Subdomain Takeover

Subdomain Takeover Detector

"Detects dangling DNS records pointing to deleted or expired external services."

What it does

Subdomain takeover is a critical vulnerability where a DNS record (usually a CNAME) points to an external service — an S3 bucket, a GitHub Pages site, a Heroku app, a Fastly endpoint — that has since been deleted. An attacker can claim that external service and now controls what subdomain.example.com serves.

This affects major organizations regularly. A deleted Heroku app, an archived GitHub Pages repository, an abandoned Azure endpoint — if the DNS record still points to it, the subdomain is vulnerable. This tool checks each target against dozens of known-vulnerable service fingerprints.

Example findings

CRITICALSubdomain Takeover — shop.example.com → Shopify (unclaimed)takeover

CRITICALSubdomain Takeover — docs.example.com → GitHub Pages (deleted)takeover

HIGHPotential Takeover — assets.example.com → S3 (bucket deleted)takeover

HIGHPotential Takeover — app.example.com → Heroku (app removed)takeover

← Back to all tools ▶ Scan with Subdomain Takeover

What it finds

▸Dangling CNAMEs to AWS S3 (unclaimed buckets)
▸Dangling CNAMEs to GitHub Pages (deleted repositories)
▸Dangling CNAMEs to Heroku (deleted apps)
▸Dangling CNAMEs to Azure (deleted endpoints)
▸Dangling CNAMEs to Fastly, Shopify, Zendesk, Ghost, and 50+ others

Works well with

Subfinder →DNS Recon →