Subdomain Takeover
OWASP: WSTG-CONF-10
Last updated
Was this helpful?
OWASP: WSTG-CONF-10
Last updated
Was this helpful?
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the victim’s external DNS server subdomain record is configured to point to a non-existing or non-active resource/external service/endpoint.
If the subdomain takeover is successful, a wide variety of attacks are possible (serving malicious content, phishing, stealing user session cookies, credentials, etc.). This vulnerability could be exploited for a wide variety of DNS resource records including: A
, CNAME
, MX
, NS
, TXT
etc. In terms of the attack severity, an NS
subdomain takeover (although less likely) has the highest impact, because a successful attack could result in full control over the whole DNS zone and the victim’s domain.
Before attempting a domain or subdomain takeover, it's crucial to enumerate all subdomains associated with the target domain. Refer to the below section for comprehensive techniques and tools.
After enumerating subdomains, we can use these tools to perform a Subdomain Takeover scan and detect any subdomains that might be vulnerable.
(Golang) is a subdomain takeover vulnerability checker which works based on matching response fingerprints from .
We can use this tools and scan for each subdomain discovered.
First, check DNS records for identifying what’s on the destination of the subdomain.
If the HEADER status is NXDOMAIN error in the result, subdomain takeover might be possible. Also we can try to access them with web browser or command-line:
If a certain subdomain can be accessible but the error page of the specific provider (e.g. GitHub, Google Cloud, Wix, etc.) appeared, it means that the subdomain of the settings in the service provider was removed but the DNS record (e.g. A, CNAME) remains yet.
In short, attackers can spoof as a legitimate site by claiming this subdomain in the provider.
Here’s an abstract example:
Login the target provider.
Create a malicious website.
Add the target subdomain (e.g. app.example.com) as custom domain in the setting page.
If users visit app.example.com, they have now visited a malicious website created by an attacker.
(python) is a subdomain takeover vulnerability checker.
(python) is a subdomain takeover vulnerability scanner, which has more than 88+ fingerprints of potentially vulnerable services.
(Golang) can be used to detect potential subdomain takeovers by checking a list of subdomains.
focuses DNS MX records and detects misconfigured MX records. It currently support three technique. These are,
You can find an example of this vulnerability in the CTF write-up: