Subdomain Takeover
A subdomain takeover happens when a DNS record (usually a CNAME) points at a third-party service — S3, GitHub Pages, Heroku, Azure, a SaaS app — that’s since been deleted or never claimed. Anyone who registers that resource controls content served on the client’s subdomain. It’s high-impact and often overlooked, and your discovery phase already handed you the full subdomain list to check.
How to spot one
The signature is a CNAME pointing to an external service that returns a service-specific “not found / no such bucket / unclaimed” error. For example, assets.example.com CNAME’d to a non-existent S3 bucket returns NoSuchBucket.
Arsenic originally caught these via aquatone’s takeover tags. The dedicated tools are more reliable now.
subzy (what I use)
subzy checks a list of subdomains against a fingerprint database of vulnerable services:
subzy run --targets recon/domains/example.com/subdomains.txt \
--hide_fails --verify_ssl
nuclei takeover templates
nuclei ships a maintained set of takeover detection templates — convenient if it’s already in your pipeline:
nuclei -l recon/live-urls.txt -t http/takeovers/ -o recon/takeovers.txt
Manual confirmation
Always confirm before reporting — and do not actually claim the resource unless your rules of engagement explicitly authorize proving the takeover:
# 1. Confirm the dangling CNAME
dig +short CNAME assets.example.com # -> some-bucket.s3.amazonaws.com
# 2. Confirm the target service returns an unclaimed/error fingerprint
# (plain HTTP and a full GET: the fingerprint is in the response body, which a HEAD
# request (-I) drops, and a dangling target serves the provider's own certificate,
# so an HTTPS handshake to the custom hostname fails)
curl -si http://assets.example.com # -> 404 with NoSuchBucket in the body
Cross-reference the fingerprint against can-i-take-over-xyz, which catalogs which services are takeover-vulnerable and how to verify each safely.
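The two checks above (dangling CNAME, then service fingerprint) as a small triage script over a subdomain list. This is an added example, not the page's own tooling or subzy's code. The fingerprint table is a constructed two-entry excerpt (S3 and GitHub Pages) to be extended from can-i-take-over-xyz; the sample zone, CNAME answers and response bodies are constructed so the demo runs offline, and the dig/urllib adapters at the bottom are hypothetical helpers for field use. It also flags a CNAME whose target no longer resolves at all (NXDOMAIN) as a stale record, since that is reportable even when no fingerprint matches.

```python
"""Dangling-CNAME triage (added example). Resolution and fetching are
injected callables, so the checker runs offline against constructed data
here and can be wired to real dig/HTTP helpers in the field."""
import socket
import subprocess
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed excerpt of a fingerprint table: CNAME target suffix -> strings
# the service serves when the resource is unclaimed. Extend from can-i-take-over-xyz.
FINGERPRINTS: Dict[str, List[str]] = {
    "s3.amazonaws.com": ["NoSuchBucket"],
    "github.io": ["There isn't a GitHub Pages site here."],
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    reason: str   # "cname-nxdomain" or "service-fingerprint"
    detail: str


def matches_service(cname: str) -> Optional[str]:
    """Fingerprint key whose suffix matches the CNAME target, else None.
    Match on label boundaries so 'evil-github.io' does not match 'github.io'."""
    host = cname.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def check_subdomain(subdomain: str,
                    resolve_cname: Callable[[str], Optional[str]],
                    resolves: Callable[[str], bool],
                    fetch_body: Callable[[str], Optional[str]]) -> Optional[Finding]:
    """1. Is it a CNAME?  2. Does the target still exist?
    3. Does the service answer with an 'unclaimed' fingerprint?"""
    cname = resolve_cname(subdomain)
    if cname is None:
        return None                          # A/AAAA or no record: out of scope here
    if not resolves(cname):
        # Target name is gone entirely: a stale record, reportable on its own
        return Finding(subdomain, cname, "cname-nxdomain", f"{cname} does not resolve")
    service = matches_service(cname)
    if service is None:
        return None                          # unfingerprinted target: review by hand
    body = fetch_body(subdomain) or ""
    for needle in FINGERPRINTS[service]:
        if needle in body:
            return Finding(subdomain, cname, "service-fingerprint", needle)
    return None                              # resource is claimed; nothing to report


def find_dangling(subdomains, resolve_cname, resolves, fetch_body) -> List[Finding]:
    results = [check_subdomain(s, resolve_cname, resolves, fetch_body) for s in subdomains]
    return [f for f in results if f is not None]


# --- Constructed sample zone and responses for the offline demo ---
SAMPLE_SUBDOMAINS = ["assets.example.com", "docs.example.com", "blog.example.com",
                     "old.example.com", "www.example.com"]
SAMPLE_CNAME = {
    "assets.example.com": "some-bucket.s3.amazonaws.com.",   # bucket deleted
    "docs.example.com": "example-org.github.io.",            # Pages site never claimed
    "blog.example.com": "claimed-site.github.io.",           # healthy, claimed
    "old.example.com": "legacy-app.cloudapp.net.",           # target NXDOMAIN
    "www.example.com": None,                                 # A record, not CNAME
}
SAMPLE_RESOLVES = {"legacy-app.cloudapp.net.": False}        # everything else resolves
SAMPLE_BODY = {
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<title>Site not found</title> There isn't a GitHub Pages site here.",
    "blog.example.com": "<html>Welcome to the claimed site</html>",
}


def demo() -> List[Finding]:
    """Run the checker over the constructed sample data."""
    return find_dangling(SAMPLE_SUBDOMAINS, SAMPLE_CNAME.get,
                         lambda n: SAMPLE_RESOLVES.get(n, True), SAMPLE_BODY.get)


# --- Hypothetical live adapters (not exercised by the offline demo) ---
def dig_cname(name: str) -> Optional[str]:
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True).stdout.strip()
    return out.splitlines()[0] if out else None


def dns_resolves(name: str) -> bool:
    try:
        socket.gethostbyname(name.rstrip("."))
        return True
    except socket.gaierror:
        return False


def http_body(name: str) -> Optional[str]:
    # Plain HTTP on purpose: a dangling target serves the provider's own
    # certificate, so an HTTPS handshake to the custom hostname fails.
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=10) as r:
            return r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:      # 404 bodies carry the fingerprint
        return e.read(65536).decode("utf-8", "replace")
    except Exception:
        return None


if __name__ == "__main__":
    for f in demo():
        print(f"{f.subdomain} -> {f.cname} [{f.reason}] {f.detail}")
```

In the field, replace the three sample callables with dig_cname, dns_resolves and http_body (or whatever your resolver stack provides) and feed it recon/domains/example.com/subdomains.txt; the output is the same triple the reporting section asks for (subdomain, dangling target, fingerprint), with no resource claimed.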
Reporting
A confirmed dangling record is reportable on its own — you don’t need to seize the resource to prove impact. Document the vulnerable subdomain, the dangling CNAME target, the service fingerprint, and the standard remediation (remove the stale DNS record, or reclaim/repoint the resource). Capture evidence per Evidence & Reporting.