
Subdomain Takeover Vulnerability
Subdomain takeover is a high-severity security vulnerability that affects many websites. It is caused by an unclaimed CNAME record pointing to a third-party web application. Many companies use third-party services such as Zendesk, Mailgun, Bitly, AWS and more, and when they stop using a service, the sysadmin forgets to remove the CNAME record that points to it. An attacker can then take over the subdomain easily, without any authentication.
You can check for subdomain takeover manually by digging into the DNS information, and you can check this list of services vulnerable to subdomain takeover. You can also automate the check with tools. There are a lot of tools that scan for subdomain takeover; one of them is Subzy.
Subzy
Subdomain takeover tool which works based on matching response fingerprints from can-i-take-over-xyz.
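To show what fingerprint matching means when auditing your own DNS zone, here is an added example; it is not Subzy's code and not part of the original page. The provider suffix, the marker text and the hostnames are constructed placeholders, not entries from can-i-take-over-xyz.

```go
package main

import (
	"fmt"
	"strings"
)

// Fingerprint pairs a provider's CNAME suffix with the text its edge returns
// for an unclaimed resource. The values used below are constructed placeholders.
type Fingerprint struct{ Service, CNAMESuffix, Marker string }

// Record is one row of your own DNS inventory plus the HTTP body fetched from it.
type Record struct{ Host, CNAME, Body string }

// normalize lower-cases a DNS name and drops the trailing root dot.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// Audit returns "host -> service" for every record whose CNAME points at a
// known provider AND whose response body carries that provider's marker.
func Audit(records []Record, fps []Fingerprint) []string {
	var findings []string
	for _, r := range records {
		cname := normalize(r.CNAME)
		for _, fp := range fps {
			suffix := normalize(fp.CNAMESuffix)
			// Match on a label boundary so "notexample-host.test" is not a hit.
			onProvider := cname == suffix || strings.HasSuffix(cname, "."+suffix)
			if onProvider && strings.Contains(r.Body, fp.Marker) {
				findings = append(findings, r.Host+" -> "+fp.Service)
			}
		}
	}
	return findings
}

func main() {
	fps := []Fingerprint{{"ExampleHost", "example-host.test", "No such site is configured"}}
	records := []Record{ // constructed sample inventory
		{"help.corp.test", "Corp.Example-Host.test.", "<h1>No such site is configured</h1>"},
		{"docs.corp.test", "docs.example-host.test", "<h1>Welcome</h1>"},
		{"old.corp.test", "x.notexample-host.test", "No such site is configured"},
	}
	for _, f := range Audit(records, fps) {
		fmt.Println("dangling CNAME:", f)
	}
}
```

Only help.corp.test is reported: docs.corp.test still serves a claimed site, and old.corp.test points at a different domain that merely ends in the same characters.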
Requirement
- Golang
Installation
If $GOBIN and $GOPATH are properly set, execute the program by typing this command on terminal:
If you get the error exec format error: ./subzy, you need to install Golang for your OS and compile the program by running go build subzy.go, which will generate a new subzy binary file.
Options
The only required flag is either --target or --targets.
- --target (string) – Set single or multiple (comma separated) target subdomain/s
- --targets (string) – File name/path to list of subdomains
- --concurrency (integer) – Number of concurrent checks (default 10)
- --hide_fails (boolean) – Hide failed checks and invulnerable subdomains (default false)
- --https (boolean) – Use HTTPS by default if protocol not defined on targeted subdomain (default false)
- --timeout (integer) – HTTP request timeout in seconds (default 10)
- --verify_ssl (boolean) – If set to true, it won’t check site with invalid SSL
Usage
A target subdomain can have a protocol defined; if not, http:// will be used by default unless --https is specifically set to true.
- List of subdomains
./subzy -targets list.txt
- Single or multiple targets
./subzy -target test.google.com
./subzy -target test.google.com,https://test.yahoo.com