Threats & Research

Subdomain takeover – Chapter one: Methodology

CyStack image

Trung Nguyen

CEO @CyStack|April 5, 2023
Subdomain takeover - Chapter one: Methodology

Subdomain takeover is a high severity vulnerability that can be exploited to take control of a domain and pointing it to an address managed by attackers. Attacks on this vulnerability are often used for the purpose of creating phishing sites, spreading malwares. However, subdomain takeover is not a new vulnerability, it may be published from the year of 2014.

On the last weekend of October, I spent some time coding exploits to find major websites that could be affected by the vulnerability. The results were very unexpected, I found more than 200 domains affected by the vulnerability just in 2 days. These domains belongs to big technology, finance companies and major newspapers. I suppose that I should share my discoveries with subdomain takeover, so this series will show my perspective, how do I find out vulnerable websites and how to exploit them, on a case by case basis.

Domains and IP addresses

To begin with, let’s talk about a typical example. You own a domain and a server with the IP address Now you would like to point your domain to this IP address?

Normally, your DNS providers offer several ways to do this, including:

  • Using A or AAAA records
  • Using CNAME records
  • Using extra records like ALIAS or URL records

We will look into the details in each of these ways

Using A or AAAA records

This is the most common way, almost everyone who works with domain names has ever used this method. We will have to enter a host and a value as the domain name and the IP respectively.


  • @ used to point a root domain ( to the IP address
  • xxx used to point a sub-domain ( to the IP address
  • A records are for IPv4, while AAAA records are for IPv6
Using A/AAAA records

Using CNAME records

A/AAAA records is a direct solution for the domain name resolution. However, in some cases this method will cause annoyance, for example:

  • You own 100 subdomains ( , and all of them are pointed to the IP One day, you changed the host and the IP is changed to Would you update the A record for 100 sub-domains?
  • You are using a 3rd party service to create a landing page for your advertising campaign. This partner created a site with domain However, you wouldn’t like to use this domain, simply because it is unfamiliar to your customers. How to point your own domain to

You can use CNAME records for these cases. CNAME is the most well known way to “symlink” one DNS record to another. It works by answering queries asking for the Source with a simple referral (by domain name) to the Target, which may be anywhere else on the internet.

For example 1, we will need to point subdomain to the destination IP by using the A record, then point 99 other sub-domains to by using the CNAME record. Later, if the destination IP is changed, we will just need to update the A record of

For example 2, we will need to point the CNAME of to

The biggest problem with CNAME is that it cannot be used for a root domain, but only sub-domains.


Using CNAME records

Using ALIAS and URL Redirect Records

These are records not in the DNS RFC, so they are only supported by certain DNS providers. ALIAS is a pseudo-record that works like a CNAME but can be used for both the root domain and sub-domains. The URL Redirect record is used to redirect a domain to another URL/domain name.

Subdomain takeover attack

The goal of this attack is to point a victim’s domain to an attacker’s address. This is closely related to the domain resolutions I have described above. In the case of using A/AAAA records for the resolution, it’s not worth mentioning but the remaining cases have weaknesses.

Let’s look at a scenario as follows:

  • You own
  • points to by using a CNAME record

In order to control the content of, we have to control the content of This is possibile, if:

  • is an expired domain -> Buy this domain
  • belongs to an Internet service and it allows to create a sub-domain like if that name is available. You can find out many serives having that feature such as Github, Heroku, Amazon S3, Shopify, etc.


Sub-domain takeover

I did not think this attack was effective until I proceeded to find the subdomains of many big firms and checked the feasibility of the attack. As I said at the beginning, the results are verysurprising. One of them are, but subdomain takeover vulnerability is considered as out-of-scope of their bug bounty programs so I was only acknowledged in their Hall of Fame.

The method I used was:

  • Find all subdomains from a domain by using SubStack
  • Check the exploitable signature of sub-domains found. I have used signs published here as well as my own techniques.

In the next article, I will present more specific cases that I have successfully exploited.

Related posts

Flash Loan Attack
Flash Loan Attack
June 27 2022|Threats & Research

Mở đầu Flash Loan Attack là một hình thức tấn công DeFi đã xuất hiện từ lâu, gây ra rất nhiều thiệt hại cho các nền tảng DeFi. Tính từ đầu năm 2022 đến nay, đã có nhiều cuộc tấn công dựa trên hình thức này, điển hình như các cuộc tấn công nhắm đến […]

Cuộc tấn công vào ONUS – Góc nhìn kỹ thuật từ lỗ hổng Log4Shell
Cuộc tấn công vào ONUS – Góc nhìn kỹ thuật từ lỗ hổng Log4Shell
April 5 2023|Threats & Research

Read the English version here Log4Shell hiện đang là một cơn ác mộng (có lẽ là tồi tệ nhất cho tới thời điểm hiện tại) đối với nhiều doanh nghiệp. Không may thay, ONUS, một trong số những khách hàng của chúng tôi, đã trở thành nạn nhân của lỗ hổng này. Với tư cách […]

The attack on ONUS – A real-life case of the Log4Shell vulnerability
The attack on ONUS – A real-life case of the Log4Shell vulnerability
April 5 2023|Threats & Research

Đọc bản tiếng Việt tại đây Log4Shell has recently been a nightmare (probably the worst one for now) to businesses. ONUS, a client of ours, was an unfortunate victim. As their security partner, CyStack informed ONUS of the risks right after Log4Shell came to light; when the attack actually happened, we supported them in finding […]