FEB 28, 2025·6 min read

Subdomain Takeover at Scale: Automating Discovery

Offensive Security, Tooling

Subdomain takeover vulnerabilities occur when an organization abandons a cloud resource but fails to remove its DNS record, leaving a dangling CNAME or NS record pointing to a deprovisioned service. Attackers can claim the orphaned resource, effectively hijacking the subdomain to serve malicious content, intercept cookies, or bypass CSP policies.

The DNS Enumeration Pipeline

SecRecon's subdomain discovery engine combines multiple data sources to build a comprehensive attack surface map. The pipeline begins with passive sources: certificate transparency logs (CRT.sh, Censys), DNS zone transfers where permitted, and passive DNS aggregators (VirusTotal, SecurityTrails). Active enumeration follows using wordlists optimized for cloud services: AWS (s3-, ec2-, elasticbeanstalk-), Azure (blob.core.windows.net, azurewebsites.net), and GCP (storage.googleapis.com, run.app).

# Dangling record detection logic
# Helpers referenced below (VULNERABLE_PATTERNS, check_provisioned_status,
# classify_cloud_provider, check_ns_takeover) are not shown in this excerpt.
import dns.asyncresolver
import dns.resolver

async def detect_takeover_candidate(subdomain):
    """Return a finding dict for a claimable dangling record, otherwise None."""
    try:
        # dnspython's awaitable API is dns.asyncresolver; dns.resolver.resolve blocks
        answers = await dns.asyncresolver.resolve(subdomain, 'CNAME')
        for rdata in answers:
            target = rdata.target.to_text()

            # Check for known vulnerable cloud patterns
            if any(pattern in target for pattern in VULNERABLE_PATTERNS):
                # Verify if target is claimable
                status = await check_provisioned_status(target)
                if status == 'UNCLAIMED':
                    return {
                        'subdomain': subdomain,
                        'cname': target,
                        'severity': 'CRITICAL',
                        'service': classify_cloud_provider(target)
                    }
    except dns.resolver.NoAnswer:
        # Name exists but carries no CNAME (A/AAAA only): no alias to dangle
        return None
    except dns.resolver.NXDOMAIN:
        # Check for dangling NS records
        return await check_ns_takeover(subdomain)
    return None

Automated Verification

Distinguishing between a deprovisioned resource and a simply unreachable one requires protocol-specific checks. For AWS S3 buckets, we issue a ListBuckets request; for GitHub Pages, we check the repository existence API; for Heroku, we probe the app metadata endpoint. Each cloud provider has distinct error signatures — NXDOMAIN on the target, 404 NoSuchBucket for S3, or repository not found for GitHub Pages.

"In a 30-day scan of Fortune 500 domains, we identified 147 dangling CNAME records, 23 of which were immediately claimable. The median time-to-discovery for these vulnerabilities was 14 months after resource deprovisioning."

Remediation and Monitoring

Remediation requires DNS hygiene discipline: maintain an asset inventory mapping DNS records to provisioned resources, implement deletion workflows that validate DNS cleanup, and use infrastructure-as-code (Terraform, CloudFormation) where DNS and resource lifecycle are coupled. For monitoring, we recommend continuous scanning with alerting thresholds — any subdomain resolving to a 404 bucket or NXDOMAIN target should trigger immediate security review.
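The triage step behind that alerting rule, written as an added example rather than SecRecon's own code: each CNAME from a zone export is mapped to a provider by target suffix, then judged against the provider's "resource gone" signature (NXDOMAIN on the target, or the 404 NoSuchBucket response described in the verification section). The suffix list and signature table are assumed and illustrative; the probe is injected so the logic runs offline against constructed observations.

```python
from dataclasses import dataclass

# Target suffixes for providers the article names. Illustrative, not exhaustive.
PROVIDER_SUFFIXES = {
    ".s3.amazonaws.com": "aws-s3",
    ".azurewebsites.net": "azure-appservice",
    ".blob.core.windows.net": "azure-blob",
    ".storage.googleapis.com": "gcp-storage",
    ".github.io": "github-pages",
    ".herokuapp.com": "heroku",
}

@dataclass
class Observation:
    """How the CNAME target answered when probed (constructed in the test)."""
    nxdomain: bool = False
    http_status: int = 0
    body: str = ""

# Per-provider "resource gone" fingerprints. Assumed table: S3's NoSuchBucket is
# from the article, the GitHub Pages string is its public 404 text. A target that
# returns NXDOMAIN is treated as dangling for every provider (e.g. Azure).
DANGLING_SIGNATURES = {
    "aws-s3": lambda o: o.http_status == 404 and "NoSuchBucket" in o.body,
    "github-pages": lambda o: (o.http_status == 404
                               and "There isn't a GitHub Pages site here" in o.body),
}

def classify_provider(target):
    host = target.rstrip(".").lower()  # zone exports carry a trailing dot
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host.endswith(suffix):
            return provider
    return None

def triage_cname(name, target, probe):
    """Verdict for one CNAME: not-cloud, ok, or dangling (escalate to review).
    probe(target) -> Observation; inject a real resolver/HTTP client in production."""
    record = {"subdomain": name, "cname": target}
    provider = classify_provider(target)
    if provider is None:
        return {**record, "verdict": "not-cloud"}
    obs = probe(target)
    if obs.nxdomain:
        return {**record, "provider": provider, "verdict": "dangling", "reason": "target NXDOMAIN"}
    if DANGLING_SIGNATURES.get(provider, lambda _: False)(obs):
        return {**record, "provider": provider, "verdict": "dangling",
                "reason": f"provider error signature (HTTP {obs.http_status})"}
    return {**record, "provider": provider, "verdict": "ok"}
```

Records with verdict "dangling" are the ones the article says should page a reviewer; "not-cloud" targets are skipped without a probe, which keeps the daily run cheap.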

SecRecon's takeover detection module runs daily against configured domains, integrating with Slack and PagerDuty for real-time alerting. The tool is open-sourced under MIT license with support for custom wordlists, rate-limited scanning, and JSON/CSV export formats for vulnerability management platforms.
