TL;DR
Subdomain takeover happens when your DNS has a CNAME pointing to an external service (like GitHub Pages, Heroku, S3) that you no longer control. Attackers can claim that resource and serve content on your subdomain. Audit your DNS records and remove entries pointing to deprovisioned services.
How Subdomain Takeover Works
# Your DNS has this old record:
blog.yoursite.com CNAME yoursite.github.io
# But you deleted the GitHub Pages repo!
# Attacker creates a new repo named "yoursite"
# GitHub assigns yoursite.github.io to them
# Now blog.yoursite.com serves attacker's content
Vulnerable Services
Services commonly vulnerable to subdomain takeover include:
- GitHub Pages: Unclaimed github.io subdomains
- Heroku: Deleted apps with lingering CNAMEs
- AWS S3: Deleted buckets referenced by DNS
- Azure: Deprovisioned cloud services
- Shopify, Fastly, Netlify: Various edge cases
Impact: Attackers can steal cookies (if SameSite is Lax), host phishing pages, serve malware from your trusted domain, or issue valid SSL certificates for your subdomain.
How to Prevent It
- Audit DNS regularly: Check all CNAME records point to active services
- Remove before deprovisioning: Delete DNS records before shutting down external services
- Monitor for issues: Tools like nuclei and subjack can detect vulnerable subdomains
- Use wildcards carefully: Wildcard CNAMEs increase risk
How do I find vulnerable subdomains?
Enumerate subdomains with tools like subfinder or amass, then check each CNAME for signs of unclaimed services (error pages saying "There isn't a GitHub Pages site here").
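The audit steps in the prevention list and the check described above, as an added example that is not part of the original page: it classifies each CNAME record as dangling (target no longer resolves) or unclaimed (target resolves but the provider's "nobody owns this" page comes back). DNS resolution and HTTP fetching are injected callables so it runs offline against constructed data; the provider fingerprint strings are assumptions to confirm against the live error pages before relying on them.

```python
"""Offline dangling-CNAME audit (added example). Wire `resolves` to a real DNS
lookup and `fetch_body` to an HTTP client when running against your own zone."""
from typing import Callable, Dict, List, Optional

# Assumed "unclaimed resource" markers for services the text names (hypothetical
# wording; verify against the provider's current error page).
TAKEOVER_FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}

Finding = Dict[str, str]


def classify_cname(subdomain: str, target: str,
                   resolves: Callable[[str], bool],
                   fetch_body: Callable[[str], str]) -> Optional[Finding]:
    """Return a finding if the CNAME target looks dangling or unclaimed, else None."""
    target = target.rstrip(".").lower()
    if not resolves(target):
        # Target name no longer exists: the record is dangling whatever the provider.
        return {"subdomain": subdomain, "target": target, "reason": "dangling-target"}
    for suffix, marker in TAKEOVER_FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            # Target exists, but the provider reports the name is not claimed by anyone.
            if marker in fetch_body(subdomain):
                return {"subdomain": subdomain, "target": target, "reason": "unclaimed-" + suffix}
            return None
    return None  # third-party target without a fingerprint: review manually


def audit_zone(records: Dict[str, str], resolves, fetch_body) -> List[Finding]:
    """Run classify_cname over every CNAME in a zone; records maps subdomain -> target."""
    findings = [classify_cname(sub, tgt, resolves, fetch_body) for sub, tgt in sorted(records.items())]
    return [f for f in findings if f]


# Constructed sample zone and canned responses (no live lookups, not real sites).
SAMPLE_RECORDS = {"blog.yoursite.com": "yoursite.github.io",
                  "app.yoursite.com": "old-app.herokuapp.com",
                  "www.yoursite.com": "yoursite.netlify.app"}
SAMPLE_RESOLVES = {"yoursite.github.io": True, "old-app.herokuapp.com": False,
                   "yoursite.netlify.app": True}
SAMPLE_BODIES = {"blog.yoursite.com": "<h1>There isn't a GitHub Pages site here.</h1>",
                 "www.yoursite.com": "<h1>Welcome</h1>"}


def sample_findings() -> List[Finding]:
    return audit_zone(SAMPLE_RECORDS, lambda t: SAMPLE_RESOLVES.get(t, False),
                      lambda s: SAMPLE_BODIES.get(s, ""))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['subdomain']} -> {f['target']}: {f['reason']}")
```

A record that resolves to a provider with no fingerprint is returned as clean here only because nothing could be checked, so keep a manual review step for those targets.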
Can attackers get SSL certificates?
Yes. Many certificate authorities use HTTP validation. If attackers control the content, they can get valid certs for your subdomain.
Scan for Subdomain Takeover
Our scanner checks your DNS for vulnerable subdomain configurations.