How to find subdomain takeover vulnerability ?

Hey guys
Today we'll talk about subdomain takeover vulnerability
We will talk about how to find the vulnerability in all its forms and the tools used, but in terms of exploitation, we will explain the exploitation of the subdomain takeover heroku

Subdomain takeovers

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it. This can happen because either a virtual host hasn’t been published yet or a virtual host has been removed. An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.

Domain name (e.g., sub.example.com) uses a CNAME record to another domain (e.g., sub.example.com CNAME anotherdomain.com).

At some point in time, anotherdomain.com expires and is available for registration by anyone.

Since the CNAME record is not deleted from example.com DNS zone, anyone who registers anotherdomain.com has full control over sub.example.com until the DNS record is present.

Now let's talk about how I was able to find subdomain takeover vulnerability
First, I was invited to the Private Program on Bugcrowd
For example
https://www.target.com
First you should enumerate subdomains of the website
I recommend you to use Sublist3r

https://github.com/aboul3la/Sublist3r

Second, after getting subdomains
We go to this tool that I advise you to use Subdomain takeover vulnerability checker subzy .

https://github.com/LukaSikic/subzy

After downloading the tool if the program *.target.com you can use this command

if the program xxx.target.com use

Subdomain takeover vulnerability checker

Then i go to vulnerable link http://community.target.com

After we made sure that the subdomain is vulnerable . Now let's taveover this domain

Exploitation:-

1- create account in heroku website via https://signup.heroku.com/login

2-after login go to https://dashboard.heroku.com/apps and create new app and set name for app .

3-go to settings

4- Add domain put vulnerable subdomain without “http:// or https://” i mean community.target.com then Next

5- go to deploy then click on github to connect your account in github you must upload this file in your account download it https://github.com/blackangl1/subdomain-takeover-

6- After uploading file and click on github put name of folder in your github account then connect .

for example if you make name of folder “ahmed” in search filed put it

your link https://github.com/xxx/ahmed >>>> xxx your name in github

7- go to Deploy a GitHub branch below and click Deploy branch and wait until it finish from Deploying

Now go to vulnerable subdomain link and reload page .

happy hacking

Don’t forget to follow me, I have more stories waiting for you, friend, to tell you

Bye