Analyzing and Preventing Sub-domain Takeovers: Real Risks? Causes?

0x00 - Intro and Cause

Sub-domain takeovers form a common class of vulnerability, in which an unused sub-domain pointing to a retired service is left as it is by developers. Often developers use SaaS and PaaS services that allow them to reach that service through their own subdomain. But, when they discontinue this service and don't remove DNS records, this can become a major issue, if not handled properly by the service provider (to whom the DNS records are pointing to).

0x01 - What are ...? How they affect you?

Subdomain takeover vulnerabilities occur when a subdomain ( is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing, and claim

Spotting them is easy!

spot them! 404 pages can give you a hint

404 errors on such sub-domain can be a hint tha the no longer existing service might actually be an existing threat to your organisation if taken over.

Not only can this happen with your company's GitHub hosted pages but also with Amazon S3 buckets which are no longer in use but a subdomain is still pointing at it.

Attackers can thus leverage these stale DNS records, by signing up on these platforms/service and setup their own pages there.

Which leads to

  • Phishing.
  • Direct Account Takeovers in certain cases
  • Damage of Business Reputation.
  • Hijacking old CDNs that still serve CSS, JS to a main application.

0x02 - Adding More Impact as an Attacker

Apart from regular phishing attacks, there can be certain scenarios in which cookies scoped to all sub-domain or, that specific sub-domain which is vulnerable to a takeover can be smuggled by an attacker via XSS and other client-side attack vectors.

Impact - Let's look at a real world case!

0x03 - More Resources

The awesome Ed created a GitHub repository that tracks down services which can be vulnerable to such takeovers. This can be beneficial both for offensive testing and defensive developers who care about such things,

Check out can-i-takeover-xyz here to learn more about subdomain takeovers and which services maybe vulnerable to this.

Found typos/something that I missed? HMU and let's make this write up more complete!

Comments (2)

Bridget Sarah's photo

Great article! Def looking forward to seeing more of these, had no idea that this was even possible!

Arif Khan's photo

Vulnerability Researcher & Bug Hunter

Thanks for the compliment!