Mastering Subdomain Takeovers

Tanishq Sachin Shah
4 min readMay 11, 2024

Here’s how I got bounties through subdomain takeovers -

Subdomain takeovers are vulnerabilities that occur when a subdomain (part of a larger website, like mail.example.com) is no longer actively used by the intended owner. This can happen due to various reasons, such as:

  • Abandoned Services: A subdomain might have been used for a service that’s no longer offered, leaving it inactive.
  • Misconfigurations: Accidental mistakes during domain or subdomain management can create unclaimed subdomains.

Looks like your DNS settings got a little too friendly with mine.

Steps to get $ -

Step 1: Begin by selecting your target domain and initiating the process of identifying potential subdomains. Utilize tools like Subfinder, combined with the ‘-sc 404’ flag, to pinpoint unclaimed subdomains, which are crucial for potential takeover attempts. The initial command to execute is:

subfinder -d example.com | httpx -sc 404 | tee list.txt

Step 2: Proceed to manually inspect each subdomain flagged with a 404 response code. Pay close attention to any clues or information provided, especially indications of unclaimed S3 buckets or other relevant details. Additionally, use the ‘dig’ command to investigate the CNAME (Canonical Name) records. For instance, utilizing dig command enables the retrieval of the CNAME, revealing where the original subdomain directs to. This step is important in a successful domain takeover.

dig mail.example.com
If cname was a meme

Step 3: Now check this GitHub repo Can I Take Over XYZ there is a table in it which shows the list of vulnerable cname you can verify whether your cname is vulnerable or not.

Another simple way is to use Nuclie. It has a template called “takeover” which helps you see if a domain can be taken over. But remember, it’s a good idea to double-check manually sometimes because automated tools can make mistakes. To use Nuclie, just type in the command:

nuclei -l subdomain_results.txt -t <nuclei_template_path> -o results.txt

Nuclei Template1, Nuclei Template2

If there’s a possibility of takeover, explore different strategies to achieve it. I’ll describe several methods for you to consider.

  • unbouncepages.com — This problem is pretty common on many websites and can earn you a bounty easily. You don’t even have to claim it because it requires a subscription worth $100–$150. Just report it and mention in your proof of concept that the high price makes an actual takeover difficult. That’s all you need to get the bounty, and it might even be your first one.
From my report that earned a bounty

Keep in mind that the report you submit is crucial for bug bounty programs, so it’s essential to know the right words to use to maximize your chances of receiving good bounties.

Steal a website? Not quite, but close!

  • Unclaimed s3 buckets —
    If you find a subdomain showing a message like “NoSuchBuckets,” it’s a big win. Just log in to AWS, create a bucket with the same name as the subdomain, and make sure it’s in the same region. Don’t forget to uncheck the “block public access” option. Then, you can claim the bucket and upload your HTML file to display it.
  • Azure — If the CNAME concludes with “.cloudapp.net” or “.azurewebsites.net”, it’s vulnerable. Simply navigate to Microsoft Azure and log in on your own.

Case I — .cloudapp.net

Step 1: Navigate to the Azure portal.

Step 2: Select “Cloud Services (classic)” from the menu.

Step 3: Create a new cloud service by clicking on the “Add” button.

Step 4: Fill in the necessary details such as service name, subscription, resource group, and location.

Step 5: Choose the appropriate configuration options and deployment model.

.cloudapp.net (Cloud Services)

Case II — .azurewebsites.net

Step 1: Access the Azure portal.

Step 2: Navigate to “App Services.”

Step 3: Click on “Create New Web App.”

Step 4: Provide the necessary details such as name, subscription, resource group, and region. Ensure that the name matches the existing one if you want to replace it.

Step 5: Once the web app is created, navigate to its dashboard.

Step 6: Access the deployment options and choose the deployment method you prefer, such as FTP, Git, or Azure Pipelines.

Step 7: Upload or connect your deployment package and initiate the deployment process.

.azurewebsites.net (App Services)

There are numerous methods for claiming a subdomain and potentially earning a generous bounty. One suggestion is to explore alternative CNAME records by searching for them on Google or in previous reports, as they may reveal valuable information.

--

--

Tanishq Sachin Shah

Security Researcher @Xcoode | Blogger | Penetration Tester | Red Team | Skating Coach