Discover subdomains and check for dangling CNAME records pointing to unclaimed cloud services. Identifies potential subdomain takeover vulnerabilities across GitHub Pages, Heroku, S3, Netlify, Shopify, and 10+ other services.
Last updated:
A subdomain takeover occurs when a DNS CNAME record points to a third-party service that has been deprovisioned. Because the DNS record still exists but the service is unclaimed, an attacker can register the target service and serve arbitrary content on the victim's subdomain. This enables phishing, session hijacking via shared cookies, and reputational damage.
A subdomain takeover occurs when a subdomain's DNS CNAME record points to a third-party service (like GitHub Pages or Heroku) that the domain owner no longer controls. An attacker can claim the abandoned service and serve their own content on the victim's subdomain, enabling phishing, cookie theft, or reputation damage.
The scanner discovers subdomains via HackerTarget and Certificate Transparency logs, then resolves each subdomain's CNAME record via Cloudflare DNS-over-HTTPS. CNAMEs pointing to known cloud services (GitHub Pages, Heroku, S3, Netlify, etc.) are flagged. The tool then checks if the CNAME target actually resolves, as unresolvable targets indicate potential takeover.