
Subdomain Enumeration & Takeover

Subdomain Enumeration

Subdomain enumeration is the process of finding valid subdomains for one or more domains. Subdomain takeover is the process of registering a non-existent domain name to gain control over another domain.

Subdomain Takeover

Some basics below.

DNS

  • When a web address such as "www.xyz.com" is accessed, a DNS query for the hostname is sent to a DNS server.
  • The DNS server takes the hostname and resolves it to a numeric IP address.

CNAME

  • An alias from one domain name to another domain name.
  • In the example below, xyz.company.com is the source domain and xyz.cloudservice.com is the canonical domain name.

Subdomain takeover basics

  • Subdomains map to a specific IP address or to third-party services such as Azure, AWS, Heroku, GitHub, Fastly, Shopify, etc. to serve content. Such subdomains use a CNAME record pointing to another domain [e.g. xyz.company.com CNAME xyz.cloudservice.com].
  • Later, for whatever reason, the company decides to stop using the service and, to save money, cancels its subscription with the third-party cloud service provider.
  • But the company forgets to update or remove the CNAME record in the DNS zone file.
  • Since the CNAME record has not been deleted from the company.com DNS zone, anyone who registers xyz.cloudservice.com has full control over xyz.company.com for as long as the DNS record remains present.

Case : CNAME available to buy

  • There are cases where the domain that a subdomain's CNAME points to is available to buy.
  • In that case, the attacker can directly buy that domain and host their own content.

Enumeration tools

Use the following tools to enumerate subdomains

Takeover tools

The following tools are designed to scan a list of subdomains concurrently and identify those that can be hijacked.

Subdomain Takeover PoCs

| Engine | Status | Fingerprint | Discussion | Documentation |
|---|---|---|---|---|
| Agile CRM | Vulnerable | Sorry, this page is no longer available. | Issue #145 | |
| Airee.ru | Vulnerable | | Issue #104 | |
| Anima | Vulnerable | If this is your website and you've just created it, try refreshing in a minute | Issue #126 | Anima Documentation |
| Akamai | Not vulnerable | | Issue #13 | |
| AWS/S3 | Vulnerable | The specified bucket does not exist | Issue #36 | |
| Bitbucket | Vulnerable | Repository not found | | |
| Campaign Monitor | Vulnerable | Trying to access your account? | | Support Page |
| Cargo Collective | Vulnerable | 404 Not Found | | Cargo Support Page |
| Cloudfront | Not vulnerable | ViewerCertificateException | Issue #29 | Domain Security on Amazon CloudFront |
| Desk | Not vulnerable | Please try again or try Desk.com free for 14 days. | Issue #9 | |
| Digital Ocean | Vulnerable | Domain uses DO name serves with no records in DO. | | |
| Fastly | Edge case | Fastly error: unknown domain: | Issue #22 | |
| Feedpress | Vulnerable | The feed has not been found. | HackerOne #195350 | |
| Firebase | Not vulnerable | | Issue #128 | |
| Fly.io | Vulnerable | 404 Not Found | Issue #101 | |
| Freshdesk | Not vulnerable | | | Freshdesk Support Page |
| Gemfury | Vulnerable | 404: This page could not be found. | Issue #154 | Article |
| Ghost | Vulnerable | The thing you were looking for is no longer here, or never was | | |
| Github | Vulnerable | There isn't a Github Pages site here. | Issue #37, Issue #68 | |
| Gitlab | Not vulnerable | | HackerOne #312118 | |
| Google Cloud Storage | Not vulnerable | | | |
| HatenaBlog | Vulnerable | 404 Blog is not found | | |
| Help Juice | Vulnerable | We could not find what you're looking for. | | Help Juice Support Page |
| Help Scout | Vulnerable | No settings were found for this company: | | HelpScout Docs |
| Heroku | Edge case | No such app | Issue #38 | |
| Instapage | Not vulnerable | | Issue #73 | |
| Intercom | Vulnerable | Uh oh. That page doesn't exist. | Issue #69 | Help center |
| JetBrains | Vulnerable | is not a registered InCloud YouTrack | | YouTrack InCloud Help Page |
| Key CDN | Not vulnerable | | Issue #112 | |
| Kinsta | Vulnerable | No Site For Domain | Issue #48 | kinsta-add-domain |
| LaunchRock | Vulnerable | It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us. | Issue #74 | |
| Mashery | Edge case | Unrecognized domain | HackerOne #275714, Issue #14 | |
| Microsoft Azure | Vulnerable | | Issue #35 | |
| Netlify | Edge case | | Issue #40 | |
| Ngrok | Vulnerable | Tunnel *.ngrok.io not found | Issue #92 | Ngrok Documentation |
| Pantheon | Vulnerable | 404 error unknown site! | Issue #24 | Pantheon-Sub-takeover |
| Pingdom | Vulnerable | This public report page has not been activated by the user | Issue #144 | Support Page |
| Readme.io | Vulnerable | Project doesnt exist... yet! | Issue #41 | |
| Sendgrid | Not vulnerable | | | |
| Shopify | Edge case | Sorry, this shop is currently unavailable. | Issue #32, Issue #46 | Medium Article |
| SmartJobBoard | Vulnerable | This job board website is either expired or its domain name is invalid. | Issue #139 | Support Page |
| Squarespace | Not vulnerable | | | |
| Statuspage | Vulnerable | Visiting the subdomain will redirect users to https://www.statuspage.io. | PR #105 | Statuspage documentation |
| Strikingly | Vulnerable | page not found | Issue #58 | Strikingly-Sub-takeover |
| Surge.sh | Vulnerable | project not found | | Surge Documentation |
| Tumblr | Edge case | Whatever you were looking for doesn't currently exist at this address | | |
| Tilda | Edge case | Please renew your subscription | PR #20 | |
| Uberflip | Vulnerable | Non-hub domain, The URL you've accessed does not provide a hub. | Issue #150 | Uberflip Documentation |
| Unbounce | Edge case | The requested URL was not found on this server. | Issue #11 | |
| Uptimerobot | Vulnerable | page not found | Issue #45 | Uptimerobot-Sub-takeover |
| UserVoice | Vulnerable | This UserVoice subdomain is currently available! | | |
| Webflow | Edge case | The page you are looking for doesn't exist or has been moved. | Issue #44 | forum webflow |
| Wordpress | Vulnerable | Do you want to register *.wordpress.com? | | |
| Worksites | Vulnerable | Hello! Sorry, but the website you’re looking for doesn’t exist. | Issue #142 | |
| WP Engine | Not vulnerable | | | |
| Zendesk | Not vulnerable | Help Center Closed | Issue #23 | Zendesk Support |
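
A defensive check built on the material above, as an added example that is not part of the original page: it audits the CNAME records in your own zone export, flagging targets that no longer resolve and responses that match fingerprints from the table. The `resolves` and `fetch_body` lookups, the zone entries other than xyz.company.com, and the response bodies are constructed assumptions so the logic runs offline.

```python
"""Audit CNAME records from your own zone export for dangling targets (added example)."""

# Fingerprints and statuses copied from the table on this page (subset).
FINGERPRINTS = {
    "AWS/S3": ("Vulnerable", "The specified bucket does not exist"),
    "Github": ("Vulnerable", "There isn't a Github Pages site here."),
    "Heroku": ("Edge case", "No such app"),
    "Fastly": ("Edge case", "Fastly error: unknown domain:"),
}

def audit_zone(cnames, resolves, fetch_body):
    """cnames: {source: target}. resolves(target) -> bool and fetch_body(source) -> str
    are injected lookups (assumptions of this example) so the logic runs offline."""
    findings = {}
    for source, target in cnames.items():
        if not resolves(target):
            # Target name no longer exists: the CNAME record should be removed.
            findings[source] = ("dangling", "target does not resolve")
            continue
        body = fetch_body(source)
        verdict = ("ok", "")
        for engine, (status, marker) in FINGERPRINTS.items():
            if marker in body:
                # "Vulnerable" engines are flagged outright; edge cases need manual review.
                level = "dangling" if status == "Vulnerable" else "review"
                verdict = (level, f"{engine}: {marker!r}")
                break
        findings[source] = verdict
    return findings

# Constructed sample data: a zone export plus canned lookup results.
ZONE = {
    "xyz.company.com": "xyz.cloudservice.com",
    "docs.company.com": "company.github.io",
    "app.company.com": "company-app.herokuapp.com",
    "www.company.com": "lb.company.com",
}
LIVE_TARGETS = {"company.github.io", "company-app.herokuapp.com", "lb.company.com"}
BODIES = {
    "docs.company.com": "<p>There isn't a Github Pages site here.</p>",
    "app.company.com": "<title>No such app</title>",
    "www.company.com": "<h1>Welcome</h1>",
}

def run_sample():
    return audit_zone(ZONE, LIVE_TARGETS.__contains__, lambda h: BODIES.get(h, ""))

if __name__ == "__main__":
    for host, (level, why) in run_sample().items():
        print(f"{host:20} {level:9} {why}")
```

Every "dangling" finding is a record to delete or re-point in the zone file; "review" findings correspond to the table's edge cases and need a manual check with the provider.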
