$100-$1000 Worth Subdomain Takeover | Easy Bounty Methodology | by It4chis3c | Apr, 2025 | InfoSec Write-ups


This article provides a step-by-step guide on how to find and exploit subdomain takeover vulnerabilities for bug bounty hunting, focusing on AWS S3, GitHub Pages, and Heroku.

Practical & Step-by-Step guide to find Subdomain Takeover Vulnerability


Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:

Credit: Gemini | Imagen 3

Step-by-Step Process

Step 1: Recon

Collect subdomains (you can use more tools if you want to discover more subdomains)

subfinder -d example.com -silent | anew subs.txt
amass enum -passive -d example.com | anew subs.txt

The main errors to look for:

AWS S3: NoSuchBucket error in response.

GitHub Pages: 404 There isn't a GitHub Pages site here.

Heroku: No such app error.

cat subs.txt | dnsx -cname -resp | grep -iE 's3|github|heroku' > cnames.txt  

Step 2: Are all errors really exploitable?

Here’s how I filter:

1. Check for “dangling” CNAMEs:

If dev.example.com → dev-example.herokuapp.com but Heroku says “No such app”, it’s a vulnerability.

Visit the CNAME directly (e.g., dev-example.herokuapp.com). If it’s dead, you can claim it.

2. Avoid False Positives:

Some services show 404s but aren’t claimable (e.g., Shopify). Use can-i-take-over-xyz to check.
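
Added example (not the author's code): the Step 1 fingerprints and the Step 2 filter written as a triage script for auditing CNAME records in a zone you operate. The `RULES` table, the Shopify fingerprint and every record in `SAMPLE` are constructed assumptions; matching is on the CNAME suffix, so a name such as assets3.example.net that the loose grep would catch is not treated as S3.

```python
from dataclasses import dataclass

# (CNAME suffix, error fingerprint, claimable). The S3, GitHub Pages and Heroku
# fingerprints are the ones listed in Step 1; the Shopify row is an assumption
# standing in for a "shows an error but is not claimable" service.
RULES = [
    ("s3.amazonaws.com", "NoSuchBucket", True),
    ("github.io", "There isn't a GitHub Pages site here.", True),
    ("herokuapp.com", "No such app", True),
    ("myshopify.com", "Sorry, this shop is currently unavailable", False),
]

@dataclass
class Record:
    host: str   # name in the zone being audited
    cname: str  # CNAME target as resolved
    body: str   # HTTP response body served for the host

def triage(rec: Record) -> str:
    """Classify one record: dangling, false-positive, in-use or unknown-provider."""
    target = rec.cname.rstrip(".").lower()
    for suffix, fingerprint, claimable in RULES:
        # Suffix match on a label boundary, stricter than grep 's3|github|heroku'.
        if target == suffix or target.endswith("." + suffix):
            if fingerprint.lower() not in rec.body.lower():
                return "in-use"
            return "dangling" if claimable else "false-positive"
    return "unknown-provider"

def dangling_hosts(records):
    """Hosts whose DNS record should be removed or whose resource re-created."""
    return [r.host for r in records if triage(r) == "dangling"]

# Constructed sample data; example.com and all bodies are placeholders.
SAMPLE = [
    Record("files.example.com", "files.example.com.s3.amazonaws.com.",
           "<Error><Code>NoSuchBucket</Code></Error>"),
    Record("dev.example.com", "dev-example.herokuapp.com", "No such app"),
    Record("docs.example.com", "example.github.io", "<h1>Docs</h1>"),
    Record("shop.example.com", "shops.myshopify.com",
           "Sorry, this shop is currently unavailable."),
    Record("img.example.com", "assets3.example.net", "NoSuchBucket"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.host:20} {triage(rec)}")
    print("fix:", dangling_hosts(SAMPLE))
```
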

Step 3: Claiming the Subdomain

Let’s use AWS S3 as an example:

1. Find an interesting CNAME: files.example.com → files.example.com.s3.amazonaws.com.

2. Check if the bucket exists:

aws s3 ls s3://files.example.com

If you see NoSuchBucket, proceed.

3. Create the bucket and upload a PoC:

aws s3 mb s3://files.example.com …
