Subdomain Takeover

Severity: Medium to Critical

return home


Subdomain takeover vulnerabilities occur when a subdomain ( is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing, and claim is a subdomain pointing to a GitHub page. If someone deletes and forgets to remove the DNS entry pointing to this page, then you could serve content on

Hackers commonly use subdomain scraping and brute-forcing tools such as Sublist3r to find all the subdomains of a target. They will then check the DNS records and/or use a screen-shot script to detect vulnerable subdomains. A subdomain pointing to a GitHub page returning a 404, may be an indicator that it can be claimed on GitHub.

GitHub 404 page

Security Impact

A successful subdomain takeover enables an attacker to serve content on the subdomain. If the subdomain is a child domain of the service’s basename, then the attacker can read and set cookies on the basename too – can set cookies for

Here is a real-world case of a subdomain takeover performed by Frans Rosén on

Subdomain takeover by Frans Rosén

As you can see in the screenshot, Frans served a page on a hidden path (login123) instead of serving content on the landing page. It is best practice to do this so that you do not damage the company’s image.


Make sure to remove the DNS entry on the subdomain pointing to the deleted service to ensure that nobody can take it over.

return home | suggest changes