Subdomain Takeover vulnerability and how to find it using a simple technique
Introduction:
In this article, I’ll be diving into the world of subdomain takeover and exploring how to find subdomain takeover vulnerabilities in a simple way.
Subdomain Takeover:
A subdomain takeover is possible when a company's subdomain points to a third-party service under a name that is not registered there. If you can create an account on that third-party service and register the name yourself, you can take over the subdomain.
Checking for Subdomain Takeover Vulnerabilities:
Nuclei is an open-source project that provides a framework for fast and customizable vulnerability scanning. It includes a variety of templates for identifying vulnerabilities in web applications, including takeover templates that can be used to identify subdomain takeover vulnerabilities.
$ subfinder -dL domains.txt | httpx -silent > subdomains.txt ; nuclei -t ~/.local/nuclei-templates/http/takeovers/ -l subdomains.txt
It seems we are now able to take over the subdomain, which was still pointing to an unregistered site on the third-party web hosting service “strikingly”.
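From the defender's side, the condition described under "Subdomain Takeover" can be audited directly in your own DNS data. The script below is an added example, not part of the original article: it lists the CNAME records in a zone export that point outside the zone, then filters out targets already confirmed as registered. The zone example.com, the provider hosting-provider.example, the sample records and the inventory file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit a zone export for
# CNAME records that point outside the organisation's own domain.
# Assumes BIND-style text, owner name first; zone name given as argument.

# Constructed sample export for the placeholder zone example.com.
sample_zone() {
  cat <<'EOF'
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
www      IN CNAME web.example.com.
shop     300 IN CNAME shop-example.hosting-provider.example. ; site builder
blog     IN CNAME old-campaign.hosting-provider.example.
intranet IN CNAME gateway
docs     IN A     192.0.2.10
EOF
}

# external_cnames ZONE < zonefile
# Prints "<owner> <target>" for every CNAME whose target is outside ZONE.
external_cnames() {
  awk -v zone="$1" '
    function fqdn(n) {                 # expand "@" and relative names
      if (n == "@") return zone
      if (n ~ /\.$/) return substr(n, 1, length(n) - 1)
      return n "." zone
    }
    /^[ \t]*(;|$)/ || /^\$/ { next }   # comments, blank lines, directives
    {
      sub(/[ \t]*;.*$/, "")            # drop trailing comment
      for (i = 2; i < NF; i++) if (toupper($i) == "CNAME") {
        owner = tolower(fqdn($1)); target = tolower(fqdn($(i + 1)))
        suffix = substr(target, length(target) - length(zone))
        if (target != zone && suffix != "." zone) print owner, target
      }
    }'
}

# unverified_cnames ZONE INVENTORY < zonefile
# INVENTORY (hypothetical file) lists third-party targets the team has
# confirmed are still registered to it; everything else needs review.
unverified_cnames() {
  external_cnames "$1" | awk -v inv="$2" '
    BEGIN { while ((getline line < inv) > 0) known[tolower(line)] = 1 }
    !($2 in known)'
}

sample_zone | external_cnames example.com
```

Records reported by unverified_cnames should either be re-verified against the provider account or deleted; when a third-party site is decommissioned, remove the DNS record before releasing the name on the provider.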