Subdomain takeovers are a high-risk vulnerability that negatively impacts businesses, but if found, they can result in big rewards in a bug bounty program. If you pay attention to Bugcrowd’s Vulnerability Rating Taxonomy (which I highly suggest you check out), subdomain takeovers are listed as a P3. I’ve even worked on a bug bounty program that will pay different amounts for a subdomain takeover depending on the impact to the business. Let’s take a look at how I enumerate this process.
Get Your Subdomains Together
You should have a list of subdomains on your target from the reconnaissance portion of your workflow. If you’re new to the idea of enumerating subdomains, check out my article on how I enumerate subdomains. At this point, the target’s subdomains have been enumerated, sorted, and verified with a program like httpx to see if they are live or not. Sometimes you can find subdomains in your recon that are no longer active or live, so verification is always important. Now that you’ve got your list, let’s check out how to see if any of them may be vulnerable.
Subdominator
I’ve used a few different tools to check for subdomain takeovers, but by far my favorite has been Subdominator. This tool was developed by Stratus Security to provide a solution for slow wait times on…