Subdomain takeover due to misconfigured project settings

Hi readers,
Today I will write about subdomain takeover. It is a common security issue that is really a developer's mistake: an unused or unclaimed third-party service is left as the DNS CNAME record for one of their subdomains, and attackers can claim that subdomain with the help of the external service it points to, which can lead to serious issues. You can learn more about subdomain takeover on the Detectify blog. While testing I got a domain that is under the Flock company. So I started looking at its subdomains and found the subdomain, and when I visited it in the browser I got an error like the screenshot below.

Project doesn't exist error

This caught my attention, so I checked the DNS record for the domain.

$ dig

; <<>> DiG 9.10.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
; EDNS: version: 0, flags:; udp: 512
;                 IN A

;; ANSWER SECTION:
                  299 IN CNAME
                  299 IN CNAME
                  59  IN A
                  59  IN A

;; Query time: 69 msec
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175

From the above record, we can see that the subdomain is pointing, via a CNAME record, to the third-party service. So I started looking at the custom domain documents on the service's website to understand how they work. From their documentation I understood that:

  • You need a subdomain pointing to your service subdomain, like
  • Your subdomain should be configured in the domain settings on the following page: <project_Name>/v1.0/domains

So to take it over I needed to check whether the service subdomain was already claimed or not. Unfortunately, it was already claimed 🙁. But I have seen that many such services do not force users to verify their ownership of a domain, for example with a TXT record, in addition to the CNAME pointing at their service subdomain. So there was still hope. I opened an account on the service and got a subdomain. Then I went to the domain settings, used the target subdomain as the value in the Custom Domain field and saved the changes. Now when I visited the subdomain, it redirected me to a page saying "Not Yet Active".

Subdomain Takeover by Prial P0C

This is shown because I am using a trial account. In the page title in the screenshot above, you can see the project name that I used when creating the project. So now this domain is serving my content from my project page.

How to avoid such issues? Always keep your DNS records up to date: remove CNAME or any other DNS records that are no longer in use. If you find a security vulnerability, feel free to contact them via [email protected]
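The advice above can be turned into a routine check over a zone's records. The following is an added example, not code from the original post nor from the service it describes. It parses dig-style ANSWER SECTION lines, follows each CNAME chain in an offline, constructed view of the zone, and flags chains that end at a name with no records (the classic dangling CNAME) as well as chains that resolve through a third-party hosting suffix, because, as the post shows, a CNAME that still resolves can be claimed by someone else when the provider does not verify domain ownership. The hostnames, the `hosting.example` suffix and the 192.0.2.x addresses are constructed placeholders, not values from the post.

```python
"""Dangling-CNAME audit over dig-style answer lines (added example, offline).

The zone data below is constructed; in a real audit the lines would come from
`dig +noall +answer <name>` for each name in the zone, or from a zone export.
"""
import re
from dataclasses import dataclass

# dig prints each answer as: <owner> <ttl> IN <type> <rdata>
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")

# Assumed third-party hosting suffixes (placeholders); a CNAME that terminates
# through one of these must be confirmed as claimed by *your* account.
THIRD_PARTY_SUFFIXES = ("hosting.example",)


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def parse_answer_lines(text):
    """Parse ANSWER SECTION lines; comment (';') and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        # Normalise: strip the trailing dot, lower-case names for comparison.
        records.append(Record(owner.rstrip(".").lower(), int(ttl), rtype,
                              rdata.rstrip(".").lower()))
    return records


def build_table(records):
    """owner -> {rtype: [rdata, ...]} so chains can be followed by lookup."""
    table = {}
    for r in records:
        table.setdefault(r.owner, {}).setdefault(r.rtype, []).append(r.rdata)
    return table


def _under_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_cname(name, table, suffixes=THIRD_PARTY_SUFFIXES, max_hops=8):
    """Follow the CNAME chain from `name`; return (status, chain)."""
    chain, seen, current = [name], set(), name
    for _ in range(max_hops):
        if current in seen:
            return "CNAME_LOOP", chain
        seen.add(current)
        rrsets = table.get(current)
        if rrsets is None:
            # Target has no records in this view: NXDOMAIN, a dangling CNAME.
            return "DANGLING_NXDOMAIN", chain
        if "CNAME" in rrsets:
            current = rrsets["CNAME"][0]
            chain.append(current)
            continue
        if "A" in rrsets or "AAAA" in rrsets:
            # Resolves, but a hop through third-party hosting still needs the
            # project/ownership check the post describes.
            if any(_under_suffix(h, suffixes) for h in chain[1:]):
                return "THIRD_PARTY_REVIEW", chain
            return "OK", chain
        return "DANGLING_NO_ADDRESS", chain
    return "TOO_DEEP", chain


def audit_zone(records, suffixes=THIRD_PARTY_SUFFIXES):
    """Audit every owner that has a CNAME; returns {owner: (status, chain)}."""
    table = build_table(records)
    return {name: audit_cname(name, table, suffixes)
            for name, rrsets in table.items() if "CNAME" in rrsets}


# Constructed sample in the layout dig uses for its ANSWER SECTION.
SAMPLE_ANSWER = """
;; ANSWER SECTION:
docs.example.test.          299 IN CNAME  proj-docs.hosting.example.
proj-docs.hosting.example.  59  IN A      192.0.2.10
old.example.test.           299 IN CNAME  gone-project.hosting.example.
www.example.test.           300 IN A      192.0.2.20
loop-a.example.test.        300 IN CNAME  loop-b.example.test.
loop-b.example.test.        300 IN CNAME  loop-a.example.test.
"""


def run_sample():
    return audit_zone(parse_answer_lines(SAMPLE_ANSWER))


if __name__ == "__main__":
    for owner, (status, chain) in run_sample().items():
        print(f"{status:20} {' -> '.join(chain)}")
```

Anything reported as DANGLING_NXDOMAIN or DANGLING_NO_ADDRESS is a record to delete; THIRD_PARTY_REVIEW results should be confirmed in the provider's dashboard as belonging to a project you control, since the resolver alone cannot tell a claimed project from an unclaimed one.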

Thanks for reading.
