CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Subdomain Takeover

security CWE-350 OWASP A5:2021 CVSS 8.1 Intermediate
debt(d5/e3/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list specialist tools subjack, can-i-take-over-xyz, and dnsx — these are purpose-built scanners, not default linters or compiler checks. Dangling DNS records are invisible in normal operation and won't surface without dedicated tooling or a deliberate audit process.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is to audit all CNAME records and remove those pointing to deprovisioned services. This is a targeted DNS-level cleanup — more than a single-line patch since it requires identifying and removing multiple records across a DNS zone, but it doesn't require touching application code across multiple files. Establishing an ongoing audit process adds modest organisational overhead but is still localised.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). The applies_to is 'any' context, meaning every cloud service decommissioning event across the organisation carries this risk. Without a DNS inventory and audit process, subdomains accumulate over years (per common_mistakes), creating a persistent operational tax on every infrastructure change. It doesn't reshape every line of code, but it burdens every deprovisioning workflow.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception states developers believe only high-traffic subdomains matter, but an attacker controlling any subdomain can set cookies for the parent domain, bypass CORS/CSP wildcard policies, and run phishing under the brand. This is a widely held wrong belief — the blast radius is far larger than most developers intuit, and the impact extends across the entire domain, not just the taken-over subdomain.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

dangling DNS subdomain hijacking DNS takeover

TL;DR

A DNS entry points to an unclaimed external service, allowing an attacker to register that service and control the subdomain.

Explanation

Subdomain takeover occurs when a DNS CNAME record points to a third-party platform (GitHub Pages, Heroku, AWS S3, etc.) and the target resource has been deprovisioned without removing the DNS record. An attacker who registers the now-available resource on that platform gains control over the subdomain, enabling phishing, cookie theft (if the subdomain shares a parent domain cookie), and content injection. Prevention: always delete DNS records before deprovisioning services, and perform regular DNS audits.

Common Misconception

Subdomain takeover only matters for high-traffic subdomains. An attacker controlling any subdomain of your domain can set cookies for the parent domain, run convincing phishing pages under your brand, and bypass CORS and CSP policies that trust *.yourdomain.com.

Why It Matters

A subdomain pointing to a deprovisioned cloud resource (S3 bucket, Heroku app, GitHub Pages) can be claimed by an attacker — they then serve content on your domain, enabling phishing and cookie theft.

Common Mistakes

  • Not removing DNS records when deprovisioning cloud resources — the CNAME remains pointing at nothing.
  • No DNS audit process — subdomains accumulate over years with no inventory.
  • Not monitoring for dangling DNS records — tools like aquatone detect these automatically.
  • Forgetting that subdomains can read cookies set on the parent domain — a takeover affects the whole domain.

Avoid When

  • Never leave CNAME records pointing to decommissioned Heroku, S3, GitHub Pages, or Azure endpoints — they are claimable by anyone.
  • Do not delay DNS cleanup after retiring a service — dangling records can be exploited within minutes of resource deletion.

When To Use

  • Audit DNS records whenever decommissioning a service — remove CNAME records pointing to deleted cloud resources immediately.
  • Use automated tools (SubFinder, can-i-take-over-xyz) to detect dangling DNS records in CI or periodic scans.

Code Examples

✗ Vulnerable 
# Dangling CNAME — subdomain takeover risk:
# DNS: staging.example.com CNAME myapp-staging.herokuapp.com
# Heroku app deleted — CNAME still exists
# Attacker creates Heroku app at same hostname
# staging.example.com now serves attacker content
# Fix: remove DNS record when deprovisioning any cloud resource
✓ Fixed 
# Dangling CNAME → unclaimed service = subdomain takeover
# staging.yourapp.com CNAME → yourapp.github.io (page deleted)
# Attacker claims yourapp.github.io → controls staging subdomain

# Prevention:
# 1. Remove DNS records BEFORE deprovisioning the service
$ dig staging.yourapp.com CNAME
# Verify you still own the pointed resource

# 2. Automate with subjack in CI:
$ subjack -w subdomains.txt -t 100 -o results.txt

# 3. Check can-i-take-over-xyz list for vulnerable providers:
# https://github.com/EdOverflow/can-i-take-over-xyz

# 4. For GitHub Pages, S3, Heroku:
# Delete DNS record first, then deprovision the service
Added 15 Mar 2026
Edited 31 Mar 2026
Views 27

Curated in Warsaw under one editorial standard. 1,448 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings F 0 pings S 2 pings S 0 pings M 0 pings T 0 pings W 3 pings T 0 pings F 0 pings S 2 pings S 0 pings M 1 ping T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 1 ping T 0 pings F 1 ping S 2 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F
Agents 0
No pings yet today
No pings yesterday
Amazonbot 10 Perplexity 4 SEMrush 3 Ahrefs 2 ChatGPT 2 Google 1
Also referenced
Information Disclosure 56 Insecure Cookie 24
How they use it
crawler 21 crawler_json 1
Related categories
security 4.6k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Audit all DNS CNAME records and remove any pointing to deprovisioned services; use a tool like subjack or can-i-take-over-xyz to scan
📦 Applies To
any any
🔗 Prerequisites
🔍 Detection Hints
CNAME DNS record pointing to unclaimed cloud service (Heroku GitHub Pages S3 bucket Fastly endpoint)
Auto-detectable: ✓ Yes subjack can-i-take-over-xyz dnsx
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Medium ✗ Manual fix Fix: Medium Context: File
CWE-350
✓ schema.org compliant