Subdomain Takeover Scanner
Discover every subdomain of a domain you own, then test each for dangling references on 13 cloud providers — one of the most common attack vectors in the wild.
What is a subdomain takeover?
A subdomain takeover happens when you have a DNS record (usually a CNAME) pointing at a third-party service — say, an old marketing page on Heroku, an S3 bucket, or a Shopify store — and the underlying resource is deleted but the DNS entry is forgotten. An attacker can then claim the unclaimed name on the same provider and serve arbitrary content from your subdomain.
The risk profile is severe: phishing pages served from a genuine subdomain of your own domain bypass most reputational filters, and any cookies scoped to the parent domain (analytics, login state) are sent by the browser to the attacker's subdomain on every request, because cookie scoping is looser than the Same-Origin Policy's host-by-host isolation.
How attackers find vulnerable subdomains
Subdomain enumeration uses Certificate Transparency logs (every publicly trusted certificate issued for your domain is logged and searchable), DNS brute-force against common name lists, and zone-transfer attempts on misconfigured nameservers. Once enumerated, an attacker checks each subdomain's CNAME against signature lists for known cloud providers — exactly what this scanner does.
The 13 providers we test
- AWS S3 (critical — easiest to exploit)
- GitHub Pages (critical)
- Heroku (critical)
- Netlify (critical)
- Vercel (critical)
- Azure Blob Storage (critical)
- Azure App Service (critical)
- Fastly (high)
- AWS CloudFront (high)
- Shopify (high)
- Zendesk (medium)
- Cargo Collective (medium)
- HubSpot (medium)
DomainOps' main app keeps this list current and adds new providers as they're catalogued — see can-i-take-over-xyz for the canonical reference.
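As an added example (not code from DomainOps or its scanner), this is the passive check described above: follow each subdomain's CNAME chain, match the final target against a signature registry for the 13 providers, and rank findings by severity. The signature patterns and the example.com records are assumptions constructed for illustration; a real run would feed it the CNAMEs collected from CT logs and DNS lookups.

```python
import re
# Provider signatures (provider, severity, regex on the final CNAME target); the patterns are illustrative assumptions, verify against can-i-take-over-xyz.
SIGNATURES = [(p, s, re.compile(rx)) for p, s, rx in [
    ("AWS S3", "critical", r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
    ("GitHub Pages", "critical", r"\.github\.io$"),
    ("Heroku", "critical", r"\.heroku(?:app|dns)\.com$"),
    ("Netlify", "critical", r"\.netlify\.(?:app|com)$"),
    ("Vercel", "critical", r"\.vercel(?:\.app|-dns\.com)$"),
    ("Azure Blob Storage", "critical", r"\.blob\.core\.windows\.net$"),
    ("Azure App Service", "critical", r"\.azurewebsites\.net$"),
    ("Fastly", "high", r"\.fastly\.net$"),
    ("AWS CloudFront", "high", r"\.cloudfront\.net$"),
    ("Shopify", "high", r"\.myshopify\.com$"),
    ("Zendesk", "medium", r"\.zendesk\.com$"),
    ("Cargo Collective", "medium", r"\.cargocollective\.com$"),
    ("HubSpot", "medium", r"\.(?:hubspot\.net|hs-sites\.com)$"),
]]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def follow_cname(name, records, max_hops=8):
    """Follow the CNAME chain in `records` (name -> target) from `name` and return the
    final target, lowercased without a trailing dot; loops and long chains stop early."""
    cur, seen = name.lower().rstrip("."), set()
    while cur in records and cur not in seen and len(seen) < max_hops:
        seen.add(cur)
        cur = records[cur].lower().rstrip(".")
    return cur

def classify(records, own_domain):
    """(subdomain, final_target, provider, severity) for each chain leaving `own_domain` to a known provider, most severe first."""
    own = own_domain.lower().rstrip(".")
    findings = []
    for name in records:
        target = follow_cname(name, records)
        if target == name.lower().rstrip(".") or target == own or target.endswith("." + own):
            continue  # no CNAME at all, or an alias that stays under our own zone
        for provider, severity, pat in SIGNATURES:
            if pat.search(target):
                findings.append((name, target, provider, severity))
                break
    findings.sort(key=lambda f: (SEVERITY_RANK[f[3]], f[0]))
    return findings

# Constructed sample zone export (subdomain -> CNAME target); not real records.
RECORDS = {
    "old-promo.example.com": "old-promo-app.herokuapp.com",
    "assets.example.com": "example-assets.s3-website-us-east-1.amazonaws.com",
    "www.example.com": "web.example.com",                # internal alias that ...
    "web.example.com": "d111111abcdef8.cloudfront.net",  # ... chains out to CloudFront
    "help.example.com": "example.zendesk.com",
    "mail.example.com": "ghs.googlehosted.com",          # provider not in registry: no risk flagged
}
```

A match only says the name points at a provider, not that the resource is unclaimed; confirming that still needs the HTTP verification step the FAQ describes.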
FAQ
Is it legal to scan a domain I don't own?
We restrict free scans to passive techniques (CT logs + DNS lookups). No HTTP probing of subdomains happens here, so the scan is no more invasive than typing the domain into a search engine. That said: you should only scan domains you own or have explicit permission to test.
Why can't the scanner verify findings via HTTP?
The free tool is pattern-match only — we tell you which CNAMEs point at provider domains, but not whether the resource is actually unclaimed. The full DomainOps app does live HTTP verification with provider-specific signatures.
How is this rate-limited?
Five scans per IP per day. Subdomain enumeration is expensive — CT log providers throttle, DNS brute-force takes thousands of lookups — and the cap keeps the service available.
How long does a scan take?
Most scans complete in 20–40 seconds. There's a hard 90s ceiling — if exceeded, you'll see partial results. Larger domains (thousands of subdomains) commonly hit the limit on the free tier; the paid tier removes it.
What if my subdomain points at a provider you don't test?
We'll list the subdomain in "all discovered" but flag no risk. New providers are added to the registry over time — sign up to get coverage as it expands.
What's a real-world example?
Public bug-bounty disclosures on Hacktivity show subdomain takeovers paying $500–$10k+ across major vendors. Common pattern: marketing team spins up a Heroku app, the app is deleted six months later, the DNS record survives untouched.
How does DomainOps differ from this free tool?
The full app monitors continuously (so you're alerted the moment a subdomain becomes vulnerable), supports bulk scanning across all your domains, runs HTTP verification, and integrates with your alerting (Slack, email, Teams, webhook). Sign up free.
Where do you get the subdomain wordlist for brute-force?
We use a curated common-subdomain list of around 70 entries (www, mail, api, app, admin, blog, dev, staging, …). The full DomainOps app uses a much larger list and supports custom wordlists.