How Hackers Find Subdomain Takeovers — The 15-Second Check That Pays $1,000

Mr Elite 18 min read
How Hackers Find Subdomain Takeovers — The 15-Second Check That Pays $1,000

Have you looked for subdomain takeovers in bug bounty?




How Hackers Find Subdomain Takeovers in 2026 :— A researcher runs three terminal commands on a Sunday afternoon. She finds that staging.company.com points to a GitHub Pages repository that no longer exists. She registers that repository, places a placeholder page on it, and submits a report. The bounty: $1,200. Total time: ten minutes. Subdomain takeover is one of the highest-effort-to-payout vulnerability classes in bug bounty because the check is fast, the vulnerability is widespread, and large companies routinely leave forgotten DNS records pointing to decommissioned cloud services. This article teaches the exact 15-second DNS check, which services to look for, how to automate across hundreds of subdomains, and how to write the report.

🎯 What You’ll Learn

Why subdomain takeovers happen — the dangling CNAME lifecycle
The 3-command, 15-second manual check that confirms any takeover
Which cloud services are vulnerable and how to verify with can-i-take-over-xyz
Automation with subfinder and subjack for large-scope programmes
Severity assessment and bug bounty reporting

⏱️ 30 min read · 3 exercises

📋 Subdomain Takeover 2026

  1. How Subdomain Takeovers Happen — The Dangling CNAME
  2. The 15-Second Check — 3 Commands
  3. Vulnerable Cloud Services in 2026
  4. Automation with subfinder and subjack
  5. Impact, Severity and Bug Bounty Payouts
  6. Reporting to Bug Bounty Programmes

How Subdomain Takeovers Happen — The Dangling CNAME

Every subdomain takeover follows the same lifecycle. A company creates a staging environment on Heroku, a documentation site on GitHub Pages, or a landing page on an AWS S3 static website. Their DNS admin creates a CNAME: staging.company.com CNAME acme-staging.herokuapp.com. Six months later, the project ends. A developer deletes the Heroku app. The DNS record is never removed — because removing a DNS record requires a separate ops ticket that nobody creates, and DNS record cleanup is nobody’s specific job.

The vulnerability persists silently. Visitors to staging.company.com follow the CNAME to acme-staging.herokuapp.com and receive Heroku’s “No such app” page. Anyone can create a new Heroku app named acme-staging and claim that subdomain name. Once they do, every visitor to staging.company.com receives whatever content they put there — served under the company’s legitimate domain, trusted by browsers, included in the company’s TLS certificate scope.

securityelites.com
Subdomain Takeover — Lifecycle from Deployment to Vulnerability
① DEPLOY:
staging.company.com CNAME acme.herokuapp.com → running app ✓
② DECOMMISSION:
Developer deletes app → DNS record forgotten (nobody’s job to remove)
③ DANGLING:
staging.company.com CNAME acme.herokuapp.com → NXDOMAIN
④ TAKEOVER:
Attacker registers “acme” on Heroku → staging.company.com now serves attacker content
⑤ IMPACT:
Phishing from trusted domain · cookie theft · OAuth abuse · all via company’s own subdomain

📸 The subdomain takeover lifecycle. The critical gap is between ② and ③ — the resource is gone but the DNS record persists, sometimes for years. The attacker’s action at ④ requires no exploitation of any code vulnerability: just registering a cloud resource whose name matches the orphaned CNAME target.

The 15-Second Check — 3 Commands

The manual subdomain takeover check is three commands run in sequence. Each gives definitive information. Together they take 15 seconds and produce the exact evidence needed for a bug bounty report.

THE 15-SECOND SUBDOMAIN TAKEOVER CHECK
# COMMAND 1: Find the CNAME record
dig staging.target.com CNAME
;; ANSWER SECTION:
staging.target.com. 300 IN CNAME acme-staging.herokuapp.com.
# Found a CNAME pointing to Heroku → check if that app exists
# COMMAND 2: Check if the CNAME target exists
dig acme-staging.herokuapp.com
;; status: NXDOMAIN
# ← NXDOMAIN = Heroku app does not exist = potentially vulnerable
# COMMAND 3: Confirm with HTTP fingerprint
curl -s https://staging.target.com | head -3
<html><body><h1>No such app</h1>
# “No such app” = Heroku confirmed the resource doesn’t exist
# VERIFY: cross-reference with can-i-take-over-xyz
# github.com/EdOverflow/can-i-take-over-xyz → search “heroku”
# Result: VULNERABLE — fingerprint “No such app” confirmed
# CONCLUSION: confirmed subdomain takeover opportunity — document and report

🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)
Run the 15-Second Check Against a Real Bug Bounty Target

⏱️ 15 minutes · Browser + terminal

Step 1: Find a programme with wildcard subdomain scope
Go to hackerone.com/programs or bugcrowd.com
Find any programme with “*.company.com” in scope.

Step 2: Enumerate subdomains passively via crt.sh
Go to: crt.sh
Search: %.company.com
This shows all SSL certificates issued for the domain.
List 5-10 interesting subdomains (staging, dev, docs, beta, test).

Step 3: Run the 3-command check on each
dig [subdomain].company.com CNAME
If a CNAME is found → dig [cname_target]
If NXDOMAIN → check HTTP fingerprint with curl

Step 4: Cross-reference with can-i-take-over-xyz
github.com/EdOverflow/can-i-take-over-xyz
Is the service listed as VULNERABLE?
What is the exact fingerprint string?

Step 5: Document any NXDOMAIN findings
Even if not on a live programme — record the subdomain,
CNAME target, NXDOMAIN confirmation, and HTTP response.
This is exactly the evidence a bug bounty report requires.

✅ What you just learned: crt.sh provides passive subdomain enumeration — no packets sent to the target, just reading public certificate transparency logs. The 3-command sequence produces report-ready evidence in seconds. The can-i-take-over-xyz cross-reference confirms whether the specific service allows registration without domain verification. Most mature programmes accept NXDOMAIN + fingerprint as sufficient proof without requiring you to actually register anything.

📸 Screenshot any NXDOMAIN result you find. Post to #subdomain-takeover on Discord.

Vulnerable Cloud Services in 2026

The authoritative reference is can-i-take-over-xyz — a community-maintained list tracking which services allow takeover, the fingerprint string to confirm the dangling state, and current vulnerability status. Services are marked Vulnerable, Needs verification, Not vulnerable, or Fixed as the landscape evolves.

Confirmed vulnerable services as of 2026 include GitHub Pages (fingerprint: “There isn’t a GitHub Pages site here”), Heroku (fingerprint: “No such app”), AWS S3 static website (fingerprint: “NoSuchBucket”), Fastly (fingerprint: “Fastly error: unknown domain”), Shopify (fingerprint: “Sorry, this shop is currently unavailable”), and Zendesk (fingerprint: “Help Center Closed”). Services that have added protections include Squarespace (requires domain verification before a CNAME takes effect) and most Azure services (additional owner-verification steps prevent direct takeover).

securityelites.com
Vulnerable Services — Fingerprints and CNAME Patterns
ServiceCNAME target patternHTTP FingerprintStatus
GitHub Pages*.github.io“There isn’t a GitHub Pages site here”Vulnerable
Heroku*.herokuapp.com“No such app”Vulnerable
AWS S3 Website*.s3-website*.amazonaws.com“NoSuchBucket”Vulnerable
Fastly*.global.fastly.net“Fastly error: unknown domain”Vulnerable
Azure (most)*.azurewebsites.netOwner verification requiredProtected
📸 Vulnerable services and their HTTP fingerprint strings. The fingerprint is the primary evidence in a bug bounty report alongside the NXDOMAIN DNS confirmation. Always check can-i-take-over-xyz for current status — services update their protections and new vulnerable services are added regularly.

Automation with subfinder and subjack

Manual checking works for small scopes. Large bug bounty programmes with hundreds of subdomains require automation. The standard workflow is subfinder for passive enumeration followed by subjack for automated CNAME takeover detection.

AUTOMATED SCANNING — SUBFINDER + SUBJACK
# Step 1: Passive subdomain enumeration
subfinder -d target.com -all -recursive -o subdomains.txt
Found 347 subdomains for target.com
# Step 2: Automated CNAME takeover detection
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
# Step 3: Review results
cat results.txt
[Vulnerable] staging.target.com – heroku
[Vulnerable] docs-old.target.com – github
# Step 4: Manually verify every Vulnerable finding
# Automated tools produce false positives
# Run the 3-command check on each before reporting

Finding Subdomains Other Hunters Miss: Most hunters use the same tools against the same targets. Two underused sources: (1) Wayback Machine — archive.org often contains references to staging URLs that never appeared in certificate transparency logs. (2) GitHub code search — engineers reference internal staging URLs in public READMEs and config files. These “known but unlisted” subdomains often have the oldest, most neglected DNS records — exactly the ones with dangling CNAMEs.

🧠 EXERCISE 2 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Assess the Severity of Three Subdomain Takeover Scenarios

⏱️ 10 minutes · No tools required

For each scenario, determine severity and maximum impact:

SCENARIO 1:
docs.company.com → CNAME → docs-company.github.io (NXDOMAIN)
Investigation: standalone documentation site.
No cookies from company.com scoped to docs.company.com.
Not referenced in any auth flow.
Severity? Maximum impact?

SCENARIO 2:
staging.company.com → CNAME → acme-staging.herokuapp.com (NXDOMAIN)
Investigation: company.com sets cookies with domain=”.company.com”
(leading dot — applies to ALL subdomains including staging).
Severity? Maximum impact?

SCENARIO 3:
auth-test.company.com → CNAME → auth-test.s3-website-us-east-1.amazonaws.com (NXDOMAIN)
Investigation: OAuth login at accounts.company.com has
redirect_uri=https://auth-test.company.com/callback whitelisted.
Severity? Maximum impact?

For each: write one sentence for the bug bounty report executive summary.
Estimate expected payout.

✅ ANSWER KEY — S1: Low-Medium. Phishing from trusted domain possible but no direct technical attack on app. Payout: $200–400. S2: Medium-High. Wide-scoped cookies (domain=.company.com) mean attacker can set session cookies via taken-over subdomain that are then sent to the main app. Session fixation possible. Payout: $500–1,500. S3: Critical. OAuth redirect_uri whitelist includes the taken-over subdomain — attacker can redirect authorization codes to their controlled endpoint, stealing auth codes and gaining full account access. Payout: $1,000–5,000+. Severity scales entirely with the trust relationship to the main application.

📸 Post your severity assessments with reasoning to #subdomain-takeover on Discord.

Impact, Severity and Bug Bounty Payouts

Subdomain takeover severity is determined entirely by the taken-over subdomain’s trust relationship with the main application. This relationship has three dimensions: cookie scope, OAuth configuration, and CORS policy. Understanding each dimension tells you exactly how severe a finding is before you even write the report.

Cookie scope. When the main application at company.com sets cookies with the attribute domain=".company.com" (note the leading dot), those cookies are scoped to all subdomains. An attacker who controls any subdomain — including a taken-over one — can issue Set-Cookie headers that browsers store and then send to the main company.com application on subsequent requests. This enables session fixation attacks: the attacker pre-sets a known session token via the taken-over subdomain, then tricks the victim into authenticating at the main application, at which point the victim’s authenticated session token matches the attacker’s pre-set token. Check for this by examining the Set-Cookie response headers from the main application: if the domain attribute includes a leading dot, all subdomains are in scope.

OAuth redirect_uri whitelist. OAuth 2.0 implementations protect against token theft by validating the redirect_uri parameter in authorization requests against a server-side whitelist. If a subdomain that has been taken over appears in this whitelist — for example, as a callback URL from a previous development environment — an attacker can craft an OAuth flow that redirects the user’s authorization code to their controlled endpoint. The attacker presents the stolen authorization code to the token endpoint and receives a valid access token. This is consistently the highest-severity subdomain takeover scenario. Check OAuth by examining the application’s authorization endpoint and looking for redirect_uri values referencing company subdomains.

CORS policy. Applications that include taken-over subdomains in their Cross-Origin Resource Sharing allowlist allow JavaScript from those subdomains to make credentialed cross-origin requests to the main application. An attacker who controls the subdomain can serve JavaScript that silently exfiltrates sensitive data from the main application whenever a victim visits the taken-over page. Check CORS by looking at the Access-Control-Allow-Origin response headers from the main API endpoints — if they include subdomains, takeover of any listed subdomain enables cross-origin data theft.

Expected payouts: completely isolated subdomain with no cookie, OAuth, or CORS relationship — $200–400 (Medium on most programmes). Subdomain with wide-scoped cookies or CORS inclusion — $500–1,500 (High). Subdomain in OAuth redirect_uri whitelist — $1,000–5,000+ (Critical on most programmes). The key factor is always: can an attacker use control of this subdomain to compromise the main application, or is it just an isolated phishing opportunity?

securityelites.com
Severity Matrix — Subdomain Trust Relationship vs Impact
Subdomain RoleTrust MechanismSeverityExpected Payout
OAuth callback subredirect_uri whitelistedCritical$1k–5k+
Cookie-scoped subdomain=”.company.com”High$500–1.5k
CORS-allowed subAccess-Control-Allow-OriginHigh$400–1k
Isolated docs/marketing subPhishing surface onlyLow–Medium$200–400
📸 Subdomain takeover severity matrix. The payout scales almost entirely with the trust relationship — not with the cloud service, the size of the company, or how long the CNAME has been dangling. An isolated staging subdomain with no cookies, no OAuth, and no CORS inclusion is Low-Medium regardless of how dramatically you demonstrate the takeover. An auth callback subdomain is Critical regardless of whether the company is a startup or a Fortune 500.

Advanced Techniques — Finding Subdomains Others Miss

The most competitive subdomain takeover hunters don’t just run subfinder and subjack. They use sources that most hunters ignore, dramatically increasing their hit rate on programmes that have already been heavily tested by automated tools.

Wayback Machine enumeration. The Internet Archive’s Wayback Machine indexes web content going back to the 1990s, including pages that referenced subdomains that never appeared in modern certificate transparency logs or DNS datasets. Old blog posts, press releases, API documentation, and product announcements frequently contain URLs like https://staging.company.com/preview or https://beta.company.com/signup that are not in any current enumeration tool’s database. Search for the target domain on web.archive.org and browse through historical captures to find these hidden subdomains. These old subdomains are often the most neglected — they were set up for a campaign in 2018, forgotten since 2019, and nobody has ever checked them for takeover vulnerabilities because they don’t appear in standard scans.

GitHub code search. Engineers frequently reference internal infrastructure URLs in public repositories — in README files, configuration examples, CI/CD pipeline definitions, and environment variable documentation. A GitHub search for "company.com" CNAME or site:github.com company.com staging can surface subdomain references that have never appeared in any public DNS dataset. Many of these are development and testing subdomains set up once for a specific sprint and never decommissioned.

Job postings and technical blogs. Engineers who write about their infrastructure architecture — on company engineering blogs, personal blogs, or conference talk write-ups — often mention specific internal subdomain patterns. “We use the pattern [service]-[environment].company.com for all our staging environments” in an engineering blog post tells you exactly where to look. Job postings that mention specific cloud services or infrastructure patterns can reveal what third-party platforms the company uses, helping you predict which CNAME patterns to look for before you even start scanning.

DNS zone walking for DNSSEC-enabled domains. Some domains that have DNSSEC enabled are vulnerable to zone walking — iterating through DNS records to enumerate all subdomains, similar to a full zone transfer. Tools like ldns-walk can attempt this for DNSSEC-signed zones. This is a passive technique that only works on misconfigured DNSSEC implementations, but when it does work, it produces a far more complete subdomain list than certificate transparency logs alone.

Reporting to Bug Bounty Programmes

A strong subdomain takeover report needs five pieces of evidence: the vulnerable subdomain URL, the dig CNAME output showing the dangling record, the dig NXDOMAIN output confirming the target is gone, the curl fingerprint output showing the platform’s error page, and the can-i-take-over-xyz reference confirming the service is known-vulnerable. This evidence set is sufficient for most mature programmes — you do not need to register anything to prove the vulnerability is real.

Common mistakes: submitting without NXDOMAIN confirmation, reporting subdomains outside the declared scope (always verify exact scope boundaries), and submitting subjack output without manual verification (false positives are common — always run the 3-command check manually before submitting).

🛠️ EXERCISE 3 — BROWSER ADVANCED (15 MIN)
Research Real Disclosed Reports and Estimate Your Expected Hourly Rate

⏱️ 15 minutes · Browser only

Step 1: Find 3 real subdomain takeover reports on HackerOne
Go to hackerone.com/hacktivity
Search: “subdomain takeover” or “dangling CNAME”
Find 3 publicly disclosed reports.
Note: service, payout, evidence provided (DNS only or PoC registration?).

Step 2: Check current vulnerable services on can-i-take-over-xyz
github.com/EdOverflow/can-i-take-over-xyz
Find 3 services you didn’t know were vulnerable.
Note each fingerprint string.
Which were recently added or updated?

Step 3: Estimate your expected hourly rate
Assumption: 100 subdomains checked per hour (manual + quick verify)
Assumption: 1 in 50 subdomains has a takeover
Assumption: average payout $600
Expected value per hour = ?
How does this compare to SQLi or XSS hunting?

Step 4: Find one uncommon service on can-i-take-over-xyz
Something most hunters overlook.
What is the CNAME pattern and fingerprint?

Step 5: Check one real programme’s subdomain policy
Read any large HackerOne programme’s policy carefully.
Does it require PoC registration or accept DNS evidence only?
Are staging/dev subdomains in or out of scope?

✅ What you just learned: Real HackerOne disclosures confirm these are paid, accepted findings — not theoretical. The expected-value calculation demonstrates why subdomain takeover scanning is attractive: at $600 average payout and 1/50 hit rate, that’s $1,200/hour from automated scanning plus manual verification. The policy research is critical — many hunters waste time on out-of-scope subdomains. The uncommon service research expands your detection coverage beyond the handful of services most hunters know.

📸 Screenshot one real disclosed HackerOne report showing payout. Post to #subdomain-takeover on Discord. Tag #takeover2026

⚠️ Scope and Authorisation: Passive enumeration via crt.sh and subfinder reads public data only — no requests to the target. However, registering a taken-over resource constitutes active exploitation. Some programmes prohibit any registration even as PoC. Always read the specific programme policy before registering anything. Submit DNS evidence first; register only if explicitly permitted and confirmed in writing.

🧠 QUICK CHECK — Subdomain Takeover

You find that api-legacy.target.com CNAME points to api-legacy.global.fastly.net which returns NXDOMAIN. The HTTP fingerprint shows “Fastly error: unknown domain”. Fastly is on can-i-take-over-xyz as Vulnerable. The programme policy says “submit with DNS evidence — PoC registration not required.” What do you submit?



📋 Subdomain Takeover Quick Reference 2026

dig [sub] CNAME → dig [target] → NXDOMAINThe 15-second check — 3 commands that confirm any takeover
curl [sub] | grep [fingerprint]Platform-specific error confirms resource is gone — key report evidence
can-i-take-over-xyzCross-reference to confirm the service allows takeover — include in every report
subfinder | subjackAutomation for large scopes — always manually verify before reporting
Severity: cookie scopedomain=”.company.com” on main app = cookies sent to taken-over sub = High
Severity: OAuth redirect_uriSub in whitelist = auth code theft = Critical · payout $1k–5k+

🏆 Mark as Read — Subdomain Takeover 2026

The 15-second check, automation workflow, and severity framework give you everything to find and report these vulnerabilities. Run subfinder. Check the CNAMEs. Follow the NXDOMAIN. Report what you find.


❓ Frequently Asked Questions — Subdomain Takeover 2026

What is subdomain takeover?
When a subdomain’s DNS CNAME points to a third-party service (GitHub Pages, Heroku, AWS S3) that has been removed, anyone can register that external resource and control what the subdomain serves. Visitors receive attacker content under the company’s legitimate domain.
How do you check for subdomain takeover in 15 seconds?
Three commands: (1) dig [sub] CNAME — find the CNAME target. (2) dig [target] — check for NXDOMAIN. (3) curl [sub] — confirm platform’s “resource not found” fingerprint. Cross-reference with can-i-take-over-xyz to confirm the service allows takeover.
Which services are vulnerable?
From can-i-take-over-xyz (2026): GitHub Pages, Heroku, AWS S3 static websites, Fastly, Shopify, Zendesk, Cargo and many others. Always check current status — protections are added and new vulnerable services discovered regularly.
What is the bug bounty payout?
$200–$5,000+ depending on severity. Isolated docs subdomain: $200–400. Cookie-scoped subdomain: $500–1,500. OAuth redirect_uri whitelist: $1,000–5,000+. Severity scales with trust relationship to the main application.
How do you automate subdomain takeover scanning?
subfinder -d target.com -all -o subs.txt for passive enumeration, then subjack -w subs.txt -t 100 -o results.txt -ssl for automated detection. Always manually verify every Vulnerable result before reporting — false positives are common.
Do you need to register the takeover to report it?
Usually no. DNS evidence (CNAME + NXDOMAIN + HTTP fingerprint) is accepted by most programmes. If registration is explicitly permitted in the programme policy, use a benign placeholder page only. Never register without explicit policy confirmation.
← Related

Subdomain Enumeration Tools 2026

Related →

Bug Bounty Mastery Course

📚 Further Reading

ME
Mr Elite
Owner, SecurityElites.com
The first subdomain takeover I found felt almost too easy. I ran subfinder against a large programme, piped to subjack, saw one Heroku flag, ran the 3-command check manually, confirmed the NXDOMAIN, submitted the report with the dig output and the “No such app” fingerprint screenshot. $800 bounty, two days later. The vulnerability had been sitting there for 18 months according to the Wayback Machine. The DNS record outlasted the engineer who created it, the project it was built for, and three product iterations. Nobody’s job to clean up DNS. Every large company has at least a few of these if you know where to look.

bug bounty hacking techniques cname misconfiguration exploit dangling cname vulnerability detect subdomain takeover dns takeover attack subdomain security vulnerabilities subdomain takeover 2026 subdomain takeover bug bounty
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free

Leave a Comment

Your email address will not be published. Required fields are marked *