Subdomain Takeover
Subdomain takeover occurs when DNS records point to deprovisioned external services that attackers can claim. If a CNAME or A record points to a cloud service, GitHub Pages, Heroku app, or other platform that no longer has your account associated, an attacker can register that resource and serve content from your subdomain.
Why It Matters
Attackers can serve malicious content from your trusted subdomain, steal cookies set for parent and sibling domains, bypass same-origin policy controls, and conduct highly convincing phishing attacks using your brand's domain. A single dangling DNS record can compromise your entire user base.
How We Check
We check CNAME and A records pointing to external platforms and test for unclaimed resource indicators — HTTP 404s with platform-specific error messages, 'NoSuchBucket' responses from S3, GitHub Pages 404 pages, Heroku error pages, and similar signals that indicate the resource is claimable.
How to Fix
Remove DNS records for decommissioned services before canceling the associated service accounts. Regularly audit all subdomains for dangling CNAMEs. When deprovisioning cloud resources, always remove the DNS record first — then delete the cloud resource. Use a subdomain inventory spreadsheet or automated monitoring to catch new risks.
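An added example (not this scanner's own code) of the check described under How We Check, usable for the regular audit recommended above: it classifies a recorded subdomain inventory by CNAME target and by the platform error text in the observed response. The `Record` fields, the sample hosts, and the GitHub Pages and Heroku marker strings are assumptions; only 'NoSuchBucket' is named on this page.

```python
from dataclasses import dataclass

# CNAME suffix -> (platform, body text shown when the resource is unclaimed).
# 'NoSuchBucket' is named on this page; the GitHub Pages and Heroku strings
# are assumptions (commonly seen error text) and should be verified.
FINGERPRINTS = {
    ".s3.amazonaws.com": ("Amazon S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("Heroku", "No such app"),
}

@dataclass
class Record:
    host: str    # our subdomain
    cname: str   # CNAME target taken from the zone export
    status: int  # HTTP status observed when fetching the host
    body: str    # response body observed when fetching the host

def classify(rec: Record) -> str:
    """Return 'dangling', 'ok' or 'unknown-platform' for one record."""
    target = rec.cname.rstrip(".").lower()
    for suffix, (_platform, marker) in FINGERPRINTS.items():
        if target.endswith(suffix):
            # Require both the 404 and the platform's own error text, so an
            # application's ordinary 404 page is not reported as dangling.
            if rec.status == 404 and marker.lower() in rec.body.lower():
                return "dangling"
            return "ok"
    return "unknown-platform"  # not a listed platform: review by hand

def audit(records):
    """Return (host, cname) pairs whose DNS record should be removed."""
    return [(r.host, r.cname) for r in records if classify(r) == "dangling"]

# Constructed sample inventory; hosts and bodies are made up for illustration.
SAMPLE = [
    Record("assets.example.com", "old-assets.s3.amazonaws.com.", 404,
           "<Error><Code>NoSuchBucket</Code></Error>"),
    Record("docs.example.com", "example-org.github.io", 404,
           "There isn't a GitHub Pages site here."),
    Record("shop.example.com", "shop-prod.herokuapp.com", 404, "<h1>Page not found</h1>"),
    Record("blog.example.com", "example-blog.github.io", 200, "Fixing NoSuchBucket errors"),
    Record("mail.example.com", "mx.mailhost.example.net", 200, ""),
]

if __name__ == "__main__":
    for host, cname in audit(SAMPLE):
        print(f"remove DNS record: {host} -> {cname}")
```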