Practical & Step-by-Step guide to find Subdomain Takeover Vulnerability


Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:


Step-by-Step Process

Step 1: Recon

Collect subdomains (add more enumeration tools if you want wider coverage):

subfinder -d example.com -silent | anew subs.txt
amass enum -passive -d example.com | anew subs.txt

Provider error messages to look for (these are the fingerprints that signal an unclaimed resource):

AWS S3: NoSuchBucket error in response.

GitHub Pages: 404 There isn't a GitHub Pages site here.

Heroku: No such app error.

Resolve the CNAMEs and keep only the ones pointing at these providers (the grep is deliberately loose; you will filter properly in Step 2):

cat subs.txt | dnsx -cname -resp | grep -iE 's3|github|heroku' > cnames.txt

Step 2: Are all errors really exploitable?

Here’s how I filter:

  1. Check for “dangling” CNAMEs:

If dev.example.com → dev-example.herokuapp.com but Heroku answers with “No such app”, the CNAME is dangling and the subdomain is a takeover candidate.

Visit the CNAME target directly (e.g., dev-example.herokuapp.com). If the provider itself serves the “no such app” page, nobody owns that name on the platform and you can try to claim it.

  2. Avoid false positives:

A 404 on its own proves nothing. Some services return an error page for a missing resource but do not let you register that name (e.g., Shopify). Check the provider's current status in can-i-take-over-xyz before you spend time on it.

Step 3: Claiming the Subdomain

Let’s use an example: AWS S3 -

  1. Find an interesting CNAME: files.example.com → files.example.com.s3.amazonaws.com.
  2. Check whether the bucket exists:
aws s3 ls s3://files.example.com

If the response is NoSuchBucket, the bucket name is unregistered (S3 bucket names are global), so proceed.

  3. Create the bucket with the exact name from the CNAME (if the CNAME points at a regional website endpoint such as s3-website-<region>, create it in that region so the endpoint actually serves it) and upload a harmless PoC file:

aws s3 mb s3://files.example.com …
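The triage in Steps 1 to 3 (match the CNAME target to a provider, confirm the provider's "resource missing" fingerprint in the response, drop providers that are known not to be claimable, and for S3 pull the bucket name out of the CNAME) is easy to get wrong by hand when cnames.txt has a few hundred lines. The script below is an added example, not the author's tooling: it runs the same filter offline over a constructed sample of (subdomain, CNAME, HTTP status, body) records. The provider regexes, the Shopify marker text and the record format are assumptions; the S3, GitHub Pages and Heroku markers are the ones quoted in the write-up.

```python
"""Offline triage of CNAME records for subdomain-takeover candidates.

Added example (not the write-up author's code). Input records are constructed
in-line so the script runs without network access; in practice you would feed
it the output of dnsx plus an HTTP fetch of each subdomain.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    service: str
    target: re.Pattern   # matches the CNAME target hostname (assumed patterns)
    marker: str          # text the provider returns when the resource is gone
    claimable: bool      # False = known false positive (see can-i-take-over-xyz)


FINGERPRINTS = (
    # Covers bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com and
    # bucket.s3-website-<region>.amazonaws.com.
    Fingerprint("aws_s3",
                re.compile(r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
                "NoSuchBucket", True),
    Fingerprint("github_pages", re.compile(r"\.github\.io$"),
                "There isn't a GitHub Pages site here", True),
    Fingerprint("heroku", re.compile(r"\.herokuapp\.com$"), "No such app", True),
    # Assumed marker text; included only as an example of a non-claimable provider.
    Fingerprint("shopify", re.compile(r"\.myshopify\.com$"),
                "Sorry, this shop is currently unavailable", False),
)


def s3_bucket_name(cname: str) -> str:
    """Return the bucket name encoded in an S3 CNAME target, e.g.
    files.example.com.s3.amazonaws.com -> files.example.com."""
    host = cname.rstrip(".").lower()
    match = FINGERPRINTS[0].target.search(host)
    if match is None:
        raise ValueError(f"not an S3 endpoint: {cname}")
    return host[: match.start()]


def classify(subdomain: str, cname: str, status: int, body: str) -> dict:
    """Decide whether one subdomain is a takeover candidate.

    A 404 alone is not enough: the verdict is 'candidate' only when the CNAME
    points at a known provider, the provider's own 'missing resource' marker
    is in the body, and the provider lets anyone register the name.
    """
    host = cname.rstrip(".").lower()
    result = {"subdomain": subdomain, "cname": host, "status": status}
    for fp in FINGERPRINTS:
        if not fp.target.search(host):
            continue
        result["service"] = fp.service
        if fp.marker.lower() not in body.lower():
            result["verdict"] = "in_use"          # resource still exists
        elif not fp.claimable:
            result["verdict"] = "false_positive"  # error page, but not registrable
        else:
            result["verdict"] = "candidate"
            if fp.service == "aws_s3":
                result["bucket"] = s3_bucket_name(host)  # name to test with `aws s3 ls`
        return result
    result["service"] = None
    result["verdict"] = "unknown_provider"        # not in the fingerprint list
    return result


def triage(records) -> list:
    return [classify(*r) for r in records]


def candidates(records) -> list:
    return [r for r in triage(records) if r["verdict"] == "candidate"]


# Constructed sample input (not real DNS data): subdomain, CNAME, status, body.
SAMPLE_RECORDS = [
    ("dev.example.com", "dev-example.herokuapp.com", 404, "<title>No such app</title>"),
    ("files.example.com", "files.example.com.s3.amazonaws.com", 404,
     "<Error><Code>NoSuchBucket</Code></Error>"),
    ("docs.example.com", "example.github.io", 404, "There isn't a GitHub Pages site here."),
    ("blog.example.com", "blog-example.herokuapp.com", 200, "<html>Welcome to our blog</html>"),
    ("shop.example.com", "shops.myshopify.com", 404, "Sorry, this shop is currently unavailable."),
    ("mail.example.com", "mail.someprovider.net", 404, "Not found"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        extra = f" bucket={r['bucket']}" if "bucket" in r else ""
        print(f"{r['subdomain']:<20} {r['verdict']:<16} {r['service']}{extra}")
```

On the sample, only dev, files and docs come out as candidates; blog is still in use, shop is flagged as a false positive despite its 404, and mail is skipped because no fingerprint matches. Extending the tuple with further entries from can-i-take-over-xyz is the only change needed to cover more providers.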

$100-$1000 Worth Subdomain Takeover | Easy Bounty Methodology | by It4chis3c | Apr, 2025 | InfoSec Write-ups

