Subzy – Subdomain Takeover Vulnerability Tool

Subzy - Subdomain Takeover Vulnerability Scan Tool

Subdomain Takeover Vulnerability

Subdomain takeover is a high security vulnerability that infect many websites. Subdomain takeover caused by unclaimed CNAME record in third party web applications. Many companies use third party such as Zendesk, Mailgun, Bitly, AWS and more, and when they not use that anymore, sys admin forgot to remove CNAME which pointed to that third party or sevices. Then attacker can takeover the subdomain easily without any authentication.

You can check subdomain takeover vulnerability manually by digging into dns informations, you can check this lists of vulnerable service for subdomain takeover. And also you can automated subdomain takeover check with tools. There is a lot of tools to scan subdomain takeover vulnerability, one of them is Subzy.

Subzy

Subdomain takeover tool which works based on matching response fingerprints from can-i-take-over-xyz.

Requirement

  • Golang

Installation

go get -u -v github.com/lukasikic/subzy go install -v github.com/lukasikic/[email protected]

If $GOBIN and $GOPATH are properly set, execute the program by typing this command on terminal:

subzy

If you get an error exec format error: ./subzy, you need to install Golang for your OS and compile the program by running go build subzy.go which will generate new subzy binary file.

Options

Only required flag is either --target or --targets

  • --target (string) – Set single or multiple (comma separated) target subdomain/s
  • --targets (string) – File name/path to list of subdomains
  • --concurrency (integer) – Number of concurrent checks (default 10)
  • --hide_fails (boolean) – Hide failed checks and invulnerable subdomains (default false)
  • --https (boolean) – Use HTTPS by default if protocol not defined on targeted subdomain (default false)
  • --timeout (integer) – HTTP request timeout in seconds (default 10)
  • --verify_ssl (boolean) – If set to true, it won’t check site with invalid SSL

Usage

Target subdomain can have protocol defined, if not http:// will be used by default if --https not specifically set to true.

  • List of subdomains
    • ./subzy -targets list.txt
  • Single or multiple targets
    • ./subzy -target test.google.com
    • ./subzy -target test.google.com,https://test.yahoo.com

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

18 + ten =