Top 25 Subdomain Takeover Bug Bounty Reports

Cristian Cornea
Mar 15, 2022

In this article, we will discuss the Subdomain Takeover attack, and present 25 disclosed reports based on this flaw.

What is a Subdomain Takeover Vulnerability?

In theory, a Subdomain Takeover flaw exists when an attacker can hijack a company's subdomain and control the content displayed to users who navigate to it.

In practice, a Subdomain Takeover is carried out by hacking or registering the target of an existing DNS CNAME record of that subdomain.

Let’s take the following example:

  1. We have the domain “xyz.com” with the subdomain “victim.xyz.com”.
  2. The “victim.xyz.com” subdomain has a CNAME record that is pointing to another domain called “promotional-campaign-xyz.com”.
  3. You find that “promotional-campaign-xyz.com” has expired and you are able to purchase it.
  4. Once “promotional-campaign-xyz.com” is under your control, you can host a page with any arbitrary content you want, and it will be displayed whenever a user accesses “victim.xyz.com”.

My Favorite Scenario: Subdomain Takeover through Cloud Services

I would like to mention one of my favorite scenarios of Subdomain Takeover, which is basically hijacking the CNAME records that are pointing to different Cloud-related services, such as Traffic Manager from Azure.

The following domains related to Azure services are suspected of being vulnerable:

*.cloudapp.net
*.cloudapp.azure.com
*.azurewebsites.net
*.blob.core.windows.net
*.azure-api.net
*.azurehdinsight.net
*.azureedge.net
*.azurecontainer.io
*.database.windows.net
*.azuredatalakestore.net
*.search.windows.net
*.azurecr.io
*.redis.cache.windows.net
*.servicebus.windows.net
*.visualstudio.com
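
From the defender's side, both the expired-domain example and the Azure scenario above come down to CNAME records whose target no longer resolves. The following is an added example, not code from the original article, that audits a zone export for such records; the sample zone, the function names and the injectable `resolves` callback are assumptions made for illustration.

```python
import socket

# Azure-related suffixes copied from the list in this article.
AZURE_SUFFIXES = (
    ".cloudapp.net", ".cloudapp.azure.com", ".azurewebsites.net",
    ".blob.core.windows.net", ".azure-api.net", ".azurehdinsight.net",
    ".azureedge.net", ".azurecontainer.io", ".database.windows.net",
    ".azuredatalakestore.net", ".search.windows.net", ".azurecr.io",
    ".redis.cache.windows.net", ".servicebus.windows.net", ".visualstudio.com",
)

# Constructed sample zone export (names are illustrative, not real assets).
SAMPLE_ZONE = """\
victim.xyz.com.  3600 IN CNAME promotional-campaign-xyz.com.
shop.xyz.com.    3600 IN CNAME xyz-shop.azurewebsites.net.  ; retired app
cdn.xyz.com.     3600 IN CNAME xyz-cdn.azureedge.net.
www.xyz.com.     3600 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Yield (owner, target) for 'owner [ttl] [IN] CNAME target' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing zone-file comments
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:               # needs an owner before and a target after
            i = types.index("CNAME", 1)
            yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()

def system_resolves(name):
    """True if the local resolver returns any address for name."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False

def audit(zone_text, resolves=system_resolves):
    """Return (owner, target, kind) for every CNAME whose target is dangling."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if resolves(target):
            continue  # still resolves; ownership of the resource is a separate check
        kind = next((s for s in AZURE_SUFFIXES if target.endswith(s)), "external")
        findings.append((owner, target, kind))
    return findings

if __name__ == "__main__":
    live = {"xyz-cdn.azureedge.net"}  # stub resolver so the demo runs offline
    for owner, target, kind in audit(SAMPLE_ZONE, resolves=live.__contains__):
        print(f"DANGLING {owner} -> {target} ({kind}): remove or re-point the record")
```

A target that still resolves can also be unclaimed on some services, so treat a clean result as a first pass and confirm that each cloud resource behind a CNAME is still one you own.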

You can find more services like these by taking a look at this GitHub repository:

Cristian Cornea

🇷🇴 Founder @ Zerotak Security & Cyber Security Training Centre of Excellence (CSTCE)