Cristian Cornea

Summary

The provided content discusses subdomain takeover vulnerabilities, detailing 25 bug bounty reports with insights into the attack vector, particularly through cloud services, and lists potential vulnerable Azure domains.

Abstract

The article delves into the concept of subdomain takeover attacks, where an attacker can hijack a subdomain and control the displayed content. It explains the process using a practical example involving an expired domain and its CNAME record. A particular focus is placed on subdomain takeovers through cloud services, with a list of Azure-related domains that may be susceptible to such attacks. The article also references a GitHub repository for further information on this topic. It highlights the top 25 bug bounty reports related to subdomain takeovers, sourced from the HackerOne platform, emphasizing the severity and financial impact of these vulnerabilities as evidenced by the bounties paid, which range from $500 to $8,000. The reports include various companies, with Starbucks being a recurring target, and underscore the importance of securing subdomain DNS configurations to prevent unauthorized takeovers.

Opinions

  • The author appears to have a keen interest in subdomain takeover vulnerabilities, especially through cloud services, suggesting a preference or expertise in this area.
  • The mention of a GitHub repository indicates a community-driven approach to identifying and mitigating subdomain takeover risks, highlighting the collaborative nature of cybersecurity research.
  • The selection of the top 25 reports based on upvotes, bounty amount, severity, complexity, and uniqueness suggests a curated list that values both the technical aspects and the practical impact of the vulnerabilities.
  • The repeated targeting of Starbucks' subdomains could imply either a broader attack surface for the company or a more active engagement in bug bounty programs compared to other entities.
  • The author's recommendation of an AI service at the end of the article implies a belief in the value of cost-effective, advanced AI tools for cybersecurity tasks, indicating an endorsement of such technologies in the field.

Top 25 Subdomain Takeover Bug Bounty Reports

In this article, we will discuss the Subdomain Takeover attack, and present 25 disclosed reports based on this flaw.

What is a Subdomain Takeover Vulnerability?

Theoretically, a Subdomain Takeover flaw is when an attacker can hijack a subdomain of a company and control what content is displayed when users navigate to it.

Practically, a Subdomain Takeover is achieved by gaining control, through compromise or registration, of the target that the subdomain's existing DNS CNAME record points to.

Let’s take the following example:

  1. We have the domain “xyz.com” with the subdomain “victim.xyz.com”.
  2. The “victim.xyz.com” subdomain has a CNAME record pointing to another domain, “promotional-campaign-xyz.com”.
  3. You find that “promotional-campaign-xyz.com” has expired and you are able to purchase it.
  4. Once “promotional-campaign-xyz.com” is under your control, you can serve any arbitrary content you want, and it will be displayed when a user accesses “victim.xyz.com”.

My Favorite Scenario: Subdomain Takeover through Cloud Services

I would like to mention one of my favorite Subdomain Takeover scenarios, which is hijacking CNAME records that point to cloud-related services, such as Traffic Manager from Azure.

The following is a list of domain suffixes for Azure services that are suspected of being vulnerable:

*.cloudapp.net
*.cloudapp.azure.com
*.azurewebsites.net
*.blob.core.windows.net
*.azure-api.net
*.azurehdinsight.net
*.azureedge.net
*.azurecontainer.io
*.database.windows.net
*.azuredatalakestore.net
*.search.windows.net
*.azurecr.io
*.redis.cache.windows.net
*.servicebus.windows.net
*.visualstudio.com
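The dangling-CNAME condition from the “victim.xyz.com” walkthrough and the Azure suffix list above, turned into a defensive DNS hygiene check. This is an added example, not code from the article; the `lookup` resolver, the zone data and all hostnames in it are constructed stand-ins, and `SAMPLE_DNS` would be replaced by real DNS queries in practice.

```python
from typing import Callable, Dict, List, Optional, Tuple

Record = Optional[Tuple[str, str]]   # ("CNAME", target) / ("A", ip) / None = NXDOMAIN

# Suffixes from the article's Azure list: a CNAME chain ending under one of
# these that no longer resolves points at a deleted cloud resource.
AZURE_SUFFIXES = (
    "cloudapp.net", "cloudapp.azure.com", "azurewebsites.net",
    "blob.core.windows.net", "azure-api.net", "azurehdinsight.net",
    "azureedge.net", "azurecontainer.io", "database.windows.net",
    "azuredatalakestore.net", "search.windows.net", "azurecr.io",
    "redis.cache.windows.net", "servicebus.windows.net", "visualstudio.com",
)

# Constructed zone data (hypothetical names) standing in for live DNS so the
# check runs offline; swap `lookup` for a real resolver in practice.
SAMPLE_DNS: Dict[str, Record] = {
    "victim.xyz.com": ("CNAME", "promotional-campaign-xyz.com"),
    "promotional-campaign-xyz.com": None,                # expired domain
    "app.xyz.com": ("CNAME", "xyz-prod.azurewebsites.net"),
    "xyz-prod.azurewebsites.net": None,                  # deleted App Service
    "www.xyz.com": ("CNAME", "xyz.example-cdn.net"),
    "xyz.example-cdn.net": ("A", "203.0.113.10"),        # healthy
}

def lookup(name: str) -> Record:
    return SAMPLE_DNS.get(name.rstrip(".").lower())

def follow_cname(name: str, resolve: Callable[[str], Record],
                 max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the CNAME chain; status is 'ok', 'nxdomain' or 'loop'."""
    chain = [name]
    for _ in range(max_hops):
        rec = resolve(chain[-1])
        if rec is None:
            return chain, "nxdomain"
        if rec[0] != "CNAME":
            return chain, "ok"
        chain.append(rec[1])
    return chain, "loop"            # too deep or circular: needs manual review

def cloud_suffix(host: str) -> Optional[str]:
    return next((s for s in AZURE_SUFFIXES if host == s or host.endswith("." + s)), None)

def classify(name: str, resolve: Callable[[str], Record] = lookup) -> dict:
    """Flag a subdomain whose CNAME target no longer resolves (dangling)."""
    chain, status = follow_cname(name, resolve)
    return {
        "name": name, "target": chain[-1], "status": status,
        "dangling": status == "nxdomain" and len(chain) > 1,  # own name missing is not a takeover
        "cloud_suffix": cloud_suffix(chain[-1]),
    }
```

An NXDOMAIN answer for the target is the signal a removed Azure resource or expired domain typically produces; providers that keep answering DNS for unclaimed names need a service-specific response check on top of this, which the block does not attempt.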

You can find more services like these by looking at this GitHub repository:

Top 25 Subdomain Takeover Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: Multiple Subdomain takeovers via unclaimed instances

Company: Starbucks

Bounty: $8,000

Link: https://hackerone.com/reports/276269

#2

Title: Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com

Company: Uber

Bounty: $5,000

Link: https://hackerone.com/reports/219205

#3

Title: Subdomain takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com

Company: Starbucks

Bounty: $4,000

Link: https://hackerone.com/reports/383564

#4

Title: Subdomain takeover on http://fastly.sc-cdn.net/

Company: Snapchat

Bounty: $3,000

Link: https://hackerone.com/reports/154425

#5

Title: Subdomain Takeover to Authentication bypass

Company: Roblox

Bounty: $2,500

Link: https://hackerone.com/reports/335330

#6

Title: Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com

Company: Uber

Bounty: $2,250

Link: https://hackerone.com/reports/149679

#7

Title: Subdomain takeover of mydailydev.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/570651

#8

Title: Subdomain takeover of d02-1-ag.productioncontroller.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/661751

#9

Title: Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/186766

#10

Title: Subdomain takeover on svcgatewayus.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/325336

#11

Title: Subdomain takeover of datacafe-cert.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/665398

#12

Title: Subdomain takeover on wfmnarptpc.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/388622

#13

Title: Subdomain takeover on developer.openapi.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/275714

#14

Title: Possible subdomain takeover at openapi.starbucks.com

Company: Starbucks

Bounty: $2,000

Link: https://hackerone.com/reports/241503

#15

Title: URGENT — Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS

Company: Twitter

Bounty: $1,680

Link: https://hackerone.com/reports/32825

#16

Title: Subdomain takeover of storybook.lystit.com

Company: Lyst

Bounty: $1,000

Link: https://hackerone.com/reports/779442

#17

Title: Hacker.One Subdomain Takeover

Company: HackerOne

Bounty: $1,000

Link: https://hackerone.com/reports/159156

#18

Title: Subdomain takeover at info.hacker.one

Company: HackerOne

Bounty: $1,000

Link: https://hackerone.com/reports/202767

#19

Title: Subdomain Takeover Via Insecure CloudFront Distribution cdn.grab.com

Company: Grab

Bounty: $1,000

Link: https://hackerone.com/reports/352869

#20

Title: Subdomain takeover #2 at info.hacker.one

Company: HackerOne

Bounty: $1,000

Link: https://hackerone.com/reports/209004

#21

Title: Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront

Company: Uber

Bounty: $1,000

Link: https://hackerone.com/reports/175070

#22

Title: Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry

Company: Ubiquiti Inc.

Bounty: $1,000

Link: https://hackerone.com/reports/145224

#23

Title: Subdomain Takeover using blog.greenhouse.io pointing to Hubspot

Company: Greenhouse.io

Bounty: $1,000

Link: https://hackerone.com/reports/38007

#24

Title: Bulgaria — Subdomain takeover of mail.starbucks.bg

Company: Starbucks

Bounty: $1,000

Link: https://hackerone.com/reports/736863

#25

Title: Subdomain takeover of resources.hackerone.com

Company: HackerOne

Bounty: $500

Link: https://hackerone.com/reports/863551

Bonus: 10 Zero Dollars Subdomain Takeover Reports

#1

Title: Subdomain takeover on usclsapipma.cv.ford.com

Company: Ford

Bounty: $0

Link: https://hackerone.com/reports/484420

#2

Title: Subdomain takeover of v.zego.com

Company: Zego

Bounty: $0

Link: https://hackerone.com/reports/1180697

#3

Title: Subdomain takeover due to misconfigured project settings for Custom domain.

Company: Flock

Bounty: $0

Link: https://hackerone.com/reports/428651

#4

Title: Subdomain takeover of images.crossinstall.com

Company: Twitter

Bounty: $0

Link: https://hackerone.com/reports/1406335

#5

Title: Subdomain takeover on dev-admin.periscope.tv

Company: Twitter

Bounty: $0

Link: https://hackerone.com/reports/531890

#6

Title: subdomain takeover at status0.stripo.email

Company: Stripo Inc

Bounty: $0

Link: https://hackerone.com/reports/737695

#7

Title: registry.nodejs.org Subdomain Takeover

Company: Node.js

Bounty: $0

Link: https://hackerone.com/reports/340580

#8

Title: GNIP subdomain take over

Company: Twitter

Bounty: $0

Link: https://hackerone.com/reports/189548

#9

Title: Domain Takeover in [obviousengine.com], a Snapchat acquisition

Company: Snapchat

Bounty: $0

Link: https://hackerone.com/reports/392785

#10

Title: [ii.worki.ru] emarsys subdomain takeover

Company: Mail.ru

Bounty: $0

Link: https://hackerone.com/reports/1287686

Thanks very much! Stay tuned for another article from the “Top 25 Bug Bounty Reports” series soon.
