Top 25 Subdomain Takeover Bug Bounty Reports

In this article, we will discuss the Subdomain Takeover attack, and present 25 disclosed reports based on this flaw.

What is a Subdomain Takeover Vulnerability?

Theoretically, a Subdomain Takeover flaw is when an attacker can hijack the subdomain of a company, and control what content is being displayed when the users are navigating to that one.

Practically, you can do a Subdomain Takeover through hacking or registration of an existing DNS CNAME record of that subdomain.

Let’s take the following example:

1. We have the domain “xyz.com” with the subdomain “victim.xyz.com”.
2. The “victim.xyz.com” subdomain has a CNAME record that is pointing to another domain called “promotional-campaign-xyz.com”.
3. You find that “promotional-campaign-xyz.com” expired and you are able to purchase it.
4. Once you get “promotional-campaign-xyz.com” in your control, you will have a page displaying any arbitrary content you want, that will be displayed once a user accesses “victim.xyz.com”.

My Favorite Scenario: Subdomain Takeover through Cloud Services