pentesting

Why you aren't finding any subdomain takeover vulnerabilities

0xblackbird

Dec 9, 2024 — 3 min read

You have no automation set up or your automation process isn't robust and misses out on (quite a lot of) subdomain takeovers. This article provides answers to both faulty approaches.

Subdomain takeover vulnerabilities can (in most cases) form a significant security impact on a company or organization. You should always include testing for these types of security misconfigurations, regardless of whether you're performing any pentest or doing bug bounties.

What are subdomain takeovers

When a subdomain of a domain has a dangling DNS record set to an external domain or host that the admin organization no longer controls or no longer exists, it can lead to a subdomain takeover.

Take a look at this simple example:

When we navigate to "example-engineering.github.io" we come across a non-existing Github page. Further testing proves that the Github account "example-engineering" doesn't exist too.

We can create a Github account and publish our Github pages site that will be live on "example-engineering.github.io". And now since the CNAME record for "engineering.example.com" is still registered to point to "example-engineering.github.io", we can access the same page by visiting "engineering.example.com".

We now have control over a subdomain. We can host our XSS payload and perform unwanted actions on the main app on behalf of victim users. Or set up a more legitimate phishing campaign. Both attack vectors can lead to account takeover and sensitive data exposure.

This was just a simple example, if you're looking for an extensive list with all documented services, I can recommend the following public Github repository: https://github.com/EdOverflow/can-i-take-over-xyz.

How to find your first subdomain takeover

When you're starting in web security, you're playing against the odds. You don't have a methodology yet to follow nor experience to know what and where to look for. But that's all expected as you'll have to start somewhere.

If you're a beginner, I wouldn't recommend investing in any paid tooling or services yet.

I would instead recommend you focus on reconnaissance more, and learn how to map out every possible (sub)domain, asset, and host of your target. Once you've done that, you can use a simple open-source tool like Subjack to systematically check all dangling DNS records.

This approach is sufficient to significantly increase your chances of coming across a subdomain takeover vulnerability.

Let's move on to the more advanced methodology that guarantees consistent results.

Leveraging working methodologies to find more subdomain takeovers

The approach I took and the one that works for me is continuous scanning.

All I do now is just set up a daily recurring automated scan on our pentesting platform to perform subdomain enumeration (with DNS bruteforcing) and pass these to the subdomain takeover scanner.

That automated process is now responsible for finding new subdomains and notifying me of subdomain takeovers.

Using this approach, you can often detect subdomain takeovers long before others discover them. You can set up a simple server with a cronjob, just make sure you have a working reconnaissance process set up and are using a robust tool to systematically check for these security misconfigurations (most important part). I'm currently using a tool that can find subdomain takeovers in over 50 technologies and services.

How to prevent most false positives with an OAST server

False positives are commonly occurring in automated scanners. We all hate them because they give us false hope and make us excited for nothing. Luckily, there are multiple ways to get rid of them or at least reduce them to an acceptable level. In this article, I will be sharing

3 Main Ways To Use BLACKBIRD Pentesting Suite To Find More Vulnerabilities

1) Automated Vulnerability Scanner The core of BLACKBIRD is its comprehensive automated scanning capabilities. Unlike traditional vulnerability scanners that generate excessive noise, BLACKBIRD's intelligent automation helps you: * Scan multiple targets simultaneously * Reduce false positives * Focus on high-impact vulnerabilities * Generate detailed, actionable reports 💡RECOMMENDATION: Paste in URLs you'

Why Targeted Bruteforcing is Your Secret Weapon for Content Discovery

Most penetration testers rely on generic (and even outdated) wordlists for content discovery, missing critical endpoints that could expose serious vulnerabilities. But there's a more sophisticated approach that dramatically improves your results: targeted bruteforcing. Try The Interactive Demo → The Problem with Traditional Content Discovery Traditional content discovery often

Hunting Down Out-of-Band (OOB) SQL Injection Vulnerabilities With SQLS

SQLS (SQLSCANNER) is a powerful SQL Injection scanner that employs five distinct techniques to identify Full and Blind (including Time-based & Out-of-Band) SQL injection vulnerabilities. Powered by SQLMap, it offers comprehensive coverage for detecting CWE-89 issues that you can't find with other traditional tools. As a penetration tester,