Advanced Attacks | High Severity

Subdomain Takeover Scanner

Identifies dangling DNS records vulnerable to subdomain takeover.

What is Subdomain Takeover?

Subdomain takeover occurs when DNS records point to external services (cloud platforms, CDNs, SaaS) that the organization no longer controls. An attacker who claims the unclaimed resource takes control of the subdomain. They can then host malicious content, steal cookies, or impersonate the organization.

Why is This Important?

Subdomain takeover is surprisingly common because cloud resources are frequently created and deleted while DNS records persist. A takeover allows phishing with legitimate-looking domains, cookie theft (subdomains often share cookie scope), and damage to organizational reputation.

How It Works

1. Attack Surface Mapping

Identifies complex attack vectors including race conditions, desync points, and logic flaws in your application.

2. Advanced Exploitation

Executes sophisticated attack techniques that bypass traditional security controls and detection mechanisms.

3. Impact Assessment

Demonstrates real-world impact with detailed exploitation chains and business risk analysis.

Key Capabilities

Expert-level security testing for sophisticated vulnerabilities that evade traditional scanning tools.

  • Race condition and timing attack detection
  • Request smuggling and desync analysis
  • Business logic flaw identification
  • Chained exploit development
  • Protocol-level vulnerability testing

Frequently Asked Questions

What services are commonly vulnerable?

Commonly vulnerable services: GitHub Pages (CNAME to unclaimed repo), Heroku (unclaimed app names), AWS S3 (unclaimed bucket names), Azure (various services), Shopify, Fastly, CloudFront, and dozens of SaaS platforms. Each has a different claim mechanism.

How do attackers find vulnerable subdomains?

Discovery methods: subdomain enumeration (passive/active), DNS record analysis, checking for service-specific error messages (e.g., 'There isn't a GitHub Pages site here'), automated scanning tools (subjack, takeover), and monitoring Certificate Transparency logs.

What's the impact of subdomain takeover?

Impacts include: hosting phishing pages on a trusted subdomain, stealing cookies if the cookie's domain scope includes the subdomain, sending emails that pass SPF (if mail records are affected), bypassing a CSP that allows subdomains, and general reputation damage and trust abuse.

How do I prevent subdomain takeover?

Prevention: remove DNS records when decommissioning services, inventory all subdomains and their purpose, monitor for dangling records, use dedicated domains for external services (not subdomains of the main domain), claim resources before creating DNS records, and regularly audit DNS.
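One way to run the "monitor for dangling records" step against your own zone inventory, as an added example (not this scanner's code). The provider suffix list, the function names and the sample zone are assumptions made for illustration; the only unclaimed-page marker used is the GitHub Pages string quoted above.

```python
import socket

# Hostname suffixes for providers named in the FAQ (assumed, not exhaustive).
PROVIDER_SUFFIXES = {
    "github.io": "GitHub Pages", "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "AWS S3", "azurewebsites.net": "Azure",
    "myshopify.com": "Shopify", "cloudfront.net": "CloudFront",
}
# Only the error string quoted on this page; extend from provider docs.
UNCLAIMED_MARKERS = {"GitHub Pages": "There isn't a GitHub Pages site here"}
# Constructed zone inventory: (name, record type, target).
SAMPLE_ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("docs.example.com", "CNAME", "example-org.github.io."),
    ("shop.example.com", "CNAME", "old-store.herokuapp.com."),
    ("cdn.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
]

def system_resolves(host):
    """Default resolver: True if the CNAME target currently resolves."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def provider_for(target):
    """Map a CNAME target to a listed provider, matching whole DNS labels."""
    host = target.rstrip(".").lower()
    for suffix, name in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def audit(records, resolves=system_resolves, fetch_body=None):
    """Return (name, target, provider, reason) for records needing cleanup."""
    findings = []
    for name, rtype, target in records:
        provider = provider_for(target) if rtype.upper() == "CNAME" else None
        if provider is None:
            continue  # not delegated to a listed external service
        if not resolves(target.rstrip(".")):
            findings.append((name, target, provider, "target does not resolve"))
            continue
        marker = UNCLAIMED_MARKERS.get(provider)
        # fetch_body is an optional caller-supplied function: name -> page text
        if marker and fetch_body and marker in fetch_body(name):
            findings.append((name, target, provider, "provider reports unclaimed"))
    return findings
```

Feed `audit` an export of your DNS zone on a schedule; each finding is a record to delete or a resource to re-claim before the record stays live.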
