Bug Bounty / ctf-tools / How to hack / Networking / Payloads

The Ultimate Guide to Finding Subdomain Takeover Vulnerabilities (Step-by-Step + Payloads & Tools)

spyboy's avatarPosted by

What is Subdomain Takeover?

A Subdomain Takeover happens when a subdomain (like blog.example.com) points to an external service (e.g., GitHub Pages, Heroku, AWS S3, etc.) but that external resource is no longer in use, leaving it open for an attacker to claim and serve malicious content.

For example:

blog.example.com → CNAME → username.github.io

If username.github.io doesn’t exist anymore, an attacker can create that GitHub repo, take over the subdomain, and host malicious code under your domain name.

🧨 Real-World Impact

  • 🧪 Host phishing pages under a legitimate domain
  • 🚨 Bypass security protections (CORS, CSRF, SPF, etc.)
  • 🕳 Exploit trust in emails, cookies, and security headers
  • 📈 Escalate to stored XSS, RCE, SSRF if used with other flaws

🎯 Step-by-Step Guide to Find Subdomain Takeover

This is the guaranteed method to find takeover opportunities across large scopes (including wildcard scopes like *.example.com).

⚙️ Step 1: Subdomain Enumeration

Start by gathering all subdomains for the target domain.

✅ Tools:

  • Subfindersubfinder -d example.com -o subdomains.txt
  • Amassamass enum -passive -d example.com
  • Assetfinderassetfinder --subs-only example.com
  • crt.sh or SecurityTrails

🔥 Tip: Combine tools for a master list:

cat subdomains*.txt | sort -u > all_subdomains.txt

🛰️ Step 2: DNS Resolution Check

Check which subdomains are unresolved (NXDOMAIN). These are your top targets.

✅ Tools:

  • dnsxdnsx -l all_subdomains.txt -silent -a -resp -o resolved.txt
  • MassDNS for large-scale resolution

You’re looking for subdomains that exist in DNS, but don’t resolve in the browser.

Example:

blog.example.com → NXDOMAIN

🔍 Step 3: Look for CNAME Mappings

Check if unresolved subdomains are pointing to external services via CNAME records.

✅ Tools:

  • digdig blog.example.com CNAME +short
  • dnsx with -cnamednsx -l all_subdomains.txt -cname -o cname_records.txt

Look for subdomains that point to:

*.github.io
*.herokuapp.com
*.s3.amazonaws.com
*.cloudfront.net
*.azurewebsites.net

If the CNAME target doesn’t exist, this is a prime candidate for takeover.

⚠️ Step 4: Match with Known Vulnerable Services

Cross-reference CNAMEs against a Subdomain Takeover Fingerprint List.

🎯 Popular Vulnerable Services:

  • GitHub Pages (*.github.io)
  • GitLab Pages
  • AWS S3
  • Heroku
  • Shopify (if plan inactive)
  • Azure Blob
  • Tumblr
  • Bitbucket
  • Fastly / Cloudfront
  • Cargo
  • HelpScout
  • Desk
  • Zendesk
  • Tilda
  • Intercom
  • Shopify CDN
  • Unbounce
  • and many more…

✅ Tools:

  • can-i-take-over-xyz – community-maintained service fingerprint list

🧪 Step 5: Confirm the Vulnerability

Visit the subdomain in your browser or use curl. If you see errors like:

  • No such bucket
  • Repository not found
  • This page is not available
  • There's nothing here, yet.
  • Project doesn't exist
  • Heroku | No such app
  • 404 Not Found (CloudFront)

✅ It’s vulnerable.

🧨 Top Payloads / Actions

These aren’t “payloads” in the traditional sense, but actions to exploit the issue once confirmed.

📌 GitHub Pages

# Create a new repo named: blog
# Enable GitHub Pages in settings
# Push index.html with deface message

📌 Heroku

heroku create blog-example123
# App gets mapped to blog.example.com (if CNAME still points there)

📌 AWS S3

aws s3 mb s3://bucketname --region us-east-1
aws s3 website s3://bucketname/ --index-document index.html

🛠 Best Tools for Subdomain Takeover

ToolPurpose

Subfinder / AmassSubdomain enumeration

dnsx / MassDNSDNS resolution + CNAME lookup

tko-subsAutomated subdomain takeover scanner

subjackFingerprint and scan for takeovers

takeover (by @m4ll0k)Another fingerprint-based tool

nucleiTemplate-based scanning (can use CNAME)

can-i-take-over-xyzReference repo for service fingerprints

httpxCheck response status/content

🔁 Automation Example

Here’s a one-liner automation combo:

subfinder -d example.com | dnsx -cname -resp | grep -i 'github.io\|herokuapp\|s3' | tee targets.txt
subjack -w targets.txt -t 50 -timeout 30 -ssl -c fingerprints.json -v

🚨 Reporting Tips (Bug Bounty / VDP)

When submitting a report:

  • Include DNS resolution proof (dig, dnsx output)
  • Screenshot of browser message or error
  • CNAME chain and exact vulnerable service
  • Optional: Controlled proof of concept (host harmless content)
  • Never weaponize (phish, deface, host malware)

🔐 How to Prevent Subdomain Takeovers (for Devs)

  1. Remove DNS entries for unused services
  2. Monitor DNS records with tools like SecurityTrails, dnsmonitor
  3. Avoid dangling CNAMEs
  4. Use wildcard catch-all redirects cautiously
  5. Use tools like PSI, HackerOne Assets, or internal asset managers

🏁 Final Thoughts

Subdomain Takeovers are low-hanging fruit that can lead to severe security issues. The most successful hunters are those who combine:

  • Recon automation
  • Service knowledge
  • Patience and persistence

If you follow the method in this blog post, you will 100% find subdomain takeover vulnerabilities, especially on large scopes like:

  • *.company.com
  • *.prod.company.com
  • *.old-domain.net

One comment

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.