Post cover image

June 30, 2026

Subdomain Takeover β€” Claiming Forgotten Assets

What’s up everyone! Nitin here πŸ‘‹

By Nitin yadav

2 min read

Subdomain takeover is one of the most satisfying bugs to find β€” you literally claim a piece of a company's domain for yourself. And it all comes back to that recon work we did earlier. Let me explain.

The Idea In Simple Terms

Companies create subdomains that point to OTHER services β€” like blog.target.com pointing to a hosting service, or shop.target.com pointing to a store platform.

Sometimes they stop using that service but FORGET to remove the pointer. So blog.target.com is still pointing at... nothing. An empty, unclaimed spot on that hosting service.

And here's the magic: if YOU go to that hosting service and claim that empty spot, now blog.target.com shows YOUR content. You've taken over their subdomain. 😳

Why It's Dangerous

Think about it. You now control a page on the company's OWN trusted domain. You can:

  • Host a convincing phishing page (it's on the real domain!)
  • Steal cookies scoped to that domain
  • Damage their reputation
  • Bypass security that trusts their own subdomains

That's why programs pay well for these.

The Tell-Tale Sign

When you visit a vulnerable subdomain, you often see a specific error message from the hosting service β€” stuff like "There's no such app," "NoSuchBucket," "domain not configured," or a generic "page not found" from a known platform. That error is the service saying "this spot is empty and unclaimed." 🚩

None

How To Hunt It

  1. Do your subdomain enumeration β€” get the full list
  2. Check which subdomains point to external services (look at their DNS CNAME records)
  3. Visit them β€” look for those tell-tale "unclaimed" error pages
  4. Cross-check with a list of fingerprints (the can-i-take-over-xyz project on GitHub is the bible for this)
  5. Tools like subzy, nuclei (takeover templates), and subjack automate the detection

The Ethical Line (Important!)

When you find one, you usually just need to prove you COULD claim it β€” like showing the service would let you register that spot, or putting up a harmless proof page with your name. Don't host anything malicious. Don't actually phish anyone. Prove it minimally, report it, done. πŸ›‘οΈ

My Honest Tip

This is a numbers game that rewards good recon. The more subdomains you enumerate, the more likely you'll find a forgotten one. Run takeover checks as a routine part of every recon session β€” it's mostly automated, and every now and then it just hands you a clean, high-value bug.

Next post: CORS misconfigurations β€” when websites trust the wrong friends.

Claim the forgotten! 🏴