Severity: High | OWASP A05:2021 | CWE-350 | Security Misconfiguration

Subdomain Takeover

Subdomain takeover lets attackers claim abandoned subdomains pointing to deprovisioned cloud services, hosting malicious content that appears to come from your trusted domain.

What Is Subdomain Takeover?

Subdomain takeover occurs when a DNS record (CNAME) points to an external service that has been deprovisioned — but the DNS entry was never removed. An attacker can claim the resource on that service and start serving content from your subdomain.

The content appears to come from yoursubdomain.yourapp.com — fully trusted by users and browsers.

How It Works

  1. Your team deploys staging.yourapp.com → CNAME → yourapp.azurewebsites.net
  2. The Azure app is deleted (cost savings, project ended)
  3. The CNAME record remains in DNS
  4. Azure's "custom domain" page now shows: "This hostname is available"
  5. An attacker registers yourapp.azurewebsites.net on their Azure account
  6. They now control content at staging.yourapp.com

```bash
dig staging.yourapp.com CNAME
# → yourapp.azurewebsites.net

curl -s https://yourapp.azurewebsites.net
# → "404 Not Found" — unclaimed!
```

Real-World Impact

  • Phishing — serve a fake login page at login.yourapp.com
  • Cookie theft — set cookies on the parent domain if misconfigured
  • Malware distribution — host drive-by downloads from your trusted domain
  • OAuth abuse — if the subdomain was a registered OAuth redirect URI
  • Reputation damage — attacker content attributed to your company
  • CSP bypass — if the subdomain is in your Content-Security-Policy allowlist

Common Affected Services

| Service | "Unclaimed" indicator |
|---------|----------------------|
| GitHub Pages | 404 page with GitHub branding |
| Azure / Heroku | "No such app" |
| AWS S3 | NoSuchBucket XML error |
| Netlify | "Not Found" Netlify page |
| Shopify | "Sorry, this shop is currently unavailable" |
| Zendesk | "Oops, this help center no longer exists" |
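The table pairs each provider with the text it serves for a name nobody owns. The added example below (written for this page, not VibeWShield's own code) turns those pairs into a classifier that only raises a finding when both the CNAME target belongs to a known provider and the body carries that provider's indicator, so a healthy site that happens to say "Not Found" is not flagged. The azurewebsites.net suffix and the indicator strings come from the page; the other provider suffixes and the GitHub Pages text are assumed fingerprints to tune against current provider responses, and the sample records are constructed stand-ins for live DNS and HTTP results.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    service: str
    cname_suffixes: Tuple[str, ...]  # hostnames that identify the provider
    indicators: Tuple[str, ...]      # text the provider serves for an unclaimed name


# Assumed fingerprint set: azurewebsites.net and the indicator texts are from the
# page's table; the remaining suffixes and the GitHub text are assumptions.
FINGERPRINTS: Tuple[Fingerprint, ...] = (
    Fingerprint("GitHub Pages", ("github.io",), ("There isn't a GitHub Pages site here",)),
    Fingerprint("Azure App Service", ("azurewebsites.net",), ("404 Not Found", "No such app")),
    Fingerprint("Heroku", ("herokuapp.com",), ("No such app",)),
    Fingerprint("AWS S3", ("s3.amazonaws.com",), ("NoSuchBucket",)),
    Fingerprint("Netlify", ("netlify.app",), ("Not Found",)),
    Fingerprint("Shopify", ("myshopify.com",), ("Sorry, this shop is currently unavailable",)),
    Fingerprint("Zendesk", ("zendesk.com",), ("Oops, this help center no longer exists",)),
)


def _provider_for(host: str) -> Optional[Fingerprint]:
    """Match a CNAME target to a provider by hostname suffix (trailing dot tolerated)."""
    host = host.rstrip(".").lower()
    for fp in FINGERPRINTS:
        if any(host == s or host.endswith("." + s) for s in fp.cname_suffixes):
            return fp
    return None


def classify(cname_target: str, body: Optional[str]) -> Tuple[str, str]:
    """Return (service, verdict). body=None means the target has no DNS record at all."""
    fp = _provider_for(cname_target)
    if fp is None:
        return "unknown provider", "unknown"   # no fingerprint: do not guess from body text
    if body is None:
        return fp.service, "dangling"          # CNAME points at a name that no longer resolves
    if any(ind in body for ind in fp.indicators):
        return fp.service, "unclaimed"         # provider reports nobody owns this resource
    return fp.service, "claimed"


def audit(records: List[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """records: (subdomain, cname_target, body_or_None). Returns only actionable findings."""
    findings = []
    for subdomain, target, body in records:
        service, verdict = classify(target, body)
        if verdict in ("unclaimed", "dangling"):
            findings.append((subdomain, service, verdict))
    return findings


# Constructed sample data standing in for live lookups; None models an NXDOMAIN target.
SAMPLE_RECORDS = [
    ("staging.yourapp.com", "yourapp.azurewebsites.net.", "<html><body>404 Not Found</body></html>"),
    ("assets.yourapp.com", "yourapp-assets.s3.amazonaws.com.", "<Error><Code>NoSuchBucket</Code></Error>"),
    ("shop.yourapp.com", "yourapp.myshopify.com.", "<html><body>Welcome to our store</body></html>"),
    ("help.yourapp.com", "yourapp.zendesk.com.", None),
    ("www.yourapp.com", "edge.hosting.example.", "<html><body>Not Found</body></html>"),
]

if __name__ == "__main__":
    for subdomain, service, verdict in audit(SAMPLE_RECORDS):
        print(f"{subdomain}: {verdict} ({service})")
```

The last sample record shows the point of the two-part match: the body says "Not Found", but the target is not a known provider, so it is reported as unknown rather than as a takeover candidate.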

How to Fix

Audit your DNS records regularly:

```bash
# Export the zone from your DNS provider (dig ... ANY does not list subdomains),
# then check that each CNAME target still resolves to a resource you own
while read -r host; do
  echo "$host -> $(dig +short "$host" CNAME)"
done < subdomains.txt
```
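A zone export is the reliable input for this audit. The following added example (written for this page, not VibeWShield's code) parses a constructed BIND-format export of the kind most DNS providers let you download and lists every CNAME whose target lies outside the zone, which is exactly the set of hostnames you have handed to a third party. It expands `@` and relative names against `$ORIGIN` so in-zone aliases are not reported; the zone contents are made up, with the page's azurewebsites.net example reused.

```python
from typing import List, Optional, Tuple

# Constructed zone export (hostnames are the page's examples plus placeholders).
SAMPLE_ZONE = """\
$ORIGIN yourapp.com.
$TTL 300
@        IN SOA   ns1.yourapp.com. hostmaster.yourapp.com. ( 2024010101 3600 600 86400 300 )
@        IN NS    ns1.yourapp.com.
@        IN A     192.0.2.10
www      IN CNAME @
staging  IN CNAME yourapp.azurewebsites.net.   ; project ended, Azure app deleted
assets   600 IN CNAME yourapp-assets.s3.amazonaws.com.
help     IN CNAME yourapp.zendesk.com.
intranet IN CNAME app.corp   ; relative name, expands to app.corp.yourapp.com.
"""


def _qualify(name: str, origin: str) -> str:
    """Expand '@' and relative names the way a zone-file parser does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def _in_zone(host: str, origin: str) -> bool:
    return host == origin or host.endswith("." + origin)


def external_cnames(zone_text: str, default_origin: str = ".") -> List[Tuple[str, str]]:
    """Return (owner, target) for every CNAME whose target lies outside the zone."""
    origin = default_origin
    last_owner: Optional[str] = None
    findings: List[Tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]       # strip comments (sample has no quoted ';')
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):     # $TTL and other directives carry no records
            continue
        if raw[0].isspace():              # blank owner field: reuse the previous owner
            owner = last_owner
        else:
            owner = _qualify(tokens[0], origin)
            tokens = tokens[1:]
        last_owner = owner
        if "CNAME" not in tokens or owner is None:
            continue
        target = _qualify(tokens[tokens.index("CNAME") + 1], origin)
        if not _in_zone(target, origin):
            findings.append((owner, target))
    return findings


if __name__ == "__main__":
    for owner, target in external_cnames(SAMPLE_ZONE):
        print(f"{owner} -> {target}")
```

Each reported pair is a record to verify against the provider: either the resource behind the target is still yours, or the CNAME should be removed before anything else is deprovisioned.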

Remove DNS records immediately when deprovisioning a service:

```bash
# Before deleting the cloud resource:
# 1. Remove the DNS CNAME record
# 2. Then delete the cloud resource
# Never the other way around
```

Automate subdomain monitoring:

```python
# Check all CNAMEs for dangling or unclaimed targets
import dns.resolver
import httpx

VULNERABLE_PATTERNS = [
    "NoSuchBucket", "No such app", "There is no app",
    "Repository not found", "Help center closed",
]

your_subdomains = ["staging.yourapp.com"]  # load this list from your zone export

def alert(message):
    print(message)  # wire this up to your paging or ticketing system

for subdomain in your_subdomains:
    try:
        answers = dns.resolver.resolve(subdomain, "CNAME")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        continue  # no CNAME at this name, nothing to check via this path
    for answer in answers:
        target = str(answer.target).rstrip(".")  # dnspython returns a trailing-dot name
        try:
            dns.resolver.resolve(target, "A")
        except dns.resolver.NXDOMAIN:
            alert(f"DANGLING DNS: {subdomain} -> {target}")  # target no longer exists
            continue
        try:
            response = httpx.get(f"https://{target}", timeout=5, follow_redirects=True)
        except httpx.HTTPError:
            continue  # unreachable target: no fingerprint to compare against
        if any(p in response.text for p in VULNERABLE_PATTERNS):
            alert(f"POSSIBLE TAKEOVER: {subdomain} -> {target}")
```

What VibeWShield Detects

VibeWShield enumerates common subdomains and checks CNAME targets for "unclaimed" service signatures across 20+ major cloud providers. It flags both dangling CNAMEs and subdomains with known takeover fingerprints.

Tags: #subdomain #dns #cloud #takeover

Free security scan

Test your app for Subdomain Takeover

VibeWShield automatically checks for Subdomain Takeover and 40+ other vulnerabilities using 63 scanners — in under 3 minutes, no signup required.
