Resources
- General
- Exploitation
- By accalon : https://infosecwriteups.com/how-i-bought-my-way-to-subdomain-takeover-on-tokopedia-8c6697c85b4d
- By smaranchand : https://smaranchand.com.np/2019/12/subdomain-takeover-via-pantheon/
- Can I take over xyz : https://github.com/EdOverflow/can-i-take-over-xyz
- By infosecwriteups : https://infosecwriteups.com/subdomain-takeover-new-level-43f88b55e0b2 | https://infosecwriteups.com/subdomain-takeover-dew-to-missconfigured-project-settings-for-custom-domain-46e90e702969 | https://infosecwriteups.com/how-i-found-130-sub-domain-takeover-vulnerabilities-using-nuclei-39edf89d3c70
- By securitybreached : https://blog.securitybreached.org/2018/09/24/subdomain-takeover-via-unsecured-s3-bucket/ | Uber | bugcrowd | lamborghini
- By alirazzaq : https://alirazzaq.medium.com/subdomain-takeover-worth-200-ed73f0a58ffe
- Shopify : https://medium.com/@thebuckhacker/how-to-do-55-000-subdomain-takeover-in-a-blink-of-an-eye-a94954c3fc75
- By oxpatrick : Part1 | Part2
- By arneswinnen : https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/
- Reports
- Trump : https://thehackernews.com/2017/02/donald-trump-website-hacked.html
- Mohamed Haron : souqcom | Hubspot
- From Hacker1 : 335330 | 665398
Cheatsheet
Playbook: Commands & Tactics
- Recon
    dig CNAME system.facebook.com
    dig any system.facebook.com
- Automate
    subzy r --targets sub.txt
    nuclei -l live_suby.txt -t http/takeovers/
    cat live_suby.txt | cnames -v
Tools
- subzy : https://github.com/PentestPad/subzy
- nuclei-templates : https://github.com/projectdiscovery/nuclei-templates
- cnames : https://github.com/cybercdh/cnames
Notes
Not every 404 error means that the subdomain is vulnerable to subdomain takeover.