Practical & Step-by-Step guide to find Subdomain Takeover Vulnerability
Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:
Collect subdomains (you can use more tools if you want to discover more subdomains):
subfinder -d example.com -silent | anew subs.txt
amass enum -passive -d example.com | anew subs.txt
Errors to look for majorly:
AWS S3: "NoSuchBucket" error in the response.
GitHub Pages: "404 There isn't a GitHub Pages site here".
Heroku: "No such app" error.
cat subs.txt | dnsx -cname -resp | grep -iE 's3|github|heroku' > cnames.txt
Here’s how I filter:
If dev.example.com → dev-example.herokuapp.com but Heroku says “No such app”, it’s a vulnerability.
Visit the CNAME directly (e.g., dev-example.herokuapp.com). If it’s dead, you can claim it.
2. Avoid False Positives:
Some services show 404s but aren’t claimable (e.g., Shopify). Use can-i-take-over-xyz to check.
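A small triage script, added here and not part of the write-up, that applies the provider fingerprints above to dnsx output and folds in the false-positive rule from step 2; it is the same check a defender runs over their own zone to find dangling CNAMEs that need cleaning up. It assumes the dnsx `host [CNAME] [target]` line format and uses constructed sample records and response bodies in place of live HTTP fetches.

```python
import re

# Provider fingerprints from the write-up: the text returned for an unclaimed target.
FINGERPRINTS = {
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "herokuapp.com": ("Heroku", "No such app"),
}

# Providers that answer 404 but are not claimable (the write-up names Shopify);
# confirm the current list against can-i-take-over-xyz.
NOT_CLAIMABLE = {"myshopify.com": "Shopify"}

# Assumed `dnsx -cname -resp` line shape: host [CNAME] [target]
DNSX_LINE = re.compile(r"^(\S+) \[CNAME\] \[(\S+)\]$")

# Constructed sample input standing in for cnames.txt and for fetched bodies.
SAMPLE_DNSX = """\
dev.example.com [CNAME] [dev-example.herokuapp.com]
files.example.com [CNAME] [files.example.com.s3.amazonaws.com]
docs.example.com [CNAME] [example.github.io]
shop.example.com [CNAME] [example-store.myshopify.com]
"""
SAMPLE_BODIES = {
    "dev-example.herokuapp.com": "<h1>No such app</h1>",
    "files.example.com.s3.amazonaws.com": "<Code>NoSuchBucket</Code>",
    "example.github.io": "<title>Example docs</title>",
    "example-store.myshopify.com": "404 Not Found",
}


def parse_dnsx(text):
    """Return (host, cname_target) pairs; trailing dots and case are normalised."""
    out = []
    for line in text.splitlines():
        m = DNSX_LINE.match(line.strip())
        if m:
            out.append((m.group(1).lower(), m.group(2).rstrip(".").lower()))
    return out


def triage(target, body):
    """Classify one CNAME: candidate / not-claimable / live / unknown-provider."""
    if any(target.endswith(sfx) for sfx in NOT_CLAIMABLE):
        return "not-claimable"          # 404 from a provider that cannot be claimed
    for suffix, (_name, fingerprint) in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return "candidate" if fingerprint.lower() in body.lower() else "live"
    return "unknown-provider"           # no fingerprint on file; review by hand


def triage_all(dnsx_text, bodies):
    """Run triage over every record; unknown targets get an empty body."""
    return [(h, t, triage(t, bodies.get(t, ""))) for h, t in parse_dnsx(dnsx_text)]
```

Records marked "candidate" are the dangling entries to remove or re-point; "not-claimable" ones still deserve cleanup but are not a takeover risk.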
Let’s use an example: AWS S3 -
files.example.com → files.example.com.s3.amazonaws.com
aws s3 ls s3://files.example.com
If you see NoSuchBucket, proceed.
3. Create the bucket and upload a PoC:
aws s3 mb s3://files.example.com …