$100-$1000 Worth Subdomain Takeover | Easy Bounty Methodology | by It4chis3c | Apr, 2025 | InfoSec Write-ups

AI Summary Hide AI Generated Summary

Step-by-Step Subdomain Takeover Process

This guide details how to identify and exploit subdomain takeover vulnerabilities, a common bug bounty target. The process is divided into three main steps.

Step 1: Reconnaissance

Begin by collecting subdomains using tools like subfinder and amass. The output is then filtered to identify potential errors, focusing on common cloud providers.

Look for NoSuchBucket errors (AWS S3).
Check for 404 There isn't a GitHub Pages site here errors (GitHub Pages).
Identify No such app errors (Heroku).

The dnsx tool helps filter results based on potential vulnerabilities.

Step 2: Verification and Filtering

Not all errors indicate exploitable vulnerabilities. It's crucial to filter out false positives.

Check for Dangling CNAMEs: Verify if a CNAME points to a non-existent service (e.g., Heroku app).
Avoid False Positives: Use the can-i-take-over-xyz tool to determine if a service is truly claimable (avoiding services like Shopify that return 404 but aren't vulnerable).

Step 3: Claiming the Subdomain (AWS S3 Example)

The article uses an AWS S3 example to illustrate the claiming process.

Find an interesting CNAME: Identify a subdomain pointing to an AWS S3 bucket.
Check bucket existence: Use the aws s3 ls command. A NoSuchBucket error confirms the vulnerability.
Create and populate the bucket: Create the bucket and upload a proof-of-concept to claim the subdomain.

Practical & Step-by-Step guide to find Subdomain Takeover Vulnerability

Friend Link | Free Link

Hi geeks, it4chis3c (Twitter) came-up with another bounty earning write-up in the Bug Bounty Hunting Series:

Credit: Gemini | Imagen 3

Step-by-Step Process

Step 1: Recon

Collect subdomains (you can use more tools if you want to discover more subdomains)

subfinder -d example.com -silent | anew subs.txt  amass enum -passive -d example.com | anew subs.txt

Errors to look for majorly:

AWS S3: NoSuchBucket error in response.

GitHub Pages: 404 There isn't a GitHub Pages site here.

Heroku: No such app error.

cat subs.txt | dnsx -cname -resp | grep -iE 's3|github|heroku' > cnames.txt

Step 2: Are all errors really exploitable?

Here’s how I filter:

Check for “dangling” CNAMEs:

If dev.example.com → dev-example.herokuapp.com but Heroku says “No such app”, It’s a vulnerability.

Visit the CNAME directly (e.g., dev-example.herokuapp.com). If it’s dead, you can claim it.

2. Avoid False Positives:

Some services show 404s but aren’t claimable (e.g., Shopify). Use can-i-take-over-xyz to check.

Step 3: Claiming the Subdomain

Let’s use an example: AWS S3 -

Find an interseting CNAME: files.example.com → files.example.com.s3.amazonaws.com.
Check if the bucket exists:

aws s3 ls s3://files.example.com

If you see NoSuchBucket, proceed.

3. Create the bucket and upload a PoC:

aws s3 mb s3://files.example.com …

🧠 Pro Tip

Skip the extension — just come straight here.

We’ve built a fast, permanent tool you can bookmark and use anytime.

Go To Paywall Unblock Tool

Sign up for a free account and get the following:

Save articles and sync them across your devices

Get a digest of the latest premium articles in your inbox twice a week, personalized to you (Coming soon).

Get access to our AI features

Sign In With Google Sign Up With Email

Category: Cybersecurity

Tags: Bug Bounty Subdomain Takeover AWS S3 GitHub Pages Heroku

Open Archived Version

Save As Favorite

Add To Reading List

Share Article

Run Some AI Magic

Go To Original Article

Save articles to reading lists
and access them on any device

If you found this app useful,
Please consider supporting us.
Thank you!

Buy me a coffee!