How to find a subdomain takeover vulnerability

Hey guys,
Today we'll talk about the subdomain takeover vulnerability.
We will talk about how to find the vulnerability in all its forms and the tools used, but in terms of exploitation, we will explain the Heroku subdomain takeover.

Subdomain takeovers

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it. This can happen because either a virtual host hasn’t been published yet or a virtual host has been removed. An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.

Domain name (e.g., uses a CNAME record to another domain (e.g., CNAME

At some point in time, expires and is available for registration by anyone.

Since the CNAME record is not deleted from DNS zone, anyone who registers has full control over until the DNS record is present.
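The condition described above can be checked from the defender's side by auditing your own zone for CNAME records that still point at Heroku after the app is gone. This is an added example, not code from the original post; the BIND-style zone format, the Heroku hostname suffixes, the "No such app" error-page marker and all `example.com` data are assumptions or constructed samples.

```python
import urllib.error
import urllib.request

# Assumptions (not from the article): Heroku CNAME suffixes and error-page text.
HEROKU_SUFFIXES = (".herokuapp.com", ".herokudns.com")
UNCLAIMED_MARKER = "No such app"

# Constructed sample data: a BIND-style zone export and canned HTTP bodies.
SAMPLE_ZONE = """\
; example.com zone (constructed)
www.example.com.   300 IN CNAME cdn.example.net.
shop.example.com.  300 IN CNAME old-shop.herokuapp.com.
blog.example.com.  300 IN CNAME blog-prod.herokuapp.com.
api.example.com.   300 IN CNAME api-target.herokudns.com.
"""
SAMPLE_BODIES = {"shop.example.com": "<title>No such app</title>",
                 "blog.example.com": "<title>Company blog</title>"}

def parse_cnames(zone_text):
    """Yield (name, target) pairs for every CNAME record in the zone text."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop ';' comments
        if len(fields) >= 3 and "CNAME" in fields[1:-1]:
            yield fields[0].rstrip(".").lower(), fields[-1].rstrip(".").lower()

def fetch_body(host, timeout=5):
    """Return the HTTP response body for host, or None if it is unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 4xx/5xx pages still carry a body
        return err.read().decode("utf-8", "replace")
    except OSError:                         # DNS failure, refused, timeout
        return None

def audit(zone_text, fetch=fetch_body):
    """Classify each Heroku-bound CNAME as 'dangling', 'ok' or 'unreachable'."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if target.endswith(HEROKU_SUFFIXES):
            body = fetch(name)
            status = ("unreachable" if body is None
                      else "dangling" if UNCLAIMED_MARKER in body else "ok")
            findings.append((name, target, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, fetch=SAMPLE_BODIES.get):
        print(*finding)
```

A record reported as "dangling" is fixed by deleting the stale CNAME from the zone; "unreachable" entries deserve a manual look. Calling `audit()` without `fetch=` queries the live hostnames instead of the canned bodies.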

Now let's talk about how I was able to find a subdomain takeover vulnerability.
First, I was invited to a private program on Bugcrowd.
For example:
First, you should enumerate the subdomains of the website.
I recommend using Sublist3r.

Second, after getting the subdomains, we go to the tool that I advise you to use: the subdomain takeover vulnerability checker subzy.

After downloading the tool if the program * you can use this command

if the program use

Subdomain takeover vulnerability checker

Then I go to the vulnerable link.

After making sure that the subdomain is vulnerable, let's take over this domain.


1- Create an account on the Heroku website via

2- After logging in, go to and create a new app and set a name for the app.

3- Go to Settings.

4- Add domain: put the vulnerable subdomain without “http://” or “https://”, I mean then Next

5- Go to Deploy, then click on GitHub to connect your GitHub account. You must upload this file to your account; download it

6- After uploading the file and clicking on GitHub, put the name of the folder in your GitHub account, then connect.

For example, if you name the folder “ahmed”, put it in the search field.

your link >>>> xxx your name in github

7- Go to “Deploy a GitHub branch” below, click Deploy branch, and wait until it finishes deploying.

Now go to the vulnerable subdomain link and reload the page.

happy hacking
