Key Takeaways
- Subdomain takeover happens when DNS points to unclaimed resources.
- Common targets: S3 buckets, GitHub Pages, Heroku, Azure.
- Can lead to phishing, cookie theft, and reputation damage.
- High-value bug bounty finding—often $500-$5000.
When companies delete cloud resources but forget to remove DNS records, those subdomains become vulnerable. Anyone can claim the orphaned resource and serve content on the company's subdomain.
How It Works
- Company creates blog.company.com → points to a Heroku app
- Company deletes the Heroku app but forgets the DNS record
- Attacker creates a Heroku app with the same name
- Attacker now controls blog.company.com!
Finding Vulnerable Subdomains
```bash
# Subdomain enumeration
subfinder -d target.com -o subs.txt
amass enum -d target.com

# Check for takeover indicators
subjack -w subs.txt -t 100 -timeout 30 -o results.txt

# Manual check for specific providers
dig CNAME blog.target.com
# If the CNAME points to an unregistered resource → vulnerable!
```
Vulnerable Fingerprints
| Provider | Error Message |
|---|---|
| AWS S3 | NoSuchBucket |
| GitHub Pages | There isn't a GitHub Pages site here |
| Heroku | No such app |
| Azure | not found / NXDOMAIN |
| Shopify | Sorry, this shop is currently unavailable |
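The manual `dig` check and the fingerprint table above can be turned into a routine audit of your own zone, which is how a defender catches dangling CNAMEs before anyone else does. The script below is an added example, not code from the original page or from any of the tools it lists. It uses the error strings from the table, and the zone records (`example.com` names), the `SIM_DNS`/`SIM_HTTP` lookup tables and the `resolve`/`fetch_body` stand-ins are constructed so it runs offline; on a real zone you would replace those two functions with actual DNS and HTTP lookups (for example via dnspython and requests), and the `audit`/`run_sample` names are this example's own.

```python
"""Audit a zone export for dangling CNAMEs using provider fingerprints.

Added example (not from the original page). DNS and HTTP are simulated with
dicts so the script runs offline; swap `resolve` and `fetch_body` for real
lookups when auditing a live zone.
"""
import re
from dataclasses import dataclass

# Provider fingerprints keyed by the CNAME target suffix. The error strings
# are the ones from the fingerprint table. Azure has no body string here:
# the giveaway is that the CNAME target itself no longer resolves (NXDOMAIN).
FINGERPRINTS = {
    "s3.amazonaws.com": ("AWS S3", re.compile(r"NoSuchBucket")),
    "github.io": ("GitHub Pages", re.compile(r"There isn't a GitHub Pages site here")),
    "herokuapp.com": ("Heroku", re.compile(r"No such app")),
    "azurewebsites.net": ("Azure", None),
    "myshopify.com": ("Shopify", re.compile(r"Sorry, this shop is currently unavailable")),
}


@dataclass
class Finding:
    name: str       # our subdomain
    target: str     # where its CNAME points
    provider: str
    reason: str


# --- constructed stand-ins so the example runs offline ---------------------
# CNAME target -> does it resolve? (False models NXDOMAIN)
SIM_DNS = {
    "old-blog.herokuapp.com": True,          # Heroku wildcard still resolves
    "static-example.s3.amazonaws.com": True, # S3 endpoint resolves, bucket gone
    "example.github.io": True,
    "oldapp.azurewebsites.net": False,       # Azure resource deleted -> NXDOMAIN
    "example.myshopify.com": True,
    "lb.internal.example.net": True,
}
# our subdomain -> simulated HTTP response body
SIM_HTTP = {
    "blog.example.com": "<h1>No such app</h1>",
    "static.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<html>Welcome to the docs</html>",
    "shop.example.com": "<html>Shop front</html>",
}
# Constructed zone export: (name, CNAME target)
SAMPLE_RECORDS = [
    ("blog.example.com", "old-blog.herokuapp.com"),
    ("static.example.com", "static-example.s3.amazonaws.com"),
    ("docs.example.com", "example.github.io"),
    ("app.example.com", "oldapp.azurewebsites.net"),
    ("shop.example.com", "example.myshopify.com"),
    ("www.example.com", "lb.internal.example.net"),   # not a known provider
]


def resolve(target, dns=SIM_DNS):
    """Return True if the CNAME target resolves (simulated)."""
    return dns.get(target, False)


def fetch_body(name, http=SIM_HTTP):
    """Return the HTTP body served at our subdomain (simulated)."""
    return http.get(name, "")


def provider_for(target):
    """Map a CNAME target to (provider, fingerprint) by suffix, or None."""
    for suffix, (provider, pattern) in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return provider, pattern
    return None


def audit(records, dns=SIM_DNS, http=SIM_HTTP):
    """Flag records whose CNAME target is gone or serves a takeover fingerprint."""
    findings = []
    for name, target in records:
        match = provider_for(target)
        if match is None:
            continue                      # not a hosted provider we fingerprint
        provider, pattern = match
        if not resolve(target, dns):
            findings.append(Finding(name, target, provider, "CNAME target is NXDOMAIN"))
            continue
        if pattern and pattern.search(fetch_body(name, http)):
            findings.append(Finding(name, target, provider,
                                    f"fingerprint matched: {pattern.pattern}"))
    return findings


def run_sample():
    return audit(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"DANGLING {f.name} -> {f.target} [{f.provider}]: {f.reason}")
```

Run it on a zone export after every decommissioning change (or on a schedule); a record that shows up here should be deleted or repointed before the resource name can be re-registered by someone else.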
Essential Tools
- Subfinder: Fast subdomain discovery
- Subjack: Takeover scanner
- Nuclei: With takeover templates
- can-i-take-over-xyz: Updated takeover checklist
Frequently Asked Questions
How do I prove impact for bug bounty?
Take control by creating the resource, then serve a simple TXT file or distinctive page. Never serve malicious content. Screenshot your proof and the DNS records.