Hi everyone, I found a subdomain takeover recently on Dell, and I wanted to write a write-up of it. I hope you enjoy it!

First of all, I chose a bounty program. Then, as usual, I started with a subdomain scan. I scanned all the subdomains using subfinder. The scan finished, and I probed the output using httpx. I separated live and dead subdomains then started my research by checking for subdomain takeovers.


Subdomain takeover is the process of registering a non-existing domain name to gain control over another domain. It generally occurs when there is a domain name (e.g. using a CNAME record to another domain (e.g. CNAME At some point, expires and is available for registration by anyone. If the CNAME record is not deleted from the DNS zone, anyone who registers to has full control over until the DNS record is present.

Since you get a basic understanding of subdomain takeover vulnerability and impact of it, we can now skip to how to find a subdomain takeover, and how I found one.

Subdomain takeover is only possible on dead subdomains because the flaw occurs when an expired subdomain’s CNAME records are not deleted. So we can ignore the live subdomains. We need to check every dead subdomain. We can do it manually, or we can use a script that automates the process for us. I’m going to show you both two methods.


First things first we need to see every dead subdomain and their CNAME records. We can use a simple command to do that: dig. You can use it like the following:

Dig Results

The output of this command is important and we are going to use that later. And we need to see the responses they return. We can use a browser to do it, but there are tools that take screenshots of the subdomains we specify, like aquatone. Since we can see the contents of dead subdomains, we need to see if the subdomain returns a custom error message or something else. If it returns an error message, we are going to use the error message and the ( in this situation) that we have seen in the output of the dig command and learn that if it is possible to takeover a subdomain. You can use can-i-take-over-xyz.


The method and process are the same, but tools can do all the process instead of us. I used a tool called subjack which is written in golang and is really fast. You can download it from here: subjack.

Once I found the bug, I skipped to the Proof of Concept to write and submit my report.


After finding a subdomain with a Heroku app in its dig results, I visited the page which led me to the following error page:

Heroku Error Message

(This is not the same error page that I encountered but I forgot to take a screenshot since I was in a hurry to report it :) )

Then I visited can-i-take-over-xyz and looked to the engine column and found Heroku with the error message it returns, “app not found”. It was the same error as I saw in the dead subdomain.

Later, I visited the official website of Heroku engine and tried to take the subdomain over. And I was successful doing it :) To proof it, I left a little message on the subdomain:

Proof of Concept

I tried to tell you about how I found a subdomain takeover vulnerability on Dell as much as I could. Thank you for reading it :)

My Twitter:

Web Application Security Researcher |