1. Introduction

A subdomain takeover vulnerability occurs when a subdomain points to a third-party service (via DNS records such as CNAME) that is no longer claimed or configured. An attacker can register the missing resource and gain control of the subdomain.

2. Scope and Target

  • Target domain: example.com
  • In-scope: All subdomains under *.example.com
  • Out-of-scope: Assets excluded by the bug bounty program

All testing was performed according to program rules.

3. Subdomain Discovery (Reconnaissance)

The first step is collecting all possible subdomains of the target.

Tools Used

  • subfinder
  • assetfinder
  • amass

Result

All discovered subdomains were saved to:

subdomains.txt

Example:

dev.example.com
staging.example.com
blog.example.com
cdn.example.com

4. HTTP Probing — Finding 404 Subdomains

Next, the discovered subdomains were probed to identify inactive or misconfigured hosts.

Command

httpx -l subdomains.txt -status-code -silent

Result

Subdomains returning 404 Not Found responses were filtered and saved to:

404_web.txt

These subdomains are strong candidates for takeover testing.

5. DNS Analysis

Subdomain takeovers usually depend on dangling DNS records, especially CNAME records pointing to third-party services.

5.1 Extracting CNAME Records

while read -r domain; do dig "$domain"; done < 404_web.txt | grep CNAME | tee -a CNAME_Records

5.2 Full DNS Dump and Filtering

while read -r domain; do dig "$domain"; done < 404_web.txt | tee -a digs.txt
grep CNAME digs.txt

Finding

Example:

dev.example.com CNAME dev-example.herokuapp.com

This shows that the subdomain points to Heroku, a third-party service.

6. Service Validation (Manual Verification)

DNS records alone are not enough. The third-party service must be confirmed as unclaimed.

HTTP Response Check

curl -i dev.example.com

(-I sends a HEAD request and returns headers only; -i is needed to see the body the fingerprint below is taken from.)

Response Body

No such app

This is a known Heroku error message, indicating that the application does not exist and can be claimed.
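The CNAME extraction in section 5 and the manual check in section 6 combined into one triage pass, as an added Python example that is not part of the original report: it parses dig output for CNAME records, follows CNAME chains, and flags a host as dangling when the chain's target has no DNS answer or as unclaimed when the provider's error page is seen. The herokuapp.com suffix, the sample records, the NXDOMAIN set and the response bodies are constructed assumptions.

```python
import re
# The Heroku "No such app" body is the fingerprint the report cites; the
# provider suffix it is keyed on is an assumption made for this example.
FINGERPRINTS = {"herokuapp.com": "No such app"}
# Matches dig answer lines like: dev.example.com. 300 IN CNAME dev-example.herokuapp.com.
CNAME_LINE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+CNAME\s+(\S+?)\.?$")

def parse_cname_records(dig_output):
    """Return {owner: target} for every CNAME line, i.e. what `grep CNAME` keeps."""
    records = {}
    for line in dig_output.splitlines():
        m = CNAME_LINE.match(line.strip())
        if m:
            records[m.group(1).lower()] = m.group(2).lower()
    return records

def follow_chain(host, records):
    """Follow CNAMEs from host to the last name in the chain; stop on loops."""
    seen, cur = set(), host.lower()
    while cur in records and cur not in seen:
        seen.add(cur)
        cur = records[cur]
    return cur

def classify(host, records, unresolvable, bodies):
    """'dangling' (target has no DNS answer), 'unclaimed' (provider error page seen),
    'inconclusive' (known provider, no fingerprint) or 'ok' (no CNAME / other target)."""
    target = follow_chain(host, records)
    if target == host.lower():
        return "ok"
    if target in unresolvable:
        return "dangling"
    for suffix, marker in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return "unclaimed" if marker in bodies.get(host, "") else "inconclusive"
    return "ok"

# Constructed sample data standing in for digs.txt, NXDOMAIN lookups and curl bodies.
SAMPLE_DIG = """\
;; ANSWER SECTION:
dev.example.com.   300 IN CNAME dev-example.herokuapp.com.
cdn.example.com.   300 IN CNAME cdn-old.example.net.
blog.example.com.  300 IN CNAME blog-live.herokuapp.com.
"""
SAMPLE_UNRESOLVABLE = {"cdn-old.example.net"}   # dig on this target returned NXDOMAIN
SAMPLE_BODIES = {"dev.example.com": "<h1>No such app</h1>", "blog.example.com": "<h1>Welcome</h1>"}

def triage(dig_output=SAMPLE_DIG, unresolvable=SAMPLE_UNRESOLVABLE, bodies=SAMPLE_BODIES):
    records = parse_cname_records(dig_output)
    return {host: classify(host, records, unresolvable, bodies) for host in records}
```

Hosts marked inconclusive still need the manual check from section 6; a known provider alone is not a finding.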

Reference:

7. Automated Validation

Automation was used to confirm the finding and reduce false positives.

7.1 Subzy

subzy run --targets 404_web.txt --concurrency 100 --hide_fails --verify_ssl

Result

[VULNERABLE] dev.example.com → Heroku

7.2 Nuclei

nuclei -l 404_web.txt -tags takeover -o nuclei_takeovers.txt

Nuclei confirmed the takeover using provider-specific templates.

8. Proof of Concept (POC)

Proof Included

  • Dangling CNAME record pointing to Heroku
  • HTTP response showing "No such app"
  • Automated confirmation via Subzy and Nuclei

Reference POC examples: https://0xpatrik.com/takeover-proofs/

9. Impact

If exploited, an attacker could:

  • Host malicious content under dev.example.com
  • Steal cookies scoped to .example.com
  • Perform phishing attacks
  • Abuse OAuth redirect or trust relationships

Severity

High to Critical