Subdomain Takeover Hunting: Provider Fingerprints and Race Conditions
Cybersecurity
Subdomain takeovers are still abundant because cloud retirement is messy. This guide covers provider fingerprints that flag candidates, the can-i-take-over-xyz workflow, race conditions during provider migrations, and how to demonstrate impact responsibly.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 23, 2023 · 9 min read
The Takeover Setup
A subdomain points to a third-party service that no longer hosts content for it. If the attacker can claim that service slot, they control content under the target's domain, with the target's TLS and cookies attached.
Recon Workflow
- Enumerate subdomains with amass, subfinder, assetfinder
- Resolve and capture CNAMEs with dnsx
- Probe HTTP responses with httpx
- Match response bodies to known fingerprints with subjack or subzy
Provider Fingerprints to Know
- GitHub Pages: 404 with "There isn't a GitHub Pages site here"
- Heroku: the no-such-app.herokuapp.com response page
- AWS S3: "NoSuchBucket" XML error response
- Azure: 404 with "web app name not found"
- Fastly: "Fastly error: unknown domain"
The can-i-take-over-xyz repository maintains the canonical list with the current status of each provider. Read it before claiming a takeover: some fingerprints look exploitable, but the provider has already closed the gap.
Race Conditions in Migrations
When a target migrates from one provider to another, the DNS may flip before the new origin is configured. A small window opens where the old provider still resolves and the new one is empty. Monitoring with dnsx every few minutes can catch it.
Wildcard Pitfalls
A wildcard A record covers every subdomain. If a specific CNAME points elsewhere but the wildcard catches the takeover candidate, the fingerprint may not show. Always check explicit records and wildcard fallback separately.
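A dangling-record audit a zone owner can run over their own explicit CNAMEs, combining the fingerprint match from the list above with the wildcard check just described. This is an added example, not the post's tooling or any of the tools it names; the resolver and HTTP fetcher are injected so it runs offline on constructed data, and the CNAME suffix paired with each fingerprint string is an assumption made here.

```python
import secrets

# Match strings taken from the post's fingerprint list; the CNAME suffix paired
# with each is an assumption made for this example.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "fastly.net": "Fastly error: unknown domain",
}

def wildcard_covers(resolve, name):
    # A random sibling label that still resolves means a wildcard record sits
    # under the same parent and can hide NXDOMAIN for the real candidate.
    parent = name.split(".", 1)[1]
    return bool(resolve(f"{secrets.token_hex(6)}.{parent}", "A"))

def audit(resolve, fetch_body, zone):
    """Classify each explicit CNAME (name, target) in a zone you administer."""
    results = {}
    for name, target in zone:
        provider = next((p for p in FINGERPRINTS if target.endswith("." + p)), None)
        if not resolve(target, "A"):
            status = "dangling-nxdomain"        # target host no longer exists at all
        elif provider and FINGERPRINTS[provider].lower() in fetch_body(name).lower():
            status = "unclaimed-provider-slot"  # provider serves its 'not found' page
        else:
            status = "ok"
        if status != "ok" and wildcard_covers(resolve, name):
            status += "+wildcard"               # HTTP probes may hit the wildcard instead
        results[name] = status
    return results

# Constructed zone, DNS answers and HTTP bodies so the audit runs offline.
ZONE = [("docs.example.test", "example-org.github.io"),
        ("legacy.example.test", "legacy-cdn.retired-provider.test"),
        ("www.example.test", "live-site.azurewebsites.net"),
        ("assets.corp.test", "assets-bucket.s3.amazonaws.com")]
FAKE_A = {"example-org.github.io": ["192.0.2.10"],
          "live-site.azurewebsites.net": ["192.0.2.30"],
          "assets-bucket.s3.amazonaws.com": ["192.0.2.40"]}
FAKE_BODIES = {"docs.example.test": "<h1>404</h1>There isn't a GitHub Pages site here.",
               "www.example.test": "<html>Welcome to the live site</html>",
               "assets.corp.test": "<Error><Code>NoSuchBucket</Code></Error>"}

def fake_resolve(name, rrtype):
    if rrtype == "A" and name in FAKE_A:
        return FAKE_A[name]
    if rrtype == "A" and name.endswith(".example.test"):
        return ["198.51.100.1"]                 # wildcard *.example.test catch-all
    return []                                   # NXDOMAIN

def run_audit():
    return audit(fake_resolve, lambda n: FAKE_BODIES.get(n, ""), ZONE)
```

Swap `fake_resolve` and the body lambda for a real resolver and HTTP client to run it against your own zone; the "+wildcard" suffix tells you to re-check that name's explicit record separately from the wildcard fallback.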
Proving Impact Without Crossing the Line
Claim the provider slot with a minimal payload: a static HTML page that proves you control the origin. Do not collect cookies, and do not phish. Most programs accept a screenshot of the claimed page showing a unique string.
Beyond HTML Takeover
- Cookie scope abuse from .target.com cookies on a takeover subdomain
- CORS configurations that trust *.target.com
- OAuth redirect_uri wildcards that now point to attacker content
- Email reputation and SPF passthrough
Edge Cases Worth Hunting
- NS record pointing to an unregistered nameserver
- MX record pointing to a defunct email provider
- TXT record referencing a third-party verification that has rotated
Tooling Summary
- subjack and subzy for automated detection
- nuclei templates for takeover signatures
- dnsx and httpx for fast resolution
- can-i-take-over-xyz for provider state
Subdomain takeover is recon and patience. The hunters who watch domains over weeks find what one-shot scanners miss.
Closing
Cloud sprawl creates takeovers faster than companies retire them. The hunters who automate recon and check fingerprints daily own this category.