takeoverlisted

Subdomain takeover playbook — sweep subdomains for dangling CNAMEs / NS records pointing at unclaimed third-party resources (GitHub Pages, S3, Heroku, Azure, Netlify, Shopify, ...), confirm with the engine's HTTP fingerprint, then prove impact by claiming the resource in scope. Use when enumerating subdomains for dangling CNAME/NS records pointing at unclaimed third-party services.
Wulan234/agent · ★ 0 · AI & Automation · score 75
Install: claude install-skill Wulan234/agent
# Subdomain takeover playbook

A subdomain points (via CNAME, NS, or an A record on a shared host) at a third-party service. The resource on that service was deleted, expired, or never claimed — but the DNS record still exists. An attacker registers the same resource on the provider and serves arbitrary content on the victim's hostname. Severity is usually **high** to **critical** because the takeover puts the attacker inside the victim's origin (cookie scope, CSP allowlists, OAuth `redirect_uri` allowlists, SAML SP entity IDs, email DKIM/SPF includes, ...).

> Stay in scope. Only test takeovers against domains the program
> explicitly authorizes. A successful takeover *is* serving content on
> someone else's host — drop a benign HTML file (`takeover proof for
> <handle>, contact <email>`) and stop.

Execution rule: operate on real subdomains and provider fingerprints from the scoped program. Never write literal placeholders such as `<provider>`, `<handle>`, or `<email>` to files; ask once for proof text if a provider requires a claim page.

## 1. Enumerate every subdomain

Use whatever recon you have. Curl-first sources you can hit without extra tooling:

```sh
# CT logs via crt.sh
curl -s 'https://crt.sh/?q=%25.target.example.com&output=json' \
  | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u > subs.txt

# Anubis-DB
curl -s 'https://jldc.me/anubis/subdomains/target.example.com' \
  | jq -r '.[]' >> subs.txt

# Hackertarget (rate-limited)
curl -s 'https://api.hackertar
```
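A defender-side companion to the sweep described above, added here and not part of the playbook: parse your own zone's CNAME records, flag targets that no longer resolve, and separately list records on takeover-prone providers that still need the HTTP fingerprint check before they count as safe. The zone text, the offline resolver state and the provider suffix list are constructed assumptions.

```python
"""Audit a zone's CNAME records for dangling targets (defensive check, added example)."""
import re

# Constructed BIND-style zone fragment; not from any real zone.
SAMPLE_ZONE = """
$ORIGIN example.com.
www     300 IN A     203.0.113.10
blog    300 IN CNAME corp-blog.github.io.
assets  300 IN CNAME corp-assets.s3.amazonaws.com.
app     300 IN CNAME old-app.herokuapp.com.
shop    300 IN CNAME shops.myshopify.com.
"""

# Assumed hostname suffixes for the providers the playbook names; review before use.
PROVIDER_SUFFIXES = ("github.io", "s3.amazonaws.com", "herokuapp.com",
                     "azurewebsites.net", "netlify.app", "myshopify.com")

# Constructed offline resolver state: these targets "resolve", anything else acts
# like NXDOMAIN. In production pass a real lookup (e.g. socket.gethostbyname).
FAKE_DNS = {"corp-blog.github.io.", "corp-assets.s3.amazonaws.com.", "shops.myshopify.com."}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)

def parse_cnames(zone_text):
    """Return {owner FQDN: target} for every CNAME RR, applying $ORIGIN to relative owners."""
    origin, cnames = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if m:
            owner, target = m.groups()
            cnames[owner if owner.endswith(".") else f"{owner}.{origin}"] = target
    return cnames

def classify(cnames, resolves):
    """'dangling': target does not resolve. 'verify': resolves but points at a provider
    whose unclaimed names may still answer DNS, so fingerprint the HTTP response too."""
    out = {"dangling": [], "verify": []}
    for owner, target in sorted(cnames.items()):
        if not resolves(target):
            out["dangling"].append(owner)
        elif target.rstrip(".").endswith(PROVIDER_SUFFIXES):
            out["verify"].append(owner)
    return out
```

Run it as `classify(parse_cnames(SAMPLE_ZONE), FAKE_DNS.__contains__)`; with the constructed data only `app.example.com.` is reported dangling, while the three provider-hosted records land in the verify list.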