Introduction
During reconnaissance, I discovered a subdomain takeover vulnerability caused by a misconfigured DNS record pointing to an inactive third-party service. This misconfiguration would allow an attacker to claim the resource and host malicious content under the organization’s domain.
Subdomain takeover vulnerability occurs when a subdomain points to an unclaimed external service. Learn how it works, real examples, detection methods, and prevention techniques.
What is Subdomain Takeover Vulnerability?
Subdomain Takeover Vulnerability is a security misconfiguration where an attacker gains control of an unused or improperly configured subdomain.
It usually happens when a DNS record points to an expired or deleted third-party service (like cloud hosting), allowing attackers to claim it and host malicious content under the organization’s domain.
1) Normal State
blog.example.com → CNAME → myblog.github.io → GitHub Pages (Active)
User → blog.example.com → Company’s legitimate blog content
2) Dangling DNS State
blog.example.com → CNAME → myblog.github.io → X (Deleted)
User → blog.example.com → “404 — Not Found” page
3) Takeover State
blog.example.com → CNAME → myblog.github.io → Attacker’s GitHub Pages
User → blog.example.com → Attacker’s malicious content
This situation is called “Dangling DNS,” meaning the DNS record exists but points to a non-existent target.
Types of Subdomain Takeover
Most Subdomain Takeover cases are CNAME-based takeovers. I’ve compiled 167 publicly disclosed Subdomain Takeovers from HackerOne’s Hacktivity. For details, see: https://github.com/yee-yore/LLM-Context/blob/main/vulnerabilities/subdomain_takeover.json
CNAME-based Takeover
The most common type, occurring when a CNAME record points to a non-existent external service. Most subdomain takeover (STO) cases fall into this category.
subdomain.example.com. IN CNAME abandoned-app.herokuapp.com.
Although Subdomain Takeovers can theoretically occur via different DNS record types (A, NS, MX, SRV), in practice most real-world cases are CNAME-based. Other record types are rarely exploitable today and are typically mentioned only for completeness.
How Subdomain Takeover Works
1. DNS Record Points to an External Service
A company connects its subdomain to a third-party service like cloud hosting or a SaaS platform using a CNAME record.
2. Service Gets Deleted or Expired
Later, the external service is removed, but the DNS entry is not updated. The subdomain still points to a resource that no longer exists.
3. Attacker Claims the Resource
An attacker discovers this unused connection, registers the same service on that platform, and takes control of the subdomain to host malicious or misleading content.
Real-World Example of Subdomain Takeover
While performing security testing, I discovered a subdomain that appeared to be inactive but was still configured in the DNS records.
Step 1: Finding the Subdomain
During subdomain enumeration, I accessed the subdomain in a browser and noticed an error message: “The requested URL was not found on this server.” This suggested that the service behind the subdomain might have been removed.
Figure 1: The subdomain returns an error message indicating that the requested URL is not available on the server.
Step 2: Verifying DNS Records
To investigate further, I used the dig command to check the DNS configuration. The result showed that the subdomain was still pointing to an external service through a CNAME record.
Figure 2: DNS lookup using the dig command showing that the subdomain still points to an external service via a CNAME record.
Step 3: Identifying the Misconfiguration
Although the DNS entry was active, the actual service connected to it was no longer available. This type of leftover configuration is commonly known as a dangling DNS record.
Step 4: Potential Risk
If an attacker discovers this issue, they may be able to register the same resource on the external service and gain control of the subdomain. This could allow them to host malicious or misleading content under the organization’s domain.
Why Subdomain Takeover is Dangerous
1. Phishing Risk
If an attacker gains control of a subdomain, they can create fake login pages that look legitimate. Because the URL belongs to the real domain, users are more likely to trust it and enter sensitive information like usernames and passwords.
2. Cookie Theft
Some applications share cookies across subdomains. If an attacker controls one subdomain, they may be able to capture session cookies and potentially access user sessions.
3. Brand Damage
A compromised subdomain can be used to host malicious content, spam, or scams. Since it appears under the company’s domain, it can harm the organization’s reputation and reduce user trust.
4. Account Takeover
In certain cases, stolen session cookies or phishing attacks can allow attackers to gain unauthorized access to user accounts, leading to further security issues.
How to Detect Subdomain Takeover
1. Subfinder
Subfinder is used to discover subdomains of a target domain. It helps identify unused or forgotten subdomains that may lead to takeover vulnerabilities.
Command:
subfinder -d example.com
2. Amass
Amass performs deeper subdomain enumeration by collecting data from many public sources. This helps find additional subdomains that might be misconfigured.
Command:
amass enum -d example.com
3. Dig
dig is a DNS lookup tool used to check DNS records like A records or CNAME records. It helps verify whether a subdomain is still pointing to an external service.
Command:
dig subdomain.example.com
4. Nslookup
nslookup is another DNS query tool used to inspect domain records and confirm whether a subdomain points to a valid service.
Command:
nslookup subdomain.example.com
5. Subzy
Subzy is a tool designed to automatically detect potential subdomain takeover vulnerabilities by checking if the subdomain points to an unclaimed service.
Command:
subzy run --targets subdomains.txt
This process helps security testers quickly identify dangling DNS records that could potentially lead to a subdomain takeover vulnerability.
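The following added example (not from the original post or any of the tools above) automates the dig-and-inspect step over the three states shown earlier (active, dangling, claimable): it follows the CNAME chain and, for providers whose wildcard DNS still answers after a resource is deleted, checks the HTTP body for the provider's "unclaimed" page. The zone, the HTTP responses and the fingerprint strings are constructed stand-ins so it runs offline.

```python
# Providers the post lists as commonly vulnerable, with an illustrative "unclaimed"
# response fingerprint (placeholders: maintain them from a list such as can-i-take-over-xyz).
SERVICE_FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}
# Constructed DNS view (what dig would show; None = NXDOMAIN) and HTTP body view
# (what a browser would show), so the check runs offline with no real lookups.
DNS = {
    "blog.example.com.": ("CNAME", "myblog.github.io."),
    "myblog.github.io.": ("A", "192.0.2.10"),   # GitHub wildcard still resolves
    "shop.example.com.": ("CNAME", "oldshop.herokuapp.com."),
    "oldshop.herokuapp.com.": ("A", "192.0.2.20"),
    "api.example.com.": ("CNAME", "deleted-api.azurewebsites.net."),
    "deleted-api.azurewebsites.net.": None,     # Azure app deleted: no wildcard
    "www.example.com.": ("A", "203.0.113.10"),
}
HTTP_BODY = {
    "blog.example.com": "There isn't a GitHub Pages site here.",
    "shop.example.com": "<html>Welcome to our shop</html>",
}
def resolve(name): return DNS.get(name)
def fetch(host): return HTTP_BODY.get(host, "")

def service_for(target):
    """Provider suffix a CNAME target belongs to, or None."""
    host = target.rstrip(".")
    return next((s for s in SERVICE_FINGERPRINTS if host == s or host.endswith("." + s)), None)

def classify(subdomain, resolve=resolve, fetch=fetch, max_hops=8):
    """Follow the CNAME chain; return (verdict, chain). dangling-nxdomain: target gone
    from DNS. dangling-unclaimed: target resolves but serves the provider's unclaimed page."""
    name, chain = subdomain.rstrip(".") + ".", []
    for _ in range(max_hops):
        rr = resolve(name)
        if rr is None:
            return ("dangling-nxdomain" if chain else "nxdomain", chain)
        rtype, rdata = rr
        if rtype != "CNAME":
            break
        chain.append(rdata)
        name = rdata
    else:
        return ("cname-loop", chain)
    if not chain: return ("no-cname", chain)
    fingerprint = SERVICE_FINGERPRINTS.get(service_for(chain[-1]))
    if fingerprint and fingerprint in fetch(subdomain.rstrip(".")):
        return ("dangling-unclaimed", chain)
    return ("active", chain)
```

Both dangling verdicts are the records to remove or re-point; in production, swap `resolve` and `fetch` for real DNS and HTTP calls against your own zone export.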
Commonly Vulnerable Services
- AWS S3: Bucket deleted but CNAME remains
- Heroku: App deleted, subdomain claimable
- GitHub Pages: Repo deleted or CNAME unconfigured
- Azure: CloudApp, Blob Storage, Web Apps
- Shopify: Store removed but DNS points to Shopify
- Fastly/CloudFront: Distribution deleted
- Zendesk/Freshdesk: Support portal deprovisioned
How to Prevent Subdomain Takeover
Figure 3: Illustration of the Subdomain Takeover attack process
1. Remove Unused DNS Entries
Always remove DNS records for subdomains that are no longer used. Leaving old or unused entries can create opportunities for attackers to take control.
2. Monitor Subdomains
Regularly check and keep track of all subdomains associated with your domain. This helps quickly identify inactive or misconfigured subdomains.
3. Validate External Services
If a subdomain is connected to a third-party service, make sure the service is still active. When the service is removed, the related DNS record should also be deleted.
4. Use Automated Scanning
Use security tools to automatically scan subdomains and detect possible takeover issues. Regular scanning helps find problems early before attackers exploit them.
Impact
If exploited, this vulnerability could allow attackers to:
- Host phishing pages under a trusted domain
- Distribute malicious files
- Damage the organization’s reputation
- Mislead users by impersonating legitimate services
Conclusion
Subdomain takeover is a common but often overlooked security issue caused by misconfigured or unused DNS records. If not properly managed, attackers may gain control of a subdomain and use it for phishing, malware distribution, or other malicious activities.
Regularly monitoring subdomains, removing unused DNS entries, and verifying external services can significantly reduce the risk. Proper security practices and periodic testing help organizations prevent subdomain takeover and protect their domain reputation.
References
HackerOne: A Guide To Subdomain Takeovers 2.0 https://www.hackerone.com/blog/guide-subdomain-takeovers-20
Subdomain Takeover in Azure https://godiego.co/posts/STO-Azure/
Arne Swinnen: Authentication Bypass on Uber’s SSO https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/
Can I Takeover XYZ — List of vulnerable services https://github.com/EdOverflow/can-i-take-over-xyz
OWASP: Subdomain Takeover https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover