June 30, 2026
Subdomain Takeover: Claiming Forgotten Assets
What's up everyone! Nitin here

By Nitin Yadav
Subdomain takeover is one of the most satisfying bugs to find: you literally claim a piece of a company's domain for yourself. And it all comes back to that recon work we did earlier. Let me explain.
The Idea In Simple Terms
Companies create subdomains that point to OTHER services, like blog.target.com pointing to a hosting service, or shop.target.com pointing to a store platform.
Sometimes they stop using that service but FORGET to remove the pointer. So blog.target.com is still pointing at... nothing. An empty, unclaimed spot on that hosting service.
And here's the magic: if YOU go to that hosting service and claim that empty spot, now blog.target.com shows YOUR content. You've taken over their subdomain.
Why It's Dangerous
Think about it. You now control a page on the company's OWN trusted domain. You can:
- Host a convincing phishing page (it's on the real domain!)
- Steal cookies scoped to that domain
- Damage their reputation
- Bypass security that trusts their own subdomains
That's why programs pay well for these.
The Tell-Tale Sign
When you visit a vulnerable subdomain, you often see a specific error message from the hosting service, stuff like "There's no such app," "NoSuchBucket," "domain not configured," or a generic "page not found" from a known platform. That error is the service saying "this spot is empty and unclaimed."
How To Hunt It
- Do your subdomain enumeration and get the full list
- Check which subdomains point to external services (look at their DNS CNAME records)
- Visit them and look for those tell-tale "unclaimed" error pages
- Cross-check with a list of fingerprints (the can-i-take-over-xyz project on GitHub is the bible for this)
- Tools like subzy, nuclei (takeover templates), and subjack automate the detection
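The same steps turned around for the team that owns the zone, as an added example that is not from the original post: read a zone export, keep the CNAMEs that point outside your own domain, and flag any whose page shows one of the "unclaimed" strings quoted above. The function names, the `.example` hostnames and the canned responses are assumptions made for the illustration.

```python
# Added example. Fingerprints are the strings quoted in the post; the zone
# and responses are constructed sample data using reserved .example names.
FINGERPRINTS = ("There's no such app", "NoSuchBucket", "domain not configured")

def parse_cnames(zone_text):
    """Yield (name, target) for each CNAME line of a BIND-style zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop zone-file comments
        if "CNAME" in fields[1:-1]:                 # needs an owner and a target
            i = fields.index("CNAME", 1)
            yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()

def is_external(target, own_apex):
    """True when the CNAME target is outside the organisation's own domain."""
    return target != own_apex and not target.endswith("." + own_apex)

def audit(zone_text, own_apex, fetch_body):
    """Return [(name, target, fingerprint)] for external CNAMEs whose page
    shows an 'unclaimed' error. fetch_body(name) -> str is injected so the
    check can run against live HTTP or, as here, canned responses."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if not is_external(target, own_apex):
            continue                                # points inside our own domain
        body = fetch_body(name).lower()
        hit = next((f for f in FINGERPRINTS if f.lower() in body), None)
        if hit:
            findings.append((name, target, hit))
    return findings

# Constructed zone export and responses (not real hosts).
SAMPLE_ZONE = """\
blog.corp.example.   300 IN CNAME corp-blog.hosting.example.   ; retired blog
shop.corp.example.   300 IN CNAME corp.store.example.
www.corp.example.    300 IN CNAME lb.corp.example.
assets.corp.example. 300 IN CNAME corp-assets.storage.example.
"""
SAMPLE_BODIES = {
    "blog.corp.example": "<h1>There's no such app</h1>",
    "shop.corp.example": "<title>Corp Store</title>",
    "www.corp.example": "<title>Corp</title>",
    "assets.corp.example": "<Error><Code>NoSuchBucket</Code></Error>",
}

if __name__ == "__main__":
    print(audit(SAMPLE_ZONE, "corp.example", lambda n: SAMPLE_BODIES.get(n, "")))
```

Each finding is a DNS record to delete or repoint; the fix is removing the forgotten pointer, not re-registering the service.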
The Ethical Line (Important!)
When you find one, you usually just need to prove you COULD claim it, like showing the service would let you register that spot, or putting up a harmless proof page with your name. Don't host anything malicious. Don't actually phish anyone. Prove it minimally, report it, done.
My Honest Tip
This is a numbers game that rewards good recon. The more subdomains you enumerate, the more likely you'll find a forgotten one. Run takeover checks as a routine part of every recon session. It's mostly automated, and every now and then it just hands you a clean, high-value bug.
Next post: CORS misconfigurations, when websites trust the wrong friends.
Claim the forgotten!