What is subdomain takeover?

A subdomain takeover is when attackers gain complete control of their target subdomain. This happens when the CNAME of the subdomain is misconfigured.

How can you identify it?

There are multiple ways to take over a subdomain; it depends on which kind of service they are using and whether it is vulnerable or not. There is a very famous GitHub repository that helps me find subdomain takeovers. It is can-i-take-over-XYZ, and it provides a lot of the information you need to confirm whether we can take over the subdomain or not.

How to find subdomain takeovers

When we are done with our recon, we have a lot of subdomains to check for whether we can take them over or not. To check them, we are going to use tools such as Subjack, sub404, and Tko-subs to see if we can find any potential subdomain takeover. By using these tools you can save time and quickly check all of the subdomains, but I think you are going to find duplicates a lot of the time. So I suggest you write your own script. I know it is hard, but after making your own script you are going to find fewer duplicates and more bounties.

My Experience

This is just a story from yesterday, when I was doing bug bounty on a target. After completing my recon on it, I checked screenshots of all the subdomains with gowitness. I found some interesting subdomain screenshots. Among them, I found a very interesting error: it was a Fastly error.

Looking at that error, it tells me to check whether this domain has been added to the service or not. After doing some research on this, I came to know that the error occurs when the domain is not listed on the Fastly service. Then I went to Fastly, made an account, went to create a delivery service, added that domain in the domain field, and clicked Add, but unfortunately it told me the domain is already taken by another customer.

I was a little bit sad at that point, but always check whether a subdomain is under the control of the owner or not. Do not just report after finding a simple error.
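A starting point for the kind of own script suggested above, which also encodes the lesson from the Fastly case: a matching error page is only a candidate until ownership has been checked with the provider. This is an added example, not the author's script; the record format, the function names, the sample hosts and the Fastly fingerprint string are assumptions.

```python
# Assumed fingerprint for Fastly's "unknown domain" page; confirm the exact
# text against the current can-i-take-over-xyz entry before relying on it.
FINGERPRINTS = {"fastly": "fastly error: unknown domain"}

# Constructed sample: (hostname, CNAME target, response body) from several tools.
SAMPLE = [
    ("cdn.example.com.", "edge.example.net.",
     "Fastly error: unknown domain: cdn.example.com. Please check that "
     "this domain has been added to a service."),
    ("CDN.example.com", "edge.example.net", "Fastly error: unknown domain"),
    ("www.example.com", "", "<html>Welcome</html>"),
    ("shop.example.com", "store.example.net", "<html>Store</html>"),
]


def normalize(name):
    """Lowercase and drop the trailing dot so repeated hosts compare equal."""
    return name.strip().lower().rstrip(".")


def match_service(body):
    """Return the service whose fingerprint appears in the body, else None."""
    text = body.lower()
    return next((s for s, fp in FINGERPRINTS.items() if fp in text), None)


def triage(records):
    """Merge records per host and label each one for manual follow-up."""
    merged = {}
    for host, cname, body in records:
        host, cname = normalize(host), normalize(cname)
        service = match_service(body)
        prev = merged.get(host)
        if prev is None or (service and not prev["service"]):
            merged[host] = {"host": host, "cname": cname, "service": service}
    for rec in merged.values():
        if not rec["cname"]:
            rec["status"] = "no-cname"
        elif rec["service"]:
            # Error page alone proves nothing; the owner may still hold the domain.
            rec["status"] = "candidate-verify-ownership"
        else:
            rec["status"] = "no-fingerprint"
    return sorted(merged.values(), key=lambda r: r["host"])


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["status"], finding["host"], finding["cname"])
```

The same output works for auditing your own DNS inventory: every `candidate-verify-ownership` row is a CNAME to review and either re-claim at the provider or delete.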

