Subdomain Takeover

What is subdomain?

A domain name typically has two parts: the top-level domain (TLD) is the extension, such as .com or .org, and the second-level domain (SLD) is the unique part of the domain name, often a business or brand name. In the “com” is the TLD and “example” is the SLD.

The subdomain is what goes before the SLD. The most common subdomain is www, which stands for World Wide Web. This subdomain contains a website’s homepage and its most important pages. The www subdomain is so widely used that most domain registrars include it with domain name purchases.

Subdomains are also commonly used to separate a section of a website from the main site. For example, and direct to our blog and online store respectively.

When we group our domain name and subdomain with a protocol at the beginning (HTTP or HTTPS for websites) and an optional file path at the end, we have a complete URL:

Introduction to subdomain takeovers

Subdomain takeover is a process of registering an existing domain name to gain control over the domain. Subdomain takeover vulnerabilities occur when a subdomain ( is pointing to a service (e.g., Shopify, GitHub Pages, Heroku, etc.) that has been removed, deleted, or never registered with the service, but the DNS entry is kept. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain.

For example, suppose was pointing to a GitHub page and the user decided to delete their GitHub page from GitHub but didn’t delete the DNS entry.

Now an attacker can create a GitHub page, add a CNAME file containing, and claim

The most common scenario of this process follows:

  1. The domain name (e.g., uses a CNAME record to another domain (e.g., CNAME
  2. At some point in time, expires and is available for registration by anyone.
  3. Since the CNAME record is not deleted from the DNS zone, anyone who registers has full control over for as long as the DNS record is present.

The implications of a subdomain takeover can be significant. Using a subdomain takeover, attackers can run phishing from the legitimate domain, perform cross-site scripting (XSS), or damage the reputation of the brand associated with the domain.

Methods to find Subdomain Takeover:

1. Enumerate all the subdomains using subfinder, assetfinder, amass, findomain, puredns, dnsx, Sublist3r, etc.

2. Combine all the subdomains found using the above tools into a text file, e.g., subdomains.txt.

3. Find live subdomains using httprobe or httpx from the list of all subdomains and save them in a text file, e.g., livesubdomains.txt.

4. Then use ProjectDiscovery’s Nuclei subdomain-takeover templates to find the vulnerable domains using the command below:

CMD: nuclei -l livesubdomains.txt -t /nuclei-templates-directory/subdomain-takeover -v -o output.txt

5. That’s all; it will list the possibly vulnerable websites, if any.

6. Now, find the CNAME of the vulnerable website using the methods below:

Use the following command in your terminal: dig

Search your subdomain here:

Search subdomain here:

7. So now you have to check whether the subdomain has a CNAME pointing somewhere that is not yet claimed (mostly a 404 Not Found); then search Google for “ subdomain takeover”, where the first part is the CNAME. If you can’t find the result you need, just go to and that cloud website will mostly teach you how to connect a website.

For an extended listing of affected cloud providers, I highly recommend checking the “Can I take over XYZ?” guide.

Note: This bug is usually considered P2 severity if the subdomain is an important one and P3 for other subdomains.

How to avoid subdomain takeovers?

  1. Review your DNS entries and remove all entries that are active but no longer in use, especially those pointing toward external services.
  2. Ensure that your external services are configured to listen to your wildcard DNS.
  3. When creating a new resource, make the DNS record creation the last step in the process, so that the record never points to a non-existing domain.
  4. Continuously monitor your DNS entries and ensure there are no dangling DNS records.
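As an added example (not from the original post), here is a small Python audit that implements steps 1 and 4 offline: it parses a BIND-style zone export for CNAME records and flags those whose target no longer resolves, which is exactly the dangling record an attacker would look for. The zone text, the STUB_DNS table and the stub_resolve function are constructed stand-ins; against a real zone you would substitute a live resolver.

```python
import re

# Constructed sample zone export (example.com is the RFC 2606 documentation
# domain; the .invalid target stands in for a cancelled PaaS tenant).
ZONE = """\
$ORIGIN example.com.
www      300 IN A     192.0.2.10
blog     300 IN CNAME blog-host.example.net.
old-app  300 IN CNAME old-app-tenant.example-paas.invalid.  ; service cancelled
"""

# Constructed resolver state standing in for live DNS: None means NXDOMAIN.
STUB_DNS = {
    "blog-host.example.net.": "198.51.100.5",
    "old-app-tenant.example-paas.invalid.": None,
}

# Matches "owner [ttl] [IN] CNAME target" in a zone file.
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)\s*$")

def fqdn(name, origin):
    """Expand a relative zone-file name against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text):
    """Return (owner, target) FQDN pairs for every CNAME record in the zone text."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if m:
            owner, target = m.groups()
            records.append((fqdn(owner, origin), fqdn(target, origin)))
    return records

def find_dangling(zone_text, resolve):
    """CNAMEs whose target no longer resolves: remove them before anyone can claim the target."""
    return [(o, t) for o, t in parse_cnames(zone_text) if resolve(t) is None]

def stub_resolve(name):
    """Offline stand-in for a real lookup (e.g. dns.resolver.resolve or socket.getaddrinfo)."""
    return STUB_DNS.get(name)
```

Calling find_dangling(ZONE, stub_resolve) returns the old-app record only; run on a schedule against your real zone with a live resolver, it gives you the continuous monitoring step 4 asks for.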


I hope reading this post has raised your awareness of the risks associated with subdomain takeovers and how to find them. Subdomain takeovers can be involved in other, more complex attacks.

If you would like to dig deeper, I recommend HackerOne’s feed of disclosed bug-bounty reports, which is an excellent resource on the topic.

Published by: Hemant Patidar
