FixVibe

// dns / 聚焦

Subdomain Takeover

A CNAME pointing at an unclaimed cloud resource is an invitation to host phishing on your domain.

概要

Subdomain takeover is the rare class of bug that costs zero dollars to find and zero dollars to exploit, and gives the attacker your domain's reputation. The pattern: a marketing campaign in 2022 used `promo-summer.yourdomain.com` pointing at a Heroku app. The campaign ended; someone deleted the Heroku app. Nobody deleted the DNS CNAME. Two years later, the CNAME still resolves — Heroku just returns a 404 'no such app' page. An attacker creates a new Heroku app named `promo-summer`, claims the dangling CNAME, and now serves any content they want from `promo-summer.yourdomain.com` with a valid TLS cert (Heroku auto-provisions one). Phishing pages, malware downloads, fake login portals — all hosted on your real domain.

運作方式

Cloud services let you point a CNAME at them and serve content from a name they assign. When you delete the resource on the cloud side but leave the DNS record, the cloud responds with a recognizable error pattern (a 404 page, a 'no such app' message, an 'NoSuchBucket' XML response). The takeover candidate list includes most cloud and SaaS services that issue per-tenant subdomains: AWS S3 (`*.s3.amazonaws.com`), Heroku (`*.herokuapp.com`), Netlify (`*.netlify.app`), Vercel (`*.vercel.app`), GitHub Pages (`*.github.io`), Shopify (`*.myshopify.com`), Tumblr, Zendesk, Webflow, and dozens more. Each has a distinct error fingerprint when the underlying resource is gone — that's how scanners detect takeover candidates.

變種

Cloud-provider takeover

CNAME points at AWS S3 / Heroku / Netlify / Vercel / GitHub Pages. Attacker provisions a new resource with the same name. Most common shape; trivial to exploit.

SaaS takeover

CNAME points at a SaaS support tool (Zendesk, Helpscout, Intercom). Attacker signs up for a free account with the same subdomain claim and serves their content.

Wildcard-cert takeover

Attacker who claims one subdomain on a domain with a wildcard TLS cert can sometimes intercept other subdomains via certificate-authority issuance abuse.

Lame-delegation takeover

DNS NS records delegate to a nameserver that no longer hosts the zone. Attacker registers the abandoned hosting account and answers queries.

影響范圍

Phishing pages on `yourdomain.com` — bypassing every browser warning, every URL-trust heuristic, every customer expectation that 'links from yourdomain.com are safe.' Eats your domain's deliverability reputation when phishing campaigns get reported. Cookie-scope abuse when the parent domain shares cookies (Domain=`.yourdomain.com`) with the takeover-candidate subdomain — attacker can read those cookies. Stored-XSS-style impact when attacker JavaScript on the subdomain has cookie access for the parent. Brand damage and customer trust loss compound the technical impact.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe checks DNS and takeover risk with non-destructive ownership, resolution, and service-state signals. Reports show the risky host or record and the cleanup path. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Delete DNS records when you decommission cloud resources. Make 'remove DNS' part of every decommission runbook. Audit subdomain DNS regularly — `dig` your full zone, list every CNAME, verify each target resolves to a resource you control. Tools like `subjack`, `subzy`, and `nuclei` automate the check; bake one into your security CI on a weekly cadence. For wildcard-cert risk, prefer per-subdomain certs over wildcards where possible (Let's Encrypt makes this cheap). Monitor certificate transparency logs for new certs issued for your domain — services like Cert Spotter or crt.sh's monitoring API alert on unexpected issuance. As a structural defense, prefer using your apex domain or a small set of canonical subdomains rather than spinning up per-campaign or per-environment subdomains; fewer DNS records means fewer abandoned ones to take over.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

DNS
20
本類别中触發的测試
模塊
3
專属 dns 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

Subdomain Takeover — 漏洞聚焦 | FixVibe · FixVibe