# Week 12 - Subdomain Takeovers

## Finding Subdomain Takeovers

In week 12 of the Web Hacking series, we’ll be mixing it up a little and covering a DNS-related issue. Are you part of an organization that has a large web presence, often involving blogs, repositories, and shops?

Depending on your DNS settings, you may be vulnerable to Subdomain Takeover. Subdomain Takeover occurs when an attacker can completely own and write content to one of your organization’s subdomains. This happens because admins often remove a blog/repository/shop from a subdomain but forget to also remove the DNS CNAME record, which the service uses to verify the subdomain. So how can we exploit it?

My favorite way to approach Subdomain Takeover is to start with enumeration. I use tools like Sublist3r, Knockpy, and VirusTotal to thoroughly enumerate existing subdomains. I then determine whether each subdomain returns a valid response or just triggers a timeout/gateway error.

Assuming you receive a valid response, the next step is to assess what that response looks like and whether it’s vulnerable. Focus especially on whether the response appears to be issued by a popular service (Shopify, GitHub, WordPress, etc.). The best way to accomplish this is to consult EdOverflow’s GitHub repo linked in the comments, which shows you which services are vulnerable to Subdomain Takeover and which ones are not. It also links documentation and discussion on each service for further study.

If a site appears to be vulnerable, all you have to do is register an account on the service the domain points to (Shopify, GitHub, WordPress, etc.) and claim the subdomain. Since the subdomain is already pointing to their service, no further verification is required. You can completely own it!
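As an added example (not code from the original post), here is the defensive side of the same checks: it walks a zone export and flags CNAME records that point at third-party hosts which either no longer resolve or answer with an unclaimed placeholder, so the forgotten record can be deleted before anyone else claims the name. The zone data, resolver answers, HTTP bodies, service suffixes and placeholder phrases are all constructed assumptions, not the maintained fingerprint list the post refers to.

```python
# Added example, not code from the original post: audit a zone export for CNAME
# records that point at third-party hosts and either no longer resolve or answer
# with a "not claimed" placeholder, i.e. the forgotten-CNAME condition the post
# describes. DNS answers and HTTP bodies are constructed inline so it runs offline;
# the service suffixes and placeholder phrases are illustrative assumptions, not
# the maintained fingerprint list the post refers to.

# Constructed zone export: subdomain -> CNAME target (None means no CNAME).
ZONE = {
    "blog.example.com": "acme.github.io",
    "shop.example.com": "acme-store.myshopify.com",
    "news.example.com": "acme.wordpress.com",
    "www.example.com": None,
}
# Constructed resolver view: CNAME target -> resolves (True) or NXDOMAIN (False).
RESOLVES = {"acme.github.io": True, "acme-store.myshopify.com": False,
            "acme.wordpress.com": True}
# Constructed HTTP bodies for the targets that resolve.
BODIES = {"acme.github.io": "Site not configured yet (constructed placeholder)",
          "acme.wordpress.com": "<h1>Acme News</h1>"}
# Illustrative third-party suffixes and "unclaimed" phrases (assumptions).
THIRD_PARTY = (".github.io", ".myshopify.com", ".wordpress.com")
UNCLAIMED = ("not configured yet", "no such app")


def classify(name: str) -> tuple:
    """Return (finding, cname_target) for one subdomain. Findings:
    no-cname, first-party, dangling, unclaimed, ok."""
    target = ZONE.get(name)
    if target is None:
        return "no-cname", None
    if not target.endswith(THIRD_PARTY):
        return "first-party", target   # internal host; reviewed elsewhere
    if not RESOLVES.get(target, False):
        return "dangling", target      # NXDOMAIN: delete the CNAME record
    body = BODIES.get(target, "").lower()
    if any(phrase in body for phrase in UNCLAIMED):
        return "unclaimed", target     # service answers, nobody owns the name
    return "ok", target


def audit(zone: dict) -> dict:
    """Map every subdomain that needs action to its finding."""
    findings = {name: classify(name)[0] for name in zone}
    return {n: f for n, f in findings.items() if f in ("dangling", "unclaimed")}


if __name__ == "__main__":
    for name, finding in audit(ZONE).items():
        print(f"{finding:9} {name} -> {ZONE[name]}")
```

For a live audit, replace the `RESOLVES` and `BODIES` lookups with real DNS and HTTP queries against your own zone and keep the findings as a recurring check, since records are re-created and abandoned over time.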

Now there are many potential attack vectors (phishing, for example) with owning a victim subdomain, but an interesting one is using it to bypass CORS! That’s right, in most cases you won’t need to worry about finding a CORS misconfiguration, since subdomains are often within the allowed origin. Check out my previous weeks’ posts for an in-depth discussion of CORS exploitation.

![](/files/ErwPME243OBDbM9pbhMJ)

![](/files/bS7jCexLmgK8UrqmX9Co)
