
"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Can I take over XYZ?

What is a sub-domain takeover?

Subdomain takeover vulnerabilities occur when a subdomain (subdomain.example.com) is pointing to a service (e.g. GitHub pages, Heroku, etc.) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that subdomain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

You can read up more about subdomain takeovers here: https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/.

Safely Demonstrating a Subdomain takeover

Claim the subdomain discreetly and serve a harmless file on a hidden page. Do not serve content on the index page. A good proof of concept could consist of an HTML comment served via a random path:

$ cat aelfjj1or81uegj9ea8z31zro.html
<!-- PoC by username -->


Engine Possible Fingerprint Reference
AWS/S3 Yes The specified bucket does not exist
Bitbucket Yes Repository not found
Campaign Monitor Yes Support Page
Cargo Collective Yes 404 Not Found Cargo Support Page
Cloudfront Yes Bad Request: ERROR: The request could not be satisfied https://blog.zsec.uk/subdomainhijack/
Desk Yes Sorry, We Couldn't Find That Page
Fastly Yes Fastly error: unknown domain:
Feedpress Yes The feed has not been found. https://hackerone.com/reports/195350
Freshdesk No Freshdesk Support Page
Ghost Yes The thing you were looking for is no longer here, or never was
Github Yes There isn't a Github Pages site here. https://hackerone.com/reports/263902
Gitlab No https://hackerone.com/reports/312118
Google Cloud Storage No
Help Juice Yes We could not find what you're looking for. Help Juice Support Page
Help Scout Yes No settings were found for this company: HelpScout Docs
Heroku Yes No such app
JetBrains Yes is not a registered InCloud YouTrack
Mashery Yes Unrecognized domain https://hackerone.com/reports/275714
Microsoft Azure Yes
Sendgrid No
Shopify Yes Sorry, this shop is currently unavailable.
Squarespace No
Statuspage Yes You are being redirected https://hackerone.com/reports/49663
Surge.sh Yes project not found https://surge.sh/help/adding-a-custom-domain
Tumblr Yes Whatever you were looking for doesn't currently exist at this address
Unbounce Yes The requested URL was not found on this server. https://hackerone.com/reports/202767
UserVoice Yes This UserVoice subdomain is currently available!
Wordpress Yes Do you want to register *.wordpress.com?
WP Engine No
Zendesk Yes Help Center Closed Zendesk Support


Cargo Collective

Answer: Yes ✔️

Look for: 404 Not Found

Reference: http://support.2.cargocollective.com/Using-a-Third-Party-Domain

Help Juice

Answer: Yes ✔️

Look for: 4o’4! We could not find what you're looking for.

Reference: https://help.helpjuice.com/34339-getting-started/custom-domain


Answer: Yes ✔️

Look for a 404 page and either an A record pointing to or, or a CNAME record for username.github.io. The latter requires owning the GitHub handle so navigate to github.com/username to make sure that the username has not already been registered.

Reference: https://hackerone.com/reports/263902


Answer: No ❎

GitLab require a text record with a verification token in order to set the custom domain. This was fixed as a result of https://hackerone.com/reports/312118.


Answer: Yes ✔️

If a domain has a CNAME record for *.s3.amazonaws.com and is returning NoSuchBucket, then all you need to do is to create a bucket with that name. You will need an AWS account, however, you can use the free tier which is more than enough for a PoC. You can then upload a simple txt file at a random path as a proof of concept.


Answer: Yes ✔️

When it comes to Cloudfront subdomain takeovers always check both ports 80 and 443. The error message "Bad Request" must be displayed on both ports to ensure that one can claim it on AWS.

If you find a domain that displays this error message, try adding that domain as CNAME to your CloudFront instance on http://aws.amazon.com/ .

Reference: https://blog.zsec.uk/subdomainhijack/


Answer: Yes ✔️

Reference: https://hackerone.com/reports/49663

Help Scout

Answer: Yes ✔️

Reference: https://docs.helpscout.net/article/42-setup-custom-domain

Campaign Monitor

Answer: Yes ✔️

Reference: https://help.campaignmonitor.com/custom-domain-names

WP Engine

Answer: No ❎

Microsoft Azure

Answer: Yes ✔️

Azure can host various services: Web Apps (*.azurewebsites.net), Cloud Services (*.cloudapp.net), Traffic Manager profiles (*.trafficmanager.net) or Blob Storages (*.blob.core.windows.net) to name a few. In general, once a service is removed it's address will become available to others.

Note: For Web Apps, if the subdomain points to Azure using an A record the takeover might not be possible if the corresponding TXT record is missing (see https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain.)

To create a service an account at https://portal.azure.com is needed (a valid CC is required once the trial expires).


Answer: Yes ✔️


Answer: Yes ✔️

Subdomains can be taken over if the root domain doesn't already belong to a Fastly account.


Answer: Yes ✔️

Check the CNAME record. If it's pointing at *.herokuapp.com, and is returning "No such app", then all you need to do is to create a new app on Heroku with that name.


Answer: Yes ✔️

Check for an A record pointing to with a subsequent 'Not found.' on the page's title or a 'There's nothing here.' on the page itself.

Google Cloud Storage

Answer: No ❎

Google requires domain verification in order to claim domains for Google Cloud Storage.


Answer: Yes ✔️

Look for the following message:

"Domain mapping upgrade for this domain not found"


Answer: Yes ✔️

Look for the following error message and make sure the host has a CNAME pointing to redirect.feedpress.me:

"The feed has not been found"

Reference: https://hackerone.com/reports/195350


Answer: No ❎

Squarespace requires domain verification and doesn't allow claiming expired domains.

Reference: https://support.squarespace.com/hc/en-us/articles/205812378-Connecting-a-domain-to-your-Squarespace-site


Answer: Yes ✔️

A vulnerable UserVoice instance will return the error message seen below:

"This UserVoice subdomain is currently available!"

Reference: https://hackerone.com/reports/269109


Answer: Yes ✔️

Look for: Oops, this help center no longer exists

Reference: https://support.zendesk.com/hc/en-us/articles/203664356-Changing-the-address-of-your-Help-Center-subdomain-host-mapping-


Answer: Yes ✔️

This one is a little tricky since you need to pay for the service in order to register a custom domain.

Reference: https://hackerone.com/reports/202767


Answer: Yes ✔️

The host will either have a CNAME record pointing to na-west1.surge.sh or an A record for

Reference: https://surge.sh/help/adding-a-custom-domain


Answer: No ❎

Reference: https://support.freshdesk.com/support/solutions/articles/37590-using-a-vanity-support-url-and-pointing-the-cname


Answer: Yes ✔️

The host should have CNAME record pointing to Mashery.

Reference: https://hackerone.com/reports/275714


Answer: Yes ✔️

The host should have CNAME record pointing to *.ghost.io, also it costs $20 to host.


Answer: Yes ✔️

Similar to Github, the CNAME record will be pointing at *.bitbucket.io.


Answer: No ❎

Sendgrid generates a verification token that mitigates subdomain takeovers.

Reference: https://sendgrid.com/docs/Classroom/Basics/Whitelabel/setup_domain_whitelabel.html


Answer: Yes ✔️

CNAME record will be pointing to *.desk.com, and will redirect to this page: http://support.desk.com/system/site_not_found


Answer: Yes ✔️

CNAME record will be pointing to *.myjetbrains.com, and will redirect to this page: https://www.jetbrains.com/youtrack/youtrack-hosted-master/instanceIsNotRegistered/*