Subdomain Takeover occurs when a subdomain's DNS record points to an external service that no longer claims that slot. The subdomain is left dangling — pointing at nothing — and anyone who registers the unclaimed slot on the provider inherits full control over the subdomain.

Think of it like a phone number that was disconnected. If the telecom re-issues it to someone new, all calls to the old owner now reach a stranger — under the same number the victim trusts.

How It Works — DNS Deep Dive:

Company creates shop.company.sa → CNAME → company.saas-provider.com

SaaS contract ends. Tenant deleted — but DNS record remains.

Slug is unclaimed: shop.company.sa → ... → 0.0.0.0

Attacker registers the slug. Attacker IP now resolves under the company's trusted domain.

The 0.0.0.0 resolution is the fingerprint — it confirms the tenant slug has been released by the provider.

The Finding:


Attack Scenario — Kill Chain:


Impact:

  • Phishing pages under a legitimate, trusted domain
  • Cookie theft scoped to .company.sa
  • XSS chains against sibling subdomains
  • Zero detection — no logs, no alerts on the company side

Tools & Methodology:


Remediation:

Immediate: Remove the dangling CNAME from DNS if the SaaS integration is inactive

High: Run automated dangling CNAME audits weekly across all DNS zones

Medium: Contact the SaaS provider to confirm the slug cannot be re-registered

Medium: Tag all CNAME records with provider name and provisioning state
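The weekly dangling-CNAME audit from the remediation list, and the 0.0.0.0 fingerprint described in the DNS walk-through above, can be checked from the defender's side with a CNAME-chain walker like the one below. This is an added example, not code from the original post or from any provider; the zone contents, the provider hostnames and the stub resolver are constructed, and a real deployment would replace `stub_resolver` with live lookups (for example via dnspython).

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str      # record in the company zone that is dangling
    chain: list    # full CNAME chain that was followed
    reason: str    # why it was flagged

def follow_cname(name, resolver, max_hops=8):
    """Walk the CNAME chain for `name`; return (chain, terminal answer or None on NXDOMAIN)."""
    chain, current = [name], name
    for _ in range(max_hops):
        rr = resolver(current)
        if rr is None:                      # NXDOMAIN: nothing answers for this name
            return chain, None
        rtype, value = rr
        if rtype != "CNAME":                # reached an A/AAAA answer, chain ends here
            return chain, value
        chain.append(value)
        current = value
    raise RuntimeError("CNAME loop or chain too long: " + " -> ".join(chain))

def audit_dangling_cnames(zone, resolver):
    """Flag CNAMEs whose chain ends in NXDOMAIN or in 0.0.0.0 (released tenant slug)."""
    findings = []
    for name, (rtype, _) in zone.items():
        if rtype != "CNAME":
            continue
        chain, answer = follow_cname(name, resolver)
        if answer is None:
            findings.append(Finding(name, chain, "NXDOMAIN: CNAME target no longer exists"))
        elif answer == "0.0.0.0":
            findings.append(Finding(name, chain, "resolves to 0.0.0.0: provider released the slug"))
    return findings

# Constructed sample zone (hypothetical names, not real infrastructure).
COMPANY_ZONE = {
    "shop.company.sa":   ("CNAME", "company.saas-provider.com"),
    "blog.company.sa":   ("CNAME", "company.blog-host.example"),
    "legacy.company.sa": ("CNAME", "company.old-vendor.example"),  # vendor gone entirely
    "www.company.sa":    ("A", "203.0.113.10"),
}
# Constructed view of what the wider DNS returns; None (absent key) models NXDOMAIN.
WORLD = dict(COMPANY_ZONE)
WORLD.update({
    "company.saas-provider.com": ("CNAME", "edge.saas-provider.com"),
    "edge.saas-provider.com":    ("A", "0.0.0.0"),        # the fingerprint from the post
    "company.blog-host.example": ("A", "198.51.100.7"),   # still claimed, healthy
})

def stub_resolver(name):
    return WORLD.get(name)

if __name__ == "__main__":
    for f in audit_dangling_cnames(COMPANY_ZONE, stub_resolver):
        print(f"{f.name}: {' -> '.join(f.chain)} [{f.reason}]")
```

Running it flags `shop.company.sa` (chain ends in 0.0.0.0) and `legacy.company.sa` (NXDOMAIN) while leaving the healthy blog and www records alone.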

"A failed HTTP request is not always the end of the story — sometimes it is the beginning of one."

DNS is not a passive record system. It is an active attack surface. Treat it accordingly.

Majid Aljuhani | SAP Basis Security Administrator · Bug Bounty Researcher
