Subdomain Takeover

Find dangling DNS records pointing at unclaimed cloud resources you can hijack.

A subdomain takeover happens when a DNS record (usually a CNAME) points at a third-party resource, such as an S3 bucket, a GitHub Pages site, a Heroku app, an Azure host or a SaaS tenant, that has since been deleted or was never claimed in the first place. Whoever registers that resource at the provider controls the content served under the client’s subdomain, and with it anything that trusts that subdomain. It is high impact and often overlooked, and your discovery phase already handed you the full subdomain list to check.

How to spot one

The signature is a CNAME pointing to an external service that answers with a service-specific “not found / no such bucket / unclaimed” error. For example, assets.example.com CNAME’d to a non-existent S3 bucket returns NoSuchBucket. The other common shape is a CNAME whose target name no longer resolves at all (NXDOMAIN), typically because the target domain expired. Not every dangling record is exploitable: some providers now require proof of domain ownership before a name can be attached to a resource, so a fingerprint match is a lead, not a finding, until it is checked against the catalog referenced under Manual confirmation.

Arsenic originally caught these via aquatone’s takeover tags. The dedicated tools are more reliable now.

subzy (what I use)

subzy checks a list of subdomains against a fingerprint database of vulnerable services:

subzy run --targets recon/domains/example.com/subdomains.txt \
          --hide_fails --verify_ssl

nuclei takeover templates

nuclei ships a maintained set of takeover detection templates — convenient if it’s already in your pipeline:

nuclei -l recon/live-urls.txt -t http/takeovers/ -o recon/takeovers.txt

Manual confirmation

Always confirm before reporting — and do not actually claim the resource unless your rules of engagement explicitly authorize proving the takeover:

# 1. Confirm the dangling CNAME
dig +short CNAME assets.example.com        # -> some-bucket.s3.amazonaws.com

# 2. Confirm the target service returns an unclaimed/error fingerprint.
#    Use plain HTTP (the provider's certificate will not cover the client's
#    subdomain) and -i rather than -I: the fingerprint is in the body, not
#    just the status line.
curl -si http://assets.example.com/        # -> 404 with NoSuchBucket in the body

Cross-reference the fingerprint against can-i-take-over-xyz, which catalogs which services are takeover-vulnerable and how to verify each safely.
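The two manual checks above, run across a whole subdomain list, as an added example that is not part of this page or of Arsenic. It assumes dig and curl are on the path and that the input file has one host per line. The CNAME suffixes and fingerprint strings in match_fingerprint are a constructed subset written from memory of the can-i-take-over-xyz entries for S3, GitHub Pages and Heroku; verify them against the catalog before relying on them, and add entries the same way for other services.

```bash
#!/usr/bin/env bash
# Added example, not Arsenic's own code: resolve each subdomain's CNAME, fetch
# the body, and match both against a small fingerprint table. The suffixes and
# strings below are a constructed subset of what can-i-take-over-xyz lists;
# check that catalog before trusting any of them for a new service.
set -u

# Print the service name and return 0 when the CNAME target and response body
# match a known unclaimed-resource fingerprint; return 1 otherwise.
match_fingerprint() {
  local target="$1" body="$2"
  case "$target" in
    *.s3.amazonaws.com|*.s3-website*.amazonaws.com|*.s3.*.amazonaws.com)
      case "$body" in *NoSuchBucket*) echo "aws-s3"; return 0 ;; esac ;;
    *.github.io)
      case "$body" in *"There isn't a GitHub Pages site here"*) echo "github-pages"; return 0 ;; esac ;;
    *.herokuapp.com)
      case "$body" in *"No such app"*) echo "heroku"; return 0 ;; esac ;;
  esac
  return 1
}

# Last CNAME hop for a host, without the trailing dot; empty when there is none.
resolve_cname() {
  dig +short CNAME "$1" 2>/dev/null | sed 's/\.$//' | tail -n 1
}

# True when the CNAME target itself does not resolve (NXDOMAIN): the other
# common takeover shape, where the target domain expired or was deregistered.
target_is_nxdomain() {
  dig +noall +comments "$1" 2>/dev/null | grep -q 'status: NXDOMAIN'
}

# Body over plain HTTP. HTTPS usually fails the certificate check here because
# the provider's cert does not cover the client's subdomain; -m caps the wait.
fetch_body() {
  curl -s -m 10 "http://$1/" 2>/dev/null || true
}

# Walk a file of subdomains (one per line) and print candidates as
# "host -> target [service]"; hosts with no match print nothing.
check_list() {
  local host target body svc
  while IFS= read -r host; do
    [ -z "$host" ] && continue
    target=$(resolve_cname "$host")
    [ -z "$target" ] && continue
    if target_is_nxdomain "$target"; then
      printf '%s -> %s [nxdomain-target]\n' "$host" "$target"
      continue
    fi
    body=$(fetch_body "$host")
    if svc=$(match_fingerprint "$target" "$body"); then
      printf '%s -> %s [%s]\n' "$host" "$target" "$svc"
    fi
  done < "$1"
}

# Usage: ./takeover-check.sh recon/domains/example.com/subdomains.txt
if [ "$#" -gt 0 ]; then
  check_list "$1"
fi
```

Every line this prints is still only a candidate: confirm it by hand as above, and treat an nxdomain-target hit as reportable only once you have checked whether the expired target domain is actually registrable.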

Reporting

A confirmed dangling record is reportable on its own — you don’t need to seize the resource to prove impact. Document the vulnerable subdomain, the dangling CNAME target, the service fingerprint, and the standard remediation (remove the stale DNS record, or reclaim/repoint the resource). Capture evidence per Evidence & Reporting.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)