
Subdomain Takeover

A vulnerability where an attacker claims control of a subdomain that points to an unclaimed or decommissioned external service.

Subdomain takeover occurs when a DNS record (typically a CNAME) points to an external service that has been decommissioned or never fully configured, and an attacker registers the same resource on that external service to gain control of the subdomain. The attacker can then serve arbitrary content on a subdomain belonging to the target organization, inheriting the trust associated with the parent domain.

How It Works

Organizations frequently use third-party services for hosting landing pages, blogs, documentation, support portals, and other content, pointing subdomains like blog.example.com to these services via CNAME records. When the organization cancels the service or changes providers without removing the DNS record, the CNAME becomes a dangling reference pointing to an unclaimed resource.

An attacker discovers these dangling records through DNS enumeration and subdomain scanning during reconnaissance. They then sign up on the target service provider and claim the same resource name that the CNAME points to. Once configured, any request to blog.example.com resolves through the CNAME to the service where the attacker now controls the content. The attacker can serve phishing pages, host malware, or steal cookies scoped to the parent domain.

The threat is amplified because browsers treat the attacker's content as belonging to the legitimate domain. If cookies are scoped to .example.com, the attacker's takeover of blog.example.com allows them to read and set cookies for the entire domain, potentially enabling session hijacking on the main application. The attacker can also often obtain a legitimate SSL certificate for the subdomain through automated certificate authorities that validate domain control via DNS.

Why It Matters

Subdomain takeover combines low exploitation difficulty with high impact. The attacker operates under the organization's domain name, inheriting user trust and browser security policies. Regular DNS auditing and decommissioning procedures that remove DNS records before canceling external services are essential preventive measures. Security assessments include subdomain enumeration specifically because dangling DNS records are common and the takeover process is straightforward.
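
The DNS auditing described above can be run offline against a zone export. The following is an added example, not code from the original page: it flags CNAME records whose target is neither defined in the zone nor listed in an inventory of still-provisioned external resources. The zone contents, provider hostnames, inventory, and function names are all constructed or hypothetical.

```python
# Constructed sample data throughout: zone records, provider hostnames, inventory.
ZONE_ORIGIN = "example.com."
ZONE_EXPORT = """\
; name      ttl   class type   value
www         300   IN    A      192.0.2.10
blog        300   IN    CNAME  acme-blog.pages.hosting.example.
docs        300   IN    CNAME  acme-docs.pages.hosting.example.
support     300   IN    CNAME  acme.helpdesk.example.
shop        300   IN    CNAME  www
old         300   IN    CNAME  legacy
"""
# Hypothetical inventory of external resources still provisioned (e.g. from a CMDB).
ACTIVE_EXTERNAL = {"acme-docs.pages.hosting.example.", "acme.helpdesk.example."}

def fqdn(name, origin=ZONE_ORIGIN):
    """Expand a relative zone-file name to a lower-case absolute name."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, rtype, value) tuples; ';' comments and short lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5:
            owner, _ttl, _cls, rtype, value = fields[:5]
            records.append((fqdn(owner), rtype.upper(), value))
    return records

def find_dangling(zone_text, active_external):
    """List CNAMEs whose target is neither in the zone nor still provisioned."""
    records = parse_zone(zone_text)
    owners = {owner for owner, _, _ in records}
    findings = []
    for owner, rtype, value in records:
        if rtype != "CNAME":
            continue
        target = fqdn(value)
        in_zone = target.endswith("." + ZONE_ORIGIN)
        known = target in owners if in_zone else target in active_external
        if not known:
            findings.append((owner, target, "internal" if in_zone else "external"))
    return findings

if __name__ == "__main__":
    for owner, target, kind in find_dangling(ZONE_EXPORT, ACTIVE_EXTERNAL):
        print(f"DANGLING {kind}: {owner} -> {target}")
```

Each finding is a record to remove or re-point before, not after, the external service is cancelled.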
