Subdomain Takeover: The Hidden DNS Threat

Subdomain Takeover: How Forgotten DNS Records Become a Threat

Understanding and preventing one of the most overlooked web vulnerabilities

⚠️ Legal Notice: Only test domains you own or have permission to test. Unauthorized subdomain takeover attempts are illegal.

What is Subdomain Takeover?

Subdomain takeover occurs when an attacker gains control over a subdomain of a target domain by exploiting dangling DNS records. This happens when:

  • A subdomain points to a third-party service (e.g., AWS S3, GitHub Pages)
  • The service is discontinued or deleted
  • The DNS record isn’t removed
  • An attacker claims the service endpoint

A typical sequence of events:

  1. Company sets up blog.example.com and points it to the AWS S3 bucket blog.example.com.s3-website-us-east-1.amazonaws.com
  2. The S3 bucket is deleted, but the DNS record for blog.example.com remains
  3. An attacker discovers the dangling record and creates an AWS S3 bucket with the same name
  4. Complete takeover: blog.example.com now serves the attacker’s content

Why Subdomain Takeovers Are Dangerous

1. Phishing Attacks

Attackers can host phishing pages on legitimate subdomains:

https://login.example.com/  ← Looks legitimate to users

2. Cookie Stealing

Subdomains often share cookies with the root domain:

Set-Cookie: session=abc123; Domain=.example.com; Secure; HttpOnly
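
The header above is exactly what makes a taken-over subdomain dangerous for sessions: a Domain attribute widens the cookie to every subdomain, whereas omitting it keeps the cookie host-only. The following script is an added example (not code from the original post) that applies the domain-matching rules of RFC 6265 section 5.1.3 to show which hosts would receive a cookie; the host list and headers are constructed, and the check that browsers reject a Domain value not covering the setting host is deliberately not modelled.

```python
"""Cookie scope check: which hosts would a browser send a cookie to?
Added example, standard library only. Follows RFC 6265 domain matching;
hosts and headers below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-case, no leading dot
    host_only: bool   # True when no Domain attribute was given
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse a Set-Cookie header as received from origin_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only = origin_host.lower(), True
    secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # A Domain attribute widens the cookie to every subdomain of that
            # domain; the leading dot is ignored (RFC 6265 section 5.2.3).
            # Browsers also reject a Domain that does not cover origin_host;
            # that rejection is not modelled here.
            domain, host_only = val.lower().lstrip("."), False
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name.strip(), value.strip(), domain, host_only, secure, http_only)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: equal, or the host is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def exposure(header: str, origin_host: str, hosts: list[str]) -> list[str]:
    """Hosts that would receive the cookie: the blast radius if any of them
    is taken over."""
    cookie = parse_set_cookie(header, origin_host)
    return [h for h in hosts if sent_to(cookie, h)]


if __name__ == "__main__":
    # Constructed fleet; imagine blog.example.com has been taken over.
    fleet = ["www.example.com", "blog.example.com", "api.example.com", "example.org"]
    wide = "session=abc123; Domain=.example.com; Secure; HttpOnly"  # header from the post
    narrow = "session=abc123; Secure; HttpOnly"                      # host-only variant
    print("Domain=.example.com ->", exposure(wide, "www.example.com", fleet))
    print("host-only           ->", exposure(narrow, "www.example.com", fleet))
```

Run it and the Domain-scoped header reaches every example.com host in the list, including the one imagined to be taken over, while the host-only variant reaches only www.example.com. Scoping session cookies host-only (or using the __Host- prefix, which forbids a Domain attribute) is the cheapest way to keep a takeover of one subdomain from becoming a session theft.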

3. Service Hijacking

APIs and webhooks configured to use subdomains can be compromised:

POST https://api.example.com/webhook
Content-Type: application/json

{"malicious": "payload"}

Common Vulnerable Services

Service        Indicator                                   Risk Level
AWS S3         NoSuchBucket error                          High
GitHub Pages   There isn’t a GitHub Pages site here        High
Heroku         No such app                                 High
Shopify        Sorry, this shop is currently unavailable   Medium
Azure          404 The specified blob does not exist       High

How to Find Vulnerable Subdomains

1. Subdomain Enumeration

Discover all subdomains associated with a domain:

# Using subfinder
subfinder -d example.com -o subdomains.txt

# Using amass
amass enum -d example.com -o subdomains.txt

2. Check DNS Records

Identify CNAME records pointing to third-party services:

dig CNAME blog.example.com

;; ANSWER SECTION:
blog.example.com. 300 IN CNAME example.s3-website-us-east-1.amazonaws.com.

3. Verify Service Availability

Check if the service endpoint is unclaimed:

curl -v http://blog.example.com
< HTTP/1.1 404 Not Found
< x-amz-error-code: NoSuchBucket

Testing for Subdomain Takeover

Important: Only test subdomains you own or have explicit permission to test.

1. Manual Testing Steps

  1. Find subdomain with CNAME to third-party service
  2. Visit the subdomain and note error messages
  3. Research if the service allows claiming those endpoints
  4. Attempt to claim the service (if authorized)

2. Automated Tools

# Using subjack
subjack -w subdomains.txt -t 100 -o results.json

# Using nuclei
nuclei -t takeovers/ -l subdomains.txt -o results.txt
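
The three manual steps above (enumerate, inspect the CNAME, probe the endpoint) and the fingerprint table are what tools like subjack and nuclei automate. The following script is an added example, not code from the original post or from either tool: it classifies each subdomain from its CNAME target, whether that target still resolves, and whether the HTTP body carries the provider's "unclaimed" fingerprint. The provider hostname patterns, the sample records and the sample responses are constructed assumptions; the resolver and fetcher are injected so the logic runs offline here and can be wired to a real DNS library and HTTP client for an internal audit.

```python
"""Dangling-CNAME classifier (added example, standard library only).
Provider patterns and sample data are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# (provider, pattern the CNAME target must match, body fingerprint, risk).
# Fingerprints follow the table in the post; hostname patterns are assumptions.
FINGERPRINTS = [
    ("AWS S3", r"\.amazonaws\.com$", "NoSuchBucket", "High"),
    ("GitHub Pages", r"\.github\.io$", "There isn't a GitHub Pages site here", "High"),
    ("Heroku", r"\.herokuapp\.com$", "No such app", "High"),
    ("Shopify", r"\.myshopify\.com$", "Sorry, this shop is currently unavailable", "Medium"),
    ("Azure Blob", r"\.blob\.core\.windows\.net$", "The specified blob does not exist", "High"),
]


@dataclass
class Finding:
    subdomain: str
    cname: Optional[str]
    provider: Optional[str]
    status: str    # "ok" | "review" | "dangling"
    reason: str
    risk: str


def identify_provider(cname: str):
    """Return (provider, fingerprint, risk) for a known third-party target."""
    for provider, pattern, fingerprint, risk in FINGERPRINTS:
        if re.search(pattern, cname.rstrip(".").lower()):
            return provider, fingerprint, risk
    return None


def classify(subdomain: str, cname: Optional[str], target_resolves: bool, body: str) -> Finding:
    """Decide whether one subdomain's CNAME is dangling.
    target_resolves: whether the CNAME target itself still has an address.
    body: HTTP response body served for the subdomain ("" if none)."""
    if cname is None:
        return Finding(subdomain, None, None, "ok", "no CNAME record", "n/a")
    match = identify_provider(cname)
    if match is None:
        # Unknown third party: not proven dangling, but someone must confirm ownership.
        return Finding(subdomain, cname, None, "review", "CNAME to unrecognised external host", "Unknown")
    provider, fingerprint, risk = match
    if not target_resolves:
        # Some providers remove the DNS name itself when the resource is deleted.
        return Finding(subdomain, cname, provider, "dangling", "CNAME target no longer resolves", risk)
    if fingerprint.lower() in body.lower():
        # Others (S3 website endpoints, for instance) keep resolving through a
        # wildcard and only reveal the missing resource in the HTTP error body.
        return Finding(subdomain, cname, provider, "dangling",
                       f"{provider} unclaimed-resource fingerprint in response", risk)
    return Finding(subdomain, cname, provider, "ok", "target resolves and serves content", risk)


def audit(subdomains, lookup_cname: Callable[[str], Optional[str]],
          resolves: Callable[[str], bool], fetch: Callable[[str], str]):
    """Run classify() over many names; return only records needing attention."""
    findings = []
    for name in subdomains:
        cname = lookup_cname(name)
        target_ok = resolves(cname) if cname else True
        body = fetch(name) if cname else ""
        finding = classify(name, cname, target_ok, body)
        if finding.status != "ok":
            findings.append(finding)
    return findings


# --- constructed offline sample, standing in for dig and curl output ---
SAMPLE_CNAMES = {
    "blog.example.com": "blog.example.com.s3-website-us-east-1.amazonaws.com.",
    "docs.example.com": "example.github.io.",
    "shop.example.com": "example.myshopify.com.",
    "cdn.example.com": "cdn.thirdparty-cdn.invalid.",   # .invalid: clearly made up
}
SAMPLE_RESOLVES = {
    "blog.example.com.s3-website-us-east-1.amazonaws.com.": True,  # wildcard still answers
    "example.github.io.": True,
    "example.myshopify.com.": True,
    "cdn.thirdparty-cdn.invalid.": False,
}
SAMPLE_BODIES = {
    "blog.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "shop.example.com": "<html><title>Example Shop</title></html>",
    "cdn.example.com": "",
}


def sample_audit():
    """Audit the constructed sample; real use swaps in DNS and HTTP callables."""
    return audit(SAMPLE_CNAMES, SAMPLE_CNAMES.get,
                 lambda target: SAMPLE_RESOLVES.get(target, False),
                 lambda name: SAMPLE_BODIES.get(name, ""))


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f.status:8} {f.subdomain:20} {f.provider or '-':12} {f.risk:7} {f.reason}")
```

On the sample, blog.example.com is flagged dangling by fingerprint even though its S3 target resolves, docs.example.com by the GitHub Pages fingerprint, and cdn.example.com is marked for review because the target is not a recognised provider; shop.example.com is healthy and is not reported. The "review" status matters for defenders: an automated scanner that only reports matches will silently skip CNAMEs to providers it has no fingerprint for.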

Popular Services and Their Vulnerabilities

AWS S3 Buckets

If you see a NoSuchBucket error, the bucket may be available for takeover:

# Check bucket availability
aws s3 ls s3://blog.example.com

# If available, create bucket with same name
aws s3 mb s3://blog.example.com

GitHub Pages

GitHub Pages shows a specific error when no repository is configured for the domain:

# Check if GitHub Pages is available
curl -v http://docs.example.com

# If vulnerable, create repo with GitHub Pages enabled
# Repository name must match: docs.example.com

Prevention and Mitigation

1. DNS Record Management

  • Regularly audit DNS records
  • Remove unused CNAME records immediately
  • Use TXT records to document subdomain purposes

2. Monitoring

  • Set up alerts for DNS changes
  • Monitor SSL certificates for unexpected issuers
  • Use services like HackerOne's Domain Monitor

3. Service Configuration

  • Reserve all possible subdomains with providers
  • Use wildcard certificates carefully
  • Implement DMARC, DKIM, and SPF to prevent email spoofing

Pro Tip: For critical subdomains, use A records instead of CNAMEs when possible to prevent takeover risks.
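
The DNS-hygiene advice above (audit records, remove unused CNAMEs, document subdomain purposes with TXT records) can be enforced statically against a zone export without touching the network. The script below is an added example, not code from the original post: it parses a small BIND-style zone (one "name TTL IN TYPE rdata" record per line, an assumption about the export format), lists every CNAME that points outside the zone, and checks whether each one is documented. The documenting TXT record is placed at _owner.<name>, a constructed convention, because DNS does not allow any other record at a name that already holds a CNAME, so the note cannot sit on the CNAME itself. The sample zone is constructed.

```python
"""Static zone-hygiene audit (added example, standard library only).
Record format, _owner.<name> TXT convention and sample zone are assumptions."""
from dataclasses import dataclass


@dataclass
class Record:
    name: str    # fully qualified, lower-case, no trailing dot
    ttl: int
    rtype: str
    rdata: str


def qualify(name: str, origin: str) -> str:
    """Turn '@', relative or absolute owner names into a fully qualified name."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str):
    """Parse 'name TTL IN TYPE rdata' lines. ';' comments and $-directives are
    skipped; a ';' inside quoted TXT data is not handled (kept simple)."""
    origin = origin.lower().rstrip(".")
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        rdata = rdata.strip()
        if rtype.upper() == "CNAME":
            rdata = qualify(rdata, origin)   # relative targets are inside the zone
        records.append(Record(qualify(name, origin), int(ttl), rtype.upper(), rdata))
    return records


@dataclass
class CnameFinding:
    name: str
    target: str
    documented: bool   # an _owner.<name> TXT record exists
    advice: str


def audit_zone(records, origin: str):
    """Report every CNAME leaving the zone, with whether it is documented."""
    origin = origin.lower().rstrip(".")
    owners = {r.name for r in records if r.rtype == "TXT" and r.name.startswith("_owner.")}
    findings = []
    for r in records:
        if r.rtype != "CNAME":
            continue
        if r.rdata == origin or r.rdata.endswith("." + origin):
            continue   # internal alias: nothing for an outside party to claim
        documented = f"_owner.{r.name}" in owners
        advice = ("documented; re-verify the external resource still exists" if documented
                  else "undocumented external CNAME: confirm an owner or delete the record")
        findings.append(CnameFinding(r.name, r.rdata, documented, advice))
    return findings


# Constructed zone: one documented and one undocumented external CNAME.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@            3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
www          300  IN A     203.0.113.10
blog         300  IN CNAME blog.example.com.s3-website-us-east-1.amazonaws.com.  ; launched 2019
docs         300  IN CNAME example.github.io.
_owner.docs  300  IN TXT   "team=docs contact=docs-team@example.com"
static       300  IN CNAME www
"""


def sample_findings():
    return audit_zone(parse_zone(SAMPLE_ZONE, "example.com"), "example.com")


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.name:20} -> {f.target:55} {f.advice}")
```

Run against the sample, blog.example.com is reported as an undocumented external CNAME (the case the post describes), docs.example.com as documented, and the internal static -> www alias is not reported at all. Running this on every zone export, and diffing the result between exports, is a cheap way to implement the "regularly audit DNS records" and "set up alerts for DNS changes" items without a third-party service.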

Real-World Examples

Case 1: Microsoft Azure Takeover

Researchers found hundreds of vulnerable *.azurewebsites.net subdomains belonging to major corporations.

Case 2: Shopify Takeover

An attacker took over a Shopify subdomain and used it to steal customer credentials.

Case 3: AWS S3 Bucket Compromise

A financial institution's abandoned S3 bucket was claimed by attackers to host malware.

Conclusion

Subdomain takeover remains a significant threat because:

  • It's often overlooked in security assessments
  • The impact can be severe (phishing, data theft)
  • Prevention requires ongoing DNS hygiene

Remember: Regular subdomain audits should be part of your organization's security program.
