Bug bounty hunting is an exciting field that rewards security researchers for identifying vulnerabilities in websites and applications. One of the most impactful yet often overlooked vulnerabilities is subdomain takeover. In this article, we’ll break down what it is, how to identify it, the exploitation steps, and how companies can mitigate the risk.
A subdomain takeover occurs when an attacker gains control over an unused subdomain of a target website. This happens when a subdomain points to an external service (e.g., GitHub Pages, AWS S3, Azure, Heroku) that is no longer in use or has been deleted, but the DNS record that points to it is still active.
For example, if blog.example.com was hosted on GitHub Pages but the repository was deleted, an attacker could claim the same GitHub Pages subdomain and take control of blog.example.com.
1. Enumerate Subdomains
Use tools like Subfinder, Amass, Assetfinder, or crt.sh to find subdomains.
Example:
```bash
subfinder -d example.com
amass enum -d example.com
```
2. Check DNS Records
Use the dig, nslookup, or host command:
```bash
dig blog.example.com CNAME
host blog.example.com
```
If the subdomain points to an external service (e.g., blog.example.com CNAME username.github.io), check whether the service is still active.
3. Verify if the Service is Unclaimed
Try visiting the subdomain. If you see messages like:
- “404 Not Found”
- “No such bucket” (AWS S3)
- “There isn’t a GitHub Pages site here”
this indicates that the service is no longer in use and is potentially vulnerable.
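Steps 2 and 3 can be combined into a single triage routine: classify each subdomain’s CNAME target against a small table of external services, then check the page body returned by that host for the service’s “nothing deployed here” message. The script below is an added example, not code from the original article. The CNAME suffix table, the Heroku fingerprint, and the DNS/HTTP sample data are constructed for this example (the GitHub Pages and S3 fingerprints are the messages quoted above; S3 reports “No such bucket” as the XML error code NoSuchBucket); in practice the records would come from dig/host and the bodies from an HTTP fetch of each subdomain.

```python
"""Offline triage of dangling-CNAME candidates (added example, constructed data)."""
from dataclasses import dataclass

# CNAME target suffix -> (service name, error text shown when nothing is deployed).
# Suffixes are assumptions for this example; fingerprints for GitHub Pages and S3
# are the messages quoted in the article, the Heroku one is assumed.
SERVICE_FINGERPRINTS = {
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    "herokuapp.com": ("Heroku", "No such app"),  # assumed fingerprint
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    service: str
    reason: str


def classify_cname(cname):
    """Return (service, fingerprint) if the CNAME target belongs to a known
    external service, otherwise None (internal or unknown target)."""
    host = cname.rstrip(".").lower()
    for suffix, (service, fingerprint) in SERVICE_FINGERPRINTS.items():
        if host == suffix or host.endswith("." + suffix):
            return service, fingerprint
    return None


def triage(dns_records, http_bodies):
    """dns_records: {subdomain: CNAME target or None}
    http_bodies:   {subdomain: response body text} (missing key = no response)
    Returns the subdomains whose external host answers with an 'unclaimed' page."""
    findings = []
    for sub, cname in dns_records.items():
        if not cname:
            continue  # no CNAME (A/AAAA record): out of scope for this check
        hit = classify_cname(cname)
        if hit is None:
            continue
        service, fingerprint = hit
        body = (http_bodies.get(sub) or "").lower()
        if fingerprint.lower() in body:
            findings.append(Finding(sub, cname, service, f"fingerprint matched: {fingerprint!r}"))
        elif "404 not found" in body:
            # Generic 404 from an external host: worth a manual look, not proof.
            findings.append(Finding(sub, cname, service, "generic 404 from external host; verify manually"))
    return findings


# Constructed sample data standing in for dig/host output and HTTP responses.
SAMPLE_DNS = {
    "blog.example.com": "acme-blog.github.io.",
    "assets.example.com": "acme-assets.s3.amazonaws.com.",
    "www.example.com": "lb.internal.example.com.",
    "app.example.com": "acme-app.herokuapp.com.",
}
SAMPLE_BODIES = {
    "blog.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>",
    "app.example.com": "<h1>Welcome to Acme</h1>",  # live app, nothing to report
}

if __name__ == "__main__":
    for f in triage(SAMPLE_DNS, SAMPLE_BODIES):
        print(f"{f.subdomain} -> {f.cname} [{f.service}]: {f.reason}")
```

With the sample data, blog.example.com and assets.example.com are reported because their external hosts answer with the unclaimed-service message, while www.example.com (internal target) and app.example.com (live Heroku app) are not. The generic “404 Not Found” case is flagged separately because many live hosts return 404 for an unknown path, so it needs manual confirmation rather than being treated as proof.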
Once you’ve found a vulnerable subdomain, follow these steps:
1. Claim the External Service
- If the subdomain was using GitHub Pages, create a repository with the same name.
- If it was using AWS S3, create a new bucket with the same name.
2. Deploy a Custom Page
Upload an HTML file with proof of takeover:
```html
<h1>Subdomain Takeover by [YourName]</h1>
```
3. Verify the Takeover
Visit the subdomain and check if your content appears. If successful, report it to the bug bounty program.
1. Remove Unused DNS Records
Remove unused DNS records pointing to external services.
2. Use Controlled CNAME Entries
Implement wildcard DNS restrictions.
3. Enable Service-Specific Protections
Some platforms (e.g., GitHub, AWS) provide settings to restrict unauthorized claims.
4. Monitor for Changes
Use automation tools like dnsmonitor to detect abandoned subdomains.
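Mitigation steps 1 and 4 come down to the same control: keep an inventory of the external services you actually own, and audit every CNAME in the zone against it, on a schedule, so that a decommissioned service shows up as a record to delete. The script below is an added example, not code from the article or from dnsmonitor. It parses CNAME records from a BIND-style zone file, reports external targets that are not in the inventory, and lists records that are new or changed since the previous snapshot. The external-service suffix list, the zone file, the inventory, and the previous snapshot are all constructed for this example.

```python
"""Audit a zone's CNAME records against an inventory of owned external services
(added example; zone text, inventory and snapshot are constructed)."""

# Suffixes of third-party hosting targets to audit (assumed list for this example).
EXTERNAL_SUFFIXES = ("github.io", "s3.amazonaws.com", "herokuapp.com", "azurewebsites.net")


def parse_zone_cnames(zone_text):
    """Parse CNAME lines from a BIND-style zone file into {owner_fqdn: target}.
    Handles '$ORIGIN' for relative owner names; other directives are skipped."""
    origin = ""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() == "$ORIGIN":
            origin = parts[1].rstrip(".").lower()
            continue
        if parts[0].startswith("$") or "CNAME" not in parts:
            continue
        idx = parts.index("CNAME")          # form: owner [ttl] [IN] CNAME target
        owner, target = parts[0].lower(), parts[idx + 1].rstrip(".").lower()
        if not owner.endswith(".") and origin:
            owner = f"{owner}.{origin}"      # expand relative owner name
        records[owner.rstrip(".")] = target
    return records


def is_external(target):
    """True if the target host belongs to one of the audited third-party services."""
    return any(target == s or target.endswith("." + s) for s in EXTERNAL_SUFFIXES)


def audit(zone_text, owned_targets, previous_records=None):
    """Return {'unowned': external CNAME targets not in the inventory (delete or
    reclaim), 'new': owners added or retargeted since the last snapshot (review
    each new external dependency), 'records': the parsed CNAME map}."""
    current = parse_zone_cnames(zone_text)
    owned = {t.rstrip(".").lower() for t in owned_targets}
    unowned = sorted(o for o, t in current.items() if is_external(t) and t not in owned)
    new = []
    if previous_records is not None:
        new = sorted(o for o, t in current.items() if previous_records.get(o) != t)
    return {"unowned": unowned, "new": new, "records": current}


# Constructed sample input: a zone export, the service inventory, and last run's snapshot.
ZONE = """\
$ORIGIN example.com.
$TTL 300
blog     IN CNAME acme-blog.github.io.
assets   IN CNAME acme-assets.s3.amazonaws.com.   ; bucket was deleted last quarter
app      300 IN CNAME acme-app.herokuapp.com.
www      IN CNAME lb.internal.example.com.
"""
OWNED = ["acme-app.herokuapp.com", "acme-blog.github.io"]
PREVIOUS = {"blog.example.com": "acme-blog.github.io", "www.example.com": "lb.internal.example.com"}

if __name__ == "__main__":
    report = audit(ZONE, OWNED, PREVIOUS)
    for owner in report["unowned"]:
        print(f"REMOVE OR RECLAIM: {owner} -> {report['records'][owner]} (not in inventory)")
    for owner in report["new"]:
        print(f"NEW SINCE LAST RUN: {owner} -> {report['records'][owner]}")
```

Run against the sample zone, the audit flags assets.example.com (its S3 target is external and absent from the inventory) and lists app.example.com and assets.example.com as new since the previous snapshot. Feeding it a fresh zone export from your DNS provider on each run, and persisting the `records` map as the next snapshot, gives the monitoring that step 4 describes without relying on a third-party tool.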
Subdomain takeover can have serious security implications, allowing attackers to host phishing pages, inject malicious scripts, or impersonate trusted websites. As a bug bounty hunter, mastering this technique can help you find high-impact vulnerabilities, while companies should take proactive steps to mitigate this risk.
Happy hunting! 🕵️♂️💻