
# Subdomain Takeover

[Illustration: Subdomain Takeover]

A vulnerability where attackers claim abandoned subdomains pointing to external services, allowing them to serve malicious content on your legitimate domain for phishing or malware distribution.

Tags: High Severity | Reputation Damage | DNS Misconfiguration


# What is Subdomain Takeover?

In Simple Terms:

Imagine you rent an apartment and put your name on the mailbox. Later, you move out but forget to remove your name. Someone else rents the same apartment and now receives mail addressed to you!

Subdomain Takeover works the same way:

  1. You create a subdomain, blog.company.com, that points to Heroku
  2. You delete the Heroku app but forget to remove the DNS record
  3. An attacker creates a Heroku app with the same name
  4. blog.company.com now serves the attacker's content!

# How It Works

# Attack Process

  1. DNS record: `blog.company.com CNAME myapp.herokuapp.com`. The company creates a Heroku app at myapp.herokuapp.com.
  2. The company deletes the Heroku app, but the DNS record still points to myapp.herokuapp.com. Problem: DNS not updated!
  3. An attacker creates a new Heroku app named myapp.herokuapp.com, and blog.company.com now serves the attacker's content:
     - Fake login pages on blog.company.com
     - Malware downloads
     - Phishing campaigns

Users trust it because it's on the company.com domain!

# Real-World Examples

# Case Study 1: Uber Subdomain Takeover (2016)

Vulnerability:

  • Subdomain: central.uber.com pointed to GitHub Pages
  • Uber deleted the GitHub repo
  • The DNS record was not removed

Attack:

  • A security researcher claimed the GitHub Pages site
  • Proved control by serving content on central.uber.com
  • Could have been used for phishing

Impact:

  • Responsible disclosure
  • $10,000 bug bounty
  • Highlighted a widespread issue

# Case Study 2: Starbucks Wi-Fi Portal Takeover (2014)

Takeover: Multiple Starbucks subdomains were vulnerable

Affected:

  • wifilogin.starbucks.com
  • partner.starbucks.com

Risk:

  • Phishing for customer credentials
  • Malware distribution
  • Brand reputation damage

# Detection

# Automated Tools

```bash
# SubFinder - subdomain enumeration
subfinder -d example.com -o subdomains.txt

# subjack - takeover detection
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt

# can-i-take-over-xyz - service fingerprinting reference
# https://github.com/EdOverflow/can-i-take-over-xyz
```

# Manual Testing

```bash
# Check for a dangling CNAME: which external host does the subdomain point to?
dig +noall +answer blog.example.com CNAME
```

Then fetch the subdomain and look for the provider's "unclaimed" error messages:

- "No such app" (Heroku)
- "Repository not found" (GitHub Pages)
- "Project not found" (GitLab Pages)
- "NoSuchBucket" (AWS S3)

# Prevention

# 1. Remove DNS Records When Deleting Services

```bash
# ALWAYS remove DNS when deleting an external service

# 1. Delete the external service (Heroku, GitHub Pages, etc.)
heroku apps:destroy myapp

# 2. IMMEDIATELY remove the DNS record
# Via your DNS provider, or with Route53 (Z123 is a placeholder hosted zone id;
# a DELETE must match the existing record's name, type, TTL and value exactly):
aws route53 change-resource-record-sets --hosted-zone-id Z123 \
  --change-batch '{
    "Changes": [{
      "Action": "DELETE",
      "ResourceRecordSet": {
        "Name": "blog.example.com",
        "Type": "CNAME",
        "TTL": 300,
        "ResourceRecords": [{"Value": "myapp.herokuapp.com"}]
      }
    }]
  }'
```

# 2. Use Monitoring Tools

```python
import logging

import dns.exception
import dns.resolver  # pip install dnspython
import requests

logging.basicConfig(level=logging.INFO)

SUBDOMAINS = [
    'blog.company.com',
    'api.company.com',
    'cdn.company.com'
]

# Provider error pages that mean the CNAME target is unclaimed
VULNERABLE_RESPONSES = [
    'No such app',
    'Repository not found',
    'NoSuchBucket',
    'Project not found'
]


def alert(message):
    # Hook this into your paging or ticketing system
    logging.warning(message)


def fetch(subdomain):
    # An unclaimed target usually presents a certificate for the provider's own
    # name, so a TLS failure is expected; fall back to plain HTTP to read the page
    try:
        return requests.get(f'https://{subdomain}', timeout=5)
    except requests.exceptions.SSLError:
        return requests.get(f'http://{subdomain}', timeout=5)


def check_subdomain_takeover():
    for subdomain in SUBDOMAINS:
        try:
            # Check DNS: does the subdomain point at an external host?
            answers = dns.resolver.resolve(subdomain, 'CNAME')
            cname = str(answers[0].target).rstrip('.')
        except dns.resolver.NoAnswer:
            continue  # no CNAME, so not the dangling-CNAME pattern
        except dns.exception.DNSException as e:
            logging.error(f'DNS error checking {subdomain}: {e}')
            continue

        try:
            response = fetch(subdomain)
        except requests.RequestException as e:
            logging.error(f'HTTP error checking {subdomain}: {e}')
            continue

        # Check for provider error pages that mean the target is unclaimed
        for vuln_msg in VULNERABLE_RESPONSES:
            if vuln_msg in response.text:
                alert(f'VULNERABLE: {subdomain} → {cname}')
                break


# Run daily (e.g. from cron)
if __name__ == '__main__':
    check_subdomain_takeover()
```

# 3. Implement DNS CAA Records

```zone
; Restrict who can issue certificates for the domain
example.com.  CAA 0 issue "letsencrypt.org"
example.com.  CAA 0 issuewild ";"   ; prevent wildcard certificates
```

# Security Checklist

  • Document all subdomains and their external services
  • Remove DNS records when deleting services
  • Monitor subdomains for takeover vulnerabilities
  • Use automated scanning (subjack, subfinder)
  • Implement CAA records
  • Regular DNS audits
  • Alert on DNS changes
  • Educate teams about proper DNS cleanup
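A zone audit of the kind the checklist calls for (document the subdomains, audit DNS regularly, delete dangling records), as an added example that is not part of this page or of any tool it names: it takes a constructed zone export and a constructed inventory of still-owned external hostnames, flags CNAMEs to third parties that are not in the inventory, rates targets on claimable providers (an assumed suffix list) HIGH, and builds the Route53 DELETE change batch for them.

```python
import json
from dataclasses import dataclass
# Assumed list of provider suffixes where an unregistered target name can be claimed
CLAIMABLE_SUFFIXES = (".herokuapp.com", ".github.io", ".gitlab.io", ".s3.amazonaws.com")

# Constructed zone export, (name, type, value, ttl), as a DNS audit would pull it
ZONE = "company.com"
ZONE_RECORDS = [
    ("blog.company.com", "CNAME", "myapp.herokuapp.com", 300),
    ("docs.company.com", "CNAME", "company.github.io", 300),
    ("api.company.com", "CNAME", "api-prod.herokuapp.com", 300),
    ("static.company.com", "CNAME", "d1234.cdn-provider.example", 300),  # hypothetical CDN
    ("legacy.company.com", "CNAME", "www.company.com", 300),
    ("mail.company.com", "A", "203.0.113.10", 300),
]

# Constructed inventory of external hostnames still owned; the blog's Heroku app
# was destroyed, so myapp.herokuapp.com is deliberately absent
OWNED_TARGETS = {"company.github.io", "api-prod.herokuapp.com"}
@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    severity: str  # HIGH = claimable provider; REVIEW = other third party
    ttl: int

def audit_zone(records, owned, zone):
    """Return CNAMEs whose target is outside the zone and not in the inventory."""
    findings = []
    for name, rtype, target, ttl in records:
        if rtype != "CNAME" or target in owned:
            continue
        if target == zone or target.endswith("." + zone):
            continue  # internal alias, not a third-party dependency
        severity = "HIGH" if target.endswith(CLAIMABLE_SUFFIXES) else "REVIEW"
        findings.append(Finding(name, target, severity, ttl))
    return findings

def route53_delete_batch(findings):
    """Change batch (as a dict) removing each HIGH finding's dangling record."""
    return {"Changes": [
        {"Action": "DELETE",
         "ResourceRecordSet": {"Name": f.name, "Type": "CNAME", "TTL": f.ttl,
                               "ResourceRecords": [{"Value": f.target}]}}
        for f in findings if f.severity == "HIGH"]}
if __name__ == "__main__":
    found = audit_zone(ZONE_RECORDS, OWNED_TARGETS, ZONE)
    for f in found:
        print(f"{f.severity}: {f.name} -> {f.target}")
    print(json.dumps(route53_delete_batch(found), indent=2))
```

REVIEW findings are third-party targets the inventory does not know about; they need a human to confirm ownership rather than an automatic delete.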

# Key Takeaways


Last Updated: November 2025