Subdomain Takeover vulnerability and how to find it using a simple technique

Abd El Rahman Ezzat
2 min read · May 23, 2023

Introduction :

In this article, I’ll be diving into the world of subdomain takeover and exploring how to find subdomain takeover vulnerabilities in a simple way.

Subdomain Takeover :

A subdomain takeover becomes possible when a subdomain of the company points to a third-party service under a name that is not registered on that service. If you can create an account on this third-party service and register that name, you can perform the subdomain takeover.


Checking for Subdomain Takeover Vulnerabilities :

Nuclei is an open-source project that provides a framework for fast and customizable vulnerability scanning. It includes a variety of templates for identifying vulnerabilities in web applications, including takeover templates that can be used to identify subdomain takeover vulnerabilities.

$ subfinder -dL domains.txt | httpx -silent > subdomains.txt ; nuclei -t ~/.local/nuclei-templates/http/takeovers/ -l subdomains.txt

It seems that we are now able to take over the subdomain, which already pointed to an unregistered web service on the third-party web hosting service “strikingly”.
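From the defender's side, the condition described under "Subdomain Takeover" can be audited in your own zone by comparing every CNAME that points at a third-party service with the names you have actually registered there. The script below is an added example, not code from the original article; the zone export, the service suffixes and the inventory are all constructed for illustration.

```python
# Added example: audit an exported DNS zone for CNAMEs that point at a
# third-party service name the organisation has not registered.
# Every name, suffix and record below is constructed for illustration.

# Assumed: suffixes of third-party hosting services the organisation uses.
THIRD_PARTY_SUFFIXES = ("hosting.example.net", "pages.example.org")

# Assumed: inventory of names actually registered on those services.
CLAIMED_TARGETS = {"shop-acme.hosting.example.net", "docs-acme.pages.example.org"}

ZONE_EXPORT = """\
; constructed zone export for acme.example
www      3600 IN A     192.0.2.10
shop     3600 IN CNAME shop-acme.hosting.example.net.
promo    3600 IN CNAME Promo2021.hosting.example.net.
docs     300  IN CNAME docs-acme.pages.example.org.
blog     300  IN CNAME blog.internal.acme.example.
"""

def parse_cnames(zone_text, origin):
    """Yield (fqdn, target) for each CNAME record in a simple zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split columns
        if "CNAME" not in fields or fields.index("CNAME") + 1 >= len(fields):
            continue
        name = fields[0]
        target = fields[fields.index("CNAME") + 1].rstrip(".").lower()
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        yield fqdn.lower(), target

def is_third_party(target):
    """True if the CNAME target lives under one of the listed service suffixes."""
    return any(target == s or target.endswith("." + s) for s in THIRD_PARTY_SUFFIXES)

def find_dangling(zone_text, origin, claimed):
    """Return CNAMEs whose third-party target is missing from the inventory."""
    return sorted((fqdn, target) for fqdn, target in parse_cnames(zone_text, origin)
                  if is_third_party(target) and target not in claimed)

if __name__ == "__main__":
    for fqdn, target in find_dangling(ZONE_EXPORT, "acme.example", CLAIMED_TARGETS):
        print(f"REVIEW: {fqdn} -> {target} (not in service inventory)")
```

Records flagged this way should either have the name re-registered on the service or the DNS record removed.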
