Subdomain Takeover Vulnerability
Subdomain takeover is a high-severity vulnerability that affects many websites. It is caused by a dangling DNS record: a company points a subdomain, via a CNAME, at a third-party service such as Zendesk, Mailgun, Bitly or AWS, later stops using that service, and the sysadmin forgets to remove the CNAME that still points at the provider. Because the provider no longer associates the subdomain with any account, an attacker can claim the abandoned resource (a bucket, app or site name) under their own account and serve arbitrary content on the victim's subdomain, with no authentication to the victim required. That content inherits the trust of the parent domain, which is what makes the bug serious.
You can check for subdomain takeover manually by digging into the DNS records of each subdomain: follow the CNAME chain, see which provider it ends at and whether that target still resolves, and compare it against a list of services known to be vulnerable to takeover (such as can-i-take-over-xyz). You can also automate the check. There are many tools that scan for subdomain takeover, and one of them is Subzy.
Subzy is a subdomain takeover tool that works by matching HTTP response fingerprints from can-i-take-over-xyz.
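The two checks described above (the manual DNS check and the response-fingerprint match that Subzy automates) combined in one small Go program. This is an added example, not code from the original page or from the Subzy project; the service table, the example.com subdomains and the function names are assumptions made for illustration, and the four fingerprints are quoted from memory and should be confirmed against can-i-take-over-xyz before use. `Assess` is pure and runs on constructed observations; `Observe` shows how the same observation would be gathered live with the standard library.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
	"time"
)

// Service: a takeover-prone provider, a substring marking its CNAME targets, and the
// body text an unclaimed resource answers with. Entries are from memory (assumption).
type Service struct{ Name, CNAMEMarker, Fingerprint string }

var services = []Service{
	{"GitHub Pages", "github.io", "There isn't a GitHub Pages site here."},
	{"Heroku", "herokuapp.com", "No such app"},
	{"AWS S3", "amazonaws.com", "The specified bucket does not exist"},
	{"Shopify", "myshopify.com", "Sorry, this shop is currently unavailable."},
}

// Observation: what a scan gathers for one subdomain. CNAME is "" when the name has
// none; NXDomain is true when the CNAME target itself no longer resolves.
type Observation struct {
	Subdomain, CNAME, Body string
	NXDomain               bool
}

// Verdict.Status is "takeover", "verify" (one signal only; check by hand) or "ok".
type Verdict struct{ Status, Service, Reason string }

func serviceForCNAME(cname string) *Service {
	for i, s := range services {
		if strings.Contains(strings.ToLower(cname), s.CNAMEMarker) {
			return &services[i]
		}
	}
	return nil
}

// Assess combines the DNS check (a CNAME whose target is gone) with the fingerprint
// check. "takeover" needs the provider CNAME plus a matching signal, so a stray
// error page on an unrelated host is not reported as a finding.
func Assess(o Observation) Verdict {
	if o.CNAME == "" {
		return Verdict{"ok", "", "no CNAME record; A-record cases are outside this check"}
	}
	svc := serviceForCNAME(o.CNAME)
	if o.NXDomain && svc != nil {
		return Verdict{"takeover", svc.Name, "CNAME target no longer exists at " + svc.Name}
	}
	if o.NXDomain {
		return Verdict{"verify", "", "dangling CNAME; check whether " + o.CNAME + " is registrable"}
	}
	if svc != nil && strings.Contains(o.Body, svc.Fingerprint) {
		return Verdict{"takeover", svc.Name, "CNAME points at " + svc.Name + " and response shows its unclaimed fingerprint"}
	}
	for _, s := range services {
		if strings.Contains(o.Body, s.Fingerprint) {
			return Verdict{"verify", s.Name, s.Name + " fingerprint seen, but CNAME target is " + o.CNAME}
		}
	}
	return Verdict{"ok", "", "CNAME resolves and no fingerprint matched"}
}

// Observe gathers a live Observation (http:// only, one attempt). main does not call it.
func Observe(sub string) (Observation, error) {
	o := Observation{Subdomain: sub}
	cname, err := net.LookupCNAME(sub)
	if err != nil || strings.TrimSuffix(cname, ".") == sub {
		return o, err // lookup failed, or no CNAME (LookupCNAME returns the name itself)
	}
	o.CNAME = cname
	if _, err := net.LookupHost(cname); err != nil {
		dnsErr, ok := err.(*net.DNSError)
		o.NXDomain = ok && dnsErr.IsNotFound
	}
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Get("http://" + sub)
	if err != nil {
		return o, nil // host unreachable: the DNS signals alone are still useful
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	o.Body = string(body)
	return o, nil
}

func main() {
	// Constructed observations for the demo, not real scan results.
	samples := []Observation{
		{"blog.example.com", "acme-blog.github.io.", "<title>Site not found</title> There isn't a GitHub Pages site here.", false},
		{"app.example.com", "old-app.herokuapp.com.", "<h1>No such app</h1>", false},
		{"cdn.example.com", "acme-assets.oldvendor.example.", "", true},
	}
	for _, o := range samples {
		v := Assess(o)
		fmt.Printf("%-18s %-9s %s\n", o.Subdomain, v.Status, v.Reason)
	}
}
```

The "verify" status is deliberate: a fingerprint seen on a host whose CNAME does not point at that provider, or a CNAME whose target is NXDOMAIN at an unrecognised vendor, is a lead to confirm by hand, not a finding. Fingerprint-only scanners report the former as vulnerable, which is a common source of false positives.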
With $GOPATH properly set, run the subzy binary from the terminal (./subzy, as in the usage examples below).
If you get the error exec format error: ./subzy, the prebuilt binary was built for a different OS or CPU architecture than yours. Install Go for your platform and compile the program by running go build subzy.go, which generates a new subzy binary for your system.
The only required flag is either --target or --targets:
--target (string) – a single target subdomain, or several separated by commas
--targets (string) – file name or path to a list of subdomains
--concurrency (integer) – number of concurrent checks (default 10)
--hide_fails (boolean) – hide failed checks and invulnerable subdomains (default false)
--https (boolean) – use HTTPS by default when the target does not specify a protocol (default false)
--timeout (integer) – HTTP request timeout in seconds (default 10)
--verify_ssl (boolean) – if set to true, skip sites that present an invalid SSL certificate
A target subdomain may include a protocol; if it does not, http:// is used unless --https is set to true. Note that a dangling subdomain usually presents the provider's default certificate, which does not match the subdomain's name, so enabling --verify_ssl can skip exactly the hosts you are looking for.
- List of subdomains
./subzy -targets list.txt
- Single or multiple targets
./subzy -target test.google.com
./subzy -target test.google.com,https://test.yahoo.com