A subdomain takeover occurs when a subdomain's DNS record (typically a CNAME) points at a hostname that no longer exists: the vendor domain expired, or the hosted app, bucket or page behind it was deleted while the record was left in place. If an attacker registers that missing domain, or claims the unclaimed resource on the hosting service, the target subdomain now resolves to infrastructure the attacker controls, giving them effective control over the target's subdomain and everything served under that name. What makes this vulnerability so interesting is that you can be safe one minute and a single DNS change, or the decommissioning of a service the record still points at, can make you vulnerable the next.

The vulnerability here is that the target subdomain points to a domain that does not exist. An attacker can register the non-existent domain, and from then on the target subdomain points to a domain the attacker controls. The same pattern applies to NS records delegating to a nameserver whose domain or hosted zone is gone (see the NS and DNS-provider resources below); the CNAME case is simply the most common one.

Simple subdomain takeover steps:

  1. Enumerate live subdomains and look for ones returning 404s or a service error page (for example a GitHub Pages or Heroku "no such site/app" page).
  2. Check the subdomain's CNAME target: if the target hostname returns NXDOMAIN, or the service reports that the resource name is unclaimed, the subdomain is a candidate.
  3. Look the service up in the "Can I take over XYZ?" repo to see whether it is actually claimable (many services are not), then confirm the takeover by claiming the name and serving a harmless proof file; do not host anything beyond that under someone else's subdomain.

Automated check over a list of live hosts (all-live.txt, one host per line; the template directory depends on your nuclei-templates version):
nuclei -t <path>/nuclei-templates/takeovers/* -l all-live.txt
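The triage logic behind steps 1 to 3, as an added example that is not part of the original post or of any tool it mentions. DNS and HTTP are injected as callables so the script runs offline against constructed data (the example.com hosts, the retired-vendor.test target and the response bodies are all made up for the demo); in practice you would wire them to a real resolver and HTTP client. The two fingerprint strings are assumptions recalled from the can-i-take-over-xyz list and must be re-checked there before reporting anything.

```python
"""Dangling-CNAME triage for subdomain takeover candidates (added example).

Checks, per subdomain:
  1. follow the CNAME chain to its final target (bounded, loop-safe);
  2. if the target does not resolve (NXDOMAIN), flag it: the apex may be
     registrable, or the service hostname may be claimable;
  3. if it resolves but the served body carries a known "unclaimed" banner
     for that service, flag it as a fingerprint hit.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Service suffix -> banner the service returns for an unclaimed name.
# ASSUMED values; verify against can-i-take-over-xyz before relying on them.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}

MAX_CNAME_HOPS = 5  # guard against CNAME loops and absurd chains


@dataclass
class Finding:
    subdomain: str
    target: str   # final hostname in the CNAME chain
    apex: str     # naive registrable domain of the target
    reason: str   # "nxdomain" or "fingerprint:<service>"


def follow_cnames(name: str, cname_of: Callable[[str], Optional[str]]) -> List[str]:
    """Return the CNAME chain below name (excluding name itself)."""
    chain: List[str] = []
    seen = {name}
    cur = name
    for _ in range(MAX_CNAME_HOPS):
        nxt = cname_of(cur)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def service_for(host: str) -> Optional[str]:
    """Match a CNAME target to a known hosted service by DNS suffix."""
    for suffix in FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def apex(host: str) -> str:
    """Naive registrable domain (last two labels). Real code should use the
    Public Suffix List; this mis-handles names such as example.co.uk."""
    return ".".join(host.split(".")[-2:])


def triage(subdomain: str,
           cname_of: Callable[[str], Optional[str]],
           resolves: Callable[[str], bool],
           fetch_body: Callable[[str], str]) -> Optional[Finding]:
    chain = follow_cnames(subdomain, cname_of)
    if not chain:
        return None  # no CNAME: A/NS-record variants are out of scope here
    target = chain[-1]
    if not resolves(target):
        return Finding(subdomain, target, apex(target), "nxdomain")
    svc = service_for(target)
    if svc and FINGERPRINTS[svc] in fetch_body(subdomain):
        return Finding(subdomain, target, apex(target), f"fingerprint:{svc}")
    return None


# ---- constructed sample data (not real hosts) ----
SAMPLE_CNAMES = {
    "blog.example.com": "example-blog.github.io",      # unclaimed Pages site
    "shop.example.com": "shop-lb.example.net",         # two-hop chain ...
    "shop-lb.example.net": "old-site.retired-vendor.test",  # ... to a dead vendor
    "old.example.com": "old-site.retired-vendor.test",
    "docs.example.com": "docs-live.github.io",         # healthy Pages site
}
SAMPLE_RESOLVING = {"example-blog.github.io", "docs-live.github.io", "shop-lb.example.net"}
SAMPLE_BODIES = {
    "blog.example.com": "<h1>There isn't a GitHub Pages site here.</h1>",
    "docs.example.com": "<html>Welcome to the docs</html>",
}


def sample_cname_of(h: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(h)


def sample_resolves(h: str) -> bool:
    return h in SAMPLE_RESOLVING


def sample_fetch(h: str) -> str:
    return SAMPLE_BODIES.get(h, "")


def scan(subdomains: List[str]) -> List[Finding]:
    out = [triage(s, sample_cname_of, sample_resolves, sample_fetch) for s in subdomains]
    return [f for f in out if f is not None]


if __name__ == "__main__":
    for f in scan(["blog.example.com", "shop.example.com", "old.example.com",
                   "docs.example.com", "api.example.com"]):
        print(f"{f.subdomain} -> {f.target} [{f.reason}] (apex: {f.apex})")
```

The nxdomain and fingerprint cases need different follow-up: an NXDOMAIN whose apex is unregistered is a straight domain registration, while a service hostname (github.io, herokuapp.com, ...) is only exploitable if the service lets anyone claim that name, which is exactly what the can-i-take-over-xyz list records.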

Subdomain TakeOvers by iamaakashrathee

Resources:

GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" - a list of services and how to claim (sub)domains with dangling DNS records.

https://0xpatrik.com/subdomain-takeover-ns/

How Recon helped me to find a Facebook domain takeover

GitHub - indianajson/can-i-take-over-dns: "Can I take over DNS?" - a list of DNS providers and how to claim (sub)domains via missing hosted zones