0x00 Subdomain Takeovers: Still Paying Out
Subdomain takeovers are one of the simplest but most impactful bugs still paying out in bug bounty. The recipe hasn’t changed: a DNS record points to a third-party service, the resource behind it gets deleted or abandoned, and whoever claims it next owns the subdomain.
That ownership matters. If blog.company.com suddenly serves your content, users don’t see the nuance of DNS, they just see the company’s brand delivering something it shouldn’t. For programs, that translates to phishing risk, reputation damage, and a quick ticket for the security team.
From a hunter’s perspective, it’s a valuable category because it scales. Recon and automation do most of the heavy lifting, triagers can reproduce findings easily, and the business impact is obvious. Dead services turn into live payouts — if you can find them before everyone else.
0x01 What is a Subdomain Takeover?
A subdomain takeover happens when a DNS record is still alive but the resource it points to is gone. The DNS says, “this subdomain belongs to a service,” but the service no longer exists. If you can claim that resource before the company does, you control what loads under their domain.
The mechanics are straightforward:
A DNS record points to a third-party provider (AWS S3, Azure Blob, GitHub Pages, Fastly, Heroku, and so on).
The linked bucket, repo, or site gets deleted or goes unclaimed.
An attacker registers the resource and instantly owns the subdomain.
Classic examples:
test.company.com → CNAME → test-bucket.s3.amazonaws.com (bucket deleted).
blog.company.com → CNAME → company.github.io (repo removed).
files.company.com → CNAME → company.azurewebsites.net (site deleted).
The result is simple but dangerous: attacker-controlled content served directly from a trusted company domain.
0x02 Recon Workflow
Subdomain takeovers live and die on recon. The workflow is linear: discover subdomains, check what’s alive, resolve CNAMEs, and flag anything pointing to dead infrastructure.
Enumerate Subdomains
Never trust a single tool. Use multiple sources and merge results:
subfinder -d target.com -all -o subs.txt
amass enum -passive -d target.com -o amass.txt
cat subs.txt amass.txt | sort -u > all_subs.txt
Recon rule: the more coverage you have, the fewer blind spots.
Probe Alive Hosts
Cut the noise down to what’s actually serving responses:
httpx -l all_subs.txt -status-code -title -tech-detect -o hosts.txt
Alive doesn’t always mean exploitable, but it narrows the surface to what matters.
Inspect CNAMEs
Look for records pointing to third-party services:
dig CNAME sub.target.com
nslookup sub.target.com
Signals to watch:
AWS S3: NoSuchBucket
GitHub Pages: Repository not found
Azure/Heroku/CloudFront: Site not found
Automate at Scale
Community-driven tools make this scalable:
nuclei -l all_subs.txt -t nuclei-templates/takeovers/ -o takeover-findings.txt
Nuclei templates cover common providers, letting you sweep hundreds of subdomains quickly.
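The workflow above ends with raw dig and httpx output that still has to be read by hand. The following is an added example, not code from the post or from any of the tools it names: it parses the answer lines that dig prints, maps each CNAME target to a provider, and matches the HTTP body against the fingerprint listed under "Signals to watch". The provider table, the hostnames and the responses are all constructed for illustration, and fingerprint wording should be confirmed against each provider's current error page.

```python
"""Triage resolved CNAME records for subdomain-takeover candidates.

Added example, not code from the original post. It consumes the answer
lines that `dig +noall +answer CNAME <host>` prints, maps each CNAME
target to a provider, and checks the HTTP body fetched from the host
(supplied inline here) against the "resource gone" fingerprint the post
lists for that provider. The provider table, hostnames and responses are
constructed for illustration; confirm fingerprint wording against each
provider's current error page before relying on it.
"""

# CNAME target suffix -> (provider, fingerprint from the post's "signals to watch").
PROVIDERS = {
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    "github.io": ("GitHub Pages", "Repository not found"),
    "azurewebsites.net": ("Azure App Service", "Site not found"),
    "herokuapp.com": ("Heroku", "Site not found"),
    "cloudfront.net": ("CloudFront", "Site not found"),
}

# Constructed sample: answer section as dig prints it (name TTL class type target).
DIG_ANSWERS = """\
test.target.com.   300 IN CNAME test-bucket.s3.amazonaws.com.
blog.target.com.   300 IN CNAME target.github.io.
files.target.com.  300 IN CNAME target-files.azurewebsites.net.
shop.target.com.   300 IN CNAME shop.example-saas.net.
"""

# Constructed sample: (HTTP status, body snippet) that httpx/curl returned per host.
HTTP_RESPONSES = {
    "test.target.com": (404, "<Error><Code>NoSuchBucket</Code><BucketName>test-bucket</BucketName></Error>"),
    "blog.target.com": (200, "<html><body>Engineering blog</body></html>"),
    "files.target.com": (404, "<h1>404 Web Site not found.</h1>"),
    "shop.target.com": (404, "<h1>Store not found</h1>"),
}


def parse_cnames(dig_output):
    """Return {host: cname_target} from dig answer lines, trailing dots stripped."""
    records = {}
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "CNAME":
            records[parts[0].rstrip(".").lower()] = parts[4].rstrip(".").lower()
    return records


def identify_provider(target):
    """Match the CNAME target against the provider table on a label boundary; None if unmanaged."""
    for suffix, info in PROVIDERS.items():
        if target == suffix or target.endswith("." + suffix):
            return info
    return None


def classify(target, status, body):
    """Return (verdict, detail) for one host."""
    info = identify_provider(target)
    if info is None:
        return ("unknown-provider", f"{target}: not in table, review manually")
    provider, fingerprint = info
    if status is None:
        return ("no-response", f"{provider}: {target} did not answer")
    if fingerprint in body:
        return ("candidate", f"{provider}: {target} answers '{fingerprint}'")
    return ("live", f"{provider}: {target} serves content (HTTP {status})")


def triage(dig_output, responses):
    """Classify every CNAME record; candidates are records to delete or re-provision."""
    results = {}
    for host, target in parse_cnames(dig_output).items():
        status, body = responses.get(host, (None, ""))
        results[host] = classify(target, status, body)
    return results


if __name__ == "__main__":
    for host, (verdict, detail) in triage(DIG_ANSWERS, HTTP_RESPONSES).items():
        print(f"{verdict:16} {host:20} {detail}")
```

The suffix match is done on a label boundary so that a target such as evil-github.io is not mistaken for GitHub Pages. On the defensive side, every "candidate" is a record to delete or a resource to re-provision, and every "unknown-provider" is a CNAME the inventory does not yet explain.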
0x03 Exploitation Walkthrough
Finding a dangling CNAME is only half the job. To prove impact — and get paid — you need to demonstrate control. That means claiming the orphaned resource and showing the subdomain now serves your content.
Example: sub.target.com → CNAME → company-test.s3.amazonaws.com
Claim the bucket:
aws s3 mb s3://company-test --region us-east-1
Upload a harmless PoC page:
echo "<h1>ToxSec PoC</h1>" > index.html
aws s3 cp index.html s3://company-test/ --acl public-read
Verify ownership:
Visit sub.target.com in a browser. If your page loads, you’ve taken control.
At this point, the subdomain is effectively yours until the company reclaims or removes the DNS entry. Keep it clean. No phishing pages, no malware. A simple marker page is all you need.
For writing a bounty report, that’s enough: screenshots before and after, plus a clear explanation of the DNS record and the claimed resource.
0x04 Impact in Bug Bounty Context
Why do programs still pay for subdomain takeovers? Because the risk is obvious and immediate.
Trust impact: A hijacked subdomain can host phishing kits, fake login portals, or malware. To users, login.company.com is indistinguishable from the real thing.
Brand damage: Even a harmless defacement on a company subdomain looks like a major breach. Customers don’t care about DNS misconfigurations — they see a broken brand.
Ease of triage: Security teams can reproduce and fix quickly by deleting the DNS record or reclaiming the resource. Low overhead means programs are happy to pay.
The reality check:
Subdomain takeovers have a low skill floor. Anyone with basic recon tooling can find them, which means competition is high.
Duplicates are common. If you find a dangling record, chances are someone else already has it queued for triage.
The hunters who consistently win focus on speed and depth — scanning more thoroughly, monitoring continuously, and submitting faster.
In short: the impact is high, but the payout goes to whoever proves it first.
0x05 Pitfalls and False Positives
Not every dangling-looking record is exploitable. Subdomain takeovers are noisy territory, and programs close plenty of false reports. If you want to avoid wasted effort — and keep your credibility — you need to know the traps.
Error messages can mislead. Some providers display “not found” errors even when the resource is active in another region or account. Always confirm before claiming.
Region mismatches. An AWS bucket in us-west-2 won’t show up as valid if you’re probing us-east-1. That mismatch can make a live bucket look vulnerable.
Shared infrastructure. A CNAME might point to a multi-tenant service where you can’t take over a specific hostname. Looks vulnerable, but it isn’t.
Sinkholed providers. Some cloud vendors automatically block known takeover vectors. You might see an error, but the provider ensures no one can claim it.
Race conditions. Even if a resource is claimable, providers or the company might re-register it before you finish. Don’t report until you’ve proven control.
Rule of thumb: screenshots and proof of content served from the target subdomain are the only way to validate a takeover. Anything less is noise.
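The region-mismatch and "misleading error" traps above come down to reading the whole S3 response instead of the status code alone. The following is an added example, not code from the post: it classifies the status, headers and body captured from a GET against the CNAME target into the cases the pitfalls describe. The captures are constructed; the `x-amz-bucket-region` header and the `PermanentRedirect`, `AccessDenied` and `NoSuchBucket` error codes are S3's own, and anything that matches none of them is reported as inconclusive rather than as a finding.

```python
"""Tell a genuinely dangling S3 bucket apart from the false positives the post lists.

Added example, not code from the original post. It classifies the HTTP
status, headers and body captured from a GET against the CNAME target
(the samples below are constructed) instead of trusting a bare 404.
The `x-amz-bucket-region` header and the `PermanentRedirect`,
`AccessDenied` and `NoSuchBucket` error codes are S3's own; which one a
given capture contains is an assumption about that capture, so anything
unmatched is returned as "inconclusive", not as a finding.
"""


def classify_s3_response(status, headers, body):
    """Map one captured response to a verdict a reviewer can act on."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "live"
    # Region mismatch: the bucket exists, S3 just redirects to its home region.
    if status in (301, 307) or "PermanentRedirect" in body:
        region = headers.get("x-amz-bucket-region", "unknown")
        return f"exists-other-region:{region}"
    # Bucket exists but is private: nothing is unowned here.
    if status == 403 or "AccessDenied" in body:
        return "exists-private"
    # Only this combination means the bucket name is currently unowned.
    if status == 404 and "NoSuchBucket" in body:
        return "dangling"
    # A custom 404 page from a live website bucket lands here.
    return "inconclusive"


# Constructed captures for the situations the pitfalls section describes.
SAMPLE_CAPTURES = {
    "dangling": (404, {"Content-Type": "application/xml"},
                 "<Error><Code>NoSuchBucket</Code><BucketName>company-test</BucketName></Error>"),
    "region-mismatch": (301, {"x-amz-bucket-region": "us-west-2"},
                        "<Error><Code>PermanentRedirect</Code></Error>"),
    "private": (403, {}, "<Error><Code>AccessDenied</Code></Error>"),
    "plain-404": (404, {}, "<html>Not Found</html>"),
}


def classify_all(captures=SAMPLE_CAPTURES):
    """Classify every capture; only 'dangling' is worth a before/after screenshot."""
    return {name: classify_s3_response(*cap) for name, cap in captures.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16} -> {verdict}")
```

The region case is the one that most often produces a false report: the bucket is alive in us-west-2, the probe went to us-east-1, and the 301 is mistaken for "gone". Classifying the redirect explicitly keeps it out of the candidate list.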
0x06 Reporting Best Practices
A good subdomain takeover report is simple, reproducible, and backed by proof. Triagers don’t want theory — they want evidence.
Use a clean PoC page. Upload something harmless but unmistakable, like:
<h1>ToxSec PoC – Do Not Remove</h1>
No phishing, no jokes, no malware. Just a clear marker that proves control.
Document the chain. Include:
The subdomain you targeted.
The DNS record (CNAME) it resolves to.
The error message before takeover (e.g., NoSuchBucket).
The resource you claimed.
Screenshots before and after.
Make validation easy. Provide exact steps to reproduce — the faster a triager can confirm, the faster you get paid.
Stay professional. A poor-quality, over-the-top report risks being dismissed even if valid. Keep your language clear and your PoC minimal.
The best hackers don’t just prove control — they present it in a way that leaves zero doubt for the security team.
0x07 Command Recap
The essentials for spotting and proving subdomain takeovers:
# Subdomain enumeration
subfinder -d target.com -all -o subs.txt
amass enum -passive -d target.com -o amass.txt
cat subs.txt amass.txt | sort -u > all_subs.txt
# Probe alive hosts
httpx -l all_subs.txt -status-code -title -tech-detect -o hosts.txt
# Inspect CNAMEs
dig CNAME sub.target.com
nslookup sub.target.com
# Automate takeover checks
nuclei -l all_subs.txt -t nuclei-templates/takeovers/ -o takeover-findings.txt
These commands won’t win bounties alone, but they form the backbone of a takeover workflow. The edge comes from running them consistently, monitoring over time, and moving fast once a dangling record appears.
0x08 Debrief
Companies move fast, infrastructure shifts, but DNS often lags behind. That gap is where hackers step in.
The formula is simple:
One dead pointer, one claimed resource.
Full control of a company-branded subdomain.
For programs, the risk is obvious — phishing, brand damage, and loss of user trust. For hackers, it’s still a category worth watching. Automation makes discovery scalable, impact is easy to prove, and payouts remain strong for those who can move faster than the crowd.
Subdomain takeovers aren’t glamorous, but they’re reliable. Keep sweeping for dangling CNAMEs — the graveyard of forgotten infrastructure is still paying.