The Art of Finding Subdomain Takeovers: A Guide for Security Professionals

Subdomain takeover is a security vulnerability that occurs when a subdomain (e.g. sub.example.com) is pointing to a service (e.g. GitHub pages, Heroku, AWS S3, etc.) that has been discontinued or deleted by its owner. This allows an attacker to register the same subdomain on the same service and essentially “take over” the content that is being served on the subdomain.

Here are the steps to perform a subdomain takeover:

1. Identify subdomains: Use tools like Sublist3r, KnobleSec’s SubJack, etc. to identify potential subdomains for takeover.

2. Check for misconfigured DNS records: Check the DNS records of each subdomain to see if it is pointing to a third-party service that has been discontinued or deleted.

3. Check for a live endpoint: Try accessing the subdomain to see if it is still active.

4. Check if the third-party service allows registration: Check the terms of service for the third-party service to see if it allows new users to register the same subdomain.

5. Register the subdomain: If the third-party service allows new users to register the same subdomain, sign up for an account and register the subdomain.

6. Modify the content: Change the content of the subdomain to reflect your own message or goals.

7. Report the vulnerability: If the subdomain is part of a larger organization, report the vulnerability to the appropriate party so that they can take action to prevent it from being exploited.

It’s important to note that subdomain takeover is a serious security vulnerability and can be used to carry out phishing attacks, distribute malware, or steal sensitive information. As a security professional, it’s your responsibility to prevent subdomain takeovers from happening by regularly monitoring your subdomains and keeping your DNS records up to date.