
Subdomain Takeover Due To Misconfigured Project Settings


Subdomain Takeover Writeup

This post is published by Prial Islam on his blog at Medium and published here as a contributor on our blog. Note that the post is written by Prial Islam, and any mistake in writing will be entertained only from him. We allow anyone to write content on our blog as a guest/contributor so others can also learn. If you're interested in sharing your finding through our platform, just sign up on the blog and you can post freely.

Hi Readers,

Today I will write about subdomain takeover. It's a common security issue that is actually a developer's mistake: they leave an unused/unclaimed third-party service DNS CNAME record on one of their subdomains, and hackers can claim those subdomains with the help of the external service it points to, which could lead to serious issues. You can learn more about subdomain takeover from the Detectify blog.

While testing I got a domain that is under the Flock company. So I started looking at its subdomains and got subdomain . When I visited the subdomain in the browser I got an error like in the screenshot below:

Error Page

This caught my attention, so I checked the DNS record for this domain.

R3liGiOus_HuNt3r$ dig
; <<>> DiG 9.10.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 512
; IN A
;; Query time: 69 msec
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175

From the above record we can say the subdomain is pointing to CNAME . So I started looking at the custom domain documents on the website to understand how they work. From their documentation I understood that:

  • You need a subdomain pointing to your subdomain [].
  • Your subdomain should be configured in the domains settings on the following page<project

So to take it over I needed to check if it is already claimed or not. But unfortunately it was already claimed 🙁. But I have seen that many such services don't force users to verify their ownership of domains by using the same CNAME TXT record like their service subdomain. So there was still hope.

I opened an account in and I got a subdomain . Then I went to the domains settings and in the Custom Domain field used as value and saved the changes.

Now when I visited it redirected me to this page, which now says Not Yet Active.

See page title

This is shown because I am using a trial account. In the webpage title you will see my project name, which I used while creating the project. So now this domain is serving my content from the project page.

How to avoid such issues? Always keep your DNS records up to date. Remove CNAME or any other DNS records that are not in use.
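One way to carry out that clean-up, as an added example that is not part of the original writeup: audit a zone export for CNAME records that leave your own zone and are not in an inventory of third-party projects you still own. The zone, the provider names and the `IN_USE` inventory are constructed, hypothetical values.

```python
# Constructed zone export; every name here is a made-up placeholder.
ZONE = """\
$ORIGIN example.test.
www      300 IN CNAME  web.example.test.
docs     300 IN CNAME  acme-docs.saas-provider.test.
old-blog 300 IN CNAME  acme-blog.saas-provider.test.
mail     300 IN A      192.0.2.10
"""

# Hypothetical inventory: (record name, CNAME target) pairs backed by a
# third-party project the organisation still owns and has configured.
IN_USE = {("docs.example.test", "acme-docs.saas-provider.test")}


def fqdn(name, origin):
    """Return a lower-case absolute name without the trailing dot."""
    name = origin if name == "@" else name
    if not name.endswith("."):
        name = f"{name}.{origin}"
    return name.rstrip(".").lower()


def parse_cnames(zone_text):
    """Yield (owner, target) for each CNAME record in a simple zone export."""
    origin = ""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        upper = [f.upper() for f in fields]
        if upper[:1] == ["$ORIGIN"]:
            origin = fields[1]
        elif "CNAME" in upper[1:]:
            target = fields[upper.index("CNAME", 1) + 1]
            yield fqdn(fields[0], origin), fqdn(target, origin)


def dangling_cnames(zone_text, apex, in_use):
    """CNAMEs that leave the organisation's zone and are not in the inventory."""
    return [
        (owner, target)
        for owner, target in parse_cnames(zone_text)
        if not (target == apex or target.endswith("." + apex))
        and (owner, target) not in in_use
    ]


if __name__ == "__main__":
    for owner, target in dangling_cnames(ZONE, "example.test", IN_USE):
        print(f"remove or re-claim: {owner} -> {target}")
```

Each record it reports should either be deleted from the zone or matched to a project that is added to the inventory.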

If you find a security vulnerability feel free to contact them via


Writeup Submit: Prial Islam Khan

Blog Author: Md Hridoy

Copyright By © Bug Bounty TuT


