample report:

  • Includes the subdomains found on the target domain
  • Includes the DNS CNAME records of each subdomain
  • Includes the HTTP response code for each subdomain (port 443)

Download Sample Report

Sample report

Subdomain Takeover - Use Cases

Allows you to discover subdomains of a target organization which point to external services (ex. Amazon S3, Heroku, Github, etc) and are not claimed - leaving them vulnerable to hostile takeover.

Bug Bounty

Subdomain Takeover is a classic well paid vulnerability in Bug Bounty programs. This tool allows you to discover such vulnerabilities and get paid for them.

Review Your DNS Entries

As a system administrator, you can use this tool to perform an external inventary of the existing DNS entries of your organization.

Discover Attack Surface

Since it also discovers the subdomains of the target domain, this tool allows you to have a better view of the attack surface of your target organization.

Technical Details


About

Subdomain Takeover is a type of vulnerability which appears when an organization has configured a DNS CNAME entry for one of its subdomains pointing to an external service (ex. Heroku, Github, Bitbucket, Desk, Squarespace, Shopify, etc) but the service is no longer utilized by that organization. An attacker could register to the external service and claim the affected subdomain.

As a result, the attacker could host malicious code (ex. for stealing HTTP cookies) on the organization's subdomain and use it to attack legitimate users.


Parameters

Parameter Description
Target domain This is a domain name (ex. yahoo.com) which will be searched for subdomains vulnerable to takeover.


How it works

The tool uses all the techniques from Find Subdomains tool to identify existing subdomains for the target domain. Then it searches for CNAME DNS entries pointing to external services and it tries to visit the web pages at those locations. If the pages contain some specific keywords (depending on the external service), the subdomain is declared as vulnerable.