Top 25 Subdomain Takeover Bug Bounty Reports

Cristian Cornea
4 min readMar 15, 2022

In this article, we will discuss the Subdomain Takeover attack, and present 25 disclosed reports based on this flaw.

What is a Subdomain Takeover Vulnerability?

Theoretically, a Subdomain Takeover flaw is when an attacker can hijack the subdomain of a company, and control what content is being displayed when the users are navigating to that one.

Practically, you can do a Subdomain Takeover through hacking or registration of an existing DNS CNAME record of that subdomain.

Let’s take the following example:

  1. We have the domain “xyz.com” with the subdomain “victim.xyz.com”.
  2. The “victim.xyz.com” subdomain has a CNAME record that is pointing to another domain called “promotional-campaign-xyz.com”.
  3. You find that “promotional-campaign-xyz.com expired and you are able to purchase it.
  4. Once you get “promotional-campaign-xyz.com” in your control, you will have a page displaying any arbitrary content you want, that will be displayed once a user accesses “victim.xyz.com”.

My Favorite Scenario: Subdomain Takeover through Cloud Services

--

--

Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | SectionX.io | BSides Transylvania