
Subdomain Takeover

A vulnerability where an attacker claims control of a subdomain that points to an unclaimed or decommissioned external service.

Tags: vulnerability, DNS, infrastructure security

Subdomain takeover occurs when a DNS record (typically a CNAME) points to an external service (like GitHub Pages, Heroku, AWS S3, or Azure) that has been decommissioned but the DNS record remains. An attacker can register the abandoned resource on the external service, effectively taking control of the subdomain and serving arbitrary content under the target organization's domain.

This is particularly dangerous because the attacker controls a subdomain of a trusted organization. That enables convincing phishing pages, theft of cookies whose Domain attribute is set to the parent domain (since the browser sends those to every subdomain), and bypass of CORS or CSP policies that trust the organization's domain or a wildcard over its subdomains.

Organizations with many subdomains and frequent infrastructure changes are most at risk. Common targets include staging environments, marketing microsites, and deprecated services that were set up and forgotten.

How APVISO tests for this: APVISO's recon agent enumerates subdomains and checks each one for dangling DNS records pointing to unclaimed external services. It validates takeover potential by checking service-specific error pages that indicate the resource is available for registration.
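The dangling-record check described above, as an added example that is not APVISO's code: it classifies entries from a zone export by whether the CNAME points at a known provider, whether the target still resolves, and whether the page served carries that provider's "unclaimed resource" message. The provider fingerprint table, the `Record` fields and the sample zone are all constructed for illustration; in live use the `target_resolves` and `body` fields would come from DNS and HTTP lookups against your own subdomains.

```python
"""Audit a zone export for dangling CNAMEs (hypothetical helper, offline)."""
from dataclasses import dataclass

# Illustrative fingerprints: provider CNAME suffix -> substring shown on that
# provider's "nobody owns this resource" page. Constructed for this example;
# maintain such a table against each provider's current error pages.
PROVIDER_FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
    "azurewebsites.net": None,  # assumed: unclaimed name simply stops resolving
}

@dataclass
class Record:
    name: str               # subdomain in our zone
    cname: str              # CNAME target
    target_resolves: bool   # constructed; live use would query DNS
    body: str = ""          # constructed; live use would fetch over HTTP

def provider_for(cname):
    """Return the provider suffix a CNAME target belongs to, or None."""
    for suffix in PROVIDER_FINGERPRINTS:
        if cname == suffix or cname.endswith("." + suffix):
            return suffix
    return None

def classify(rec):
    provider = provider_for(rec.cname)
    if provider is None:
        return "unknown-provider"    # not in our table; review by hand
    fingerprint = PROVIDER_FINGERPRINTS[provider]
    if not rec.target_resolves:
        return "dangling-nxdomain"   # target gone; remove or re-point the record
    if fingerprint and fingerprint in rec.body:
        return "dangling-unclaimed"  # provider reports the resource is unowned
    return "ok"

def audit(records):
    return {r.name: classify(r) for r in records}

# Constructed sample zone: one healthy site, two forgotten ones, one NXDOMAIN.
SAMPLE_ZONE = [
    Record("docs.example.com", "example.github.io", True, "<h1>Docs</h1>"),
    Record("old-blog.example.com", "example.github.io", True, "There isn't a GitHub Pages site here."),
    Record("staging.example.com", "old-app.herokuapp.com", True, "No such app"),
    Record("promo.example.com", "promo-site.azurewebsites.net", False, ""),
    Record("cdn.example.com", "cdn.partner-cdn.example", True, ""),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ZONE).items():
        print(f"{name:24s} {status}")
```

Anything other than "ok" is a record to delete or re-point before decommissioning the service behind it, which is the remediation that closes the window.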
