What is a subdomain takeover?
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. This typically happens when the subdomain has a canonical name (CNAME) record or an address (A) record in the Domain Name System (DNS) that points to a cloud provider, but no host is providing content for it.
Hosts are typically resources rented at cloud providers like AWS, Azure, GCP, etc.
This attack vector persists because:
DNS records are often forgotten when services are removed.
DNS changes and cloud resource changes are handled by different teams.
Some cloud providers don’t validate ownership when a service endpoint is configured.
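One way to catch forgotten records is to reconcile a DNS zone export against the list of cloud endpoints you still own. The following is an added example, not YesWeHack's checkpoint logic: the zone lines, the inventory, and the provider suffix list are constructed for illustration, and only CNAME records are covered.

```python
# Assumption: illustrative provider suffixes, not YesWeHack's checkpoint list.
PROVIDER_SUFFIXES = (
    ".s3.amazonaws.com", ".elasticbeanstalk.com", ".azurewebsites.net",
    ".github.io", ".readthedocs.io", ".myshopify.com",
)

# Constructed sample data: zone export lines in "name TTL IN type value" form.
ZONE_EXPORT = """\
www.example.com.     300 IN CNAME example-prod.azurewebsites.net.
docs.example.com.    300 IN CNAME example-docs.readthedocs.io.
promo.example.com.   300 IN CNAME promo-2021.eu-west-1.elasticbeanstalk.com.
mail.example.com.    300 IN CNAME mail.example.net.
; old campaign, service removed last year
assets.example.com.  300 IN CNAME Example-Assets.s3.amazonaws.com.
api.example.com.     300 IN A     203.0.113.10
"""

# Constructed sample data: endpoints the cloud team still owns.
LIVE_ENDPOINTS = {
    "example-prod.azurewebsites.net",
    "example-docs.readthedocs.io",
}

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def parse_cnames(zone_text):
    """Yield (record_name, target) per CNAME line; skip comments and other types."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            yield normalize(fields[0]), normalize(fields[4])

def find_dangling(zone_text, live_endpoints):
    """Return CNAMEs that point at a provider suffix but match no owned endpoint."""
    live = {normalize(e) for e in live_endpoints}
    return [
        (name, target)
        for name, target in parse_cnames(zone_text)
        if target.endswith(PROVIDER_SUFFIXES) and target not in live
    ]

if __name__ == "__main__":
    for name, target in find_dangling(ZONE_EXPORT, LIVE_ENDPOINTS):
        print(f"REVIEW {name} -> {target}: no matching resource in inventory")
```

Records it flags should be either removed from DNS or re-attached to a resource you control.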
How to prevent subdomain takeover?
YesWeHack has included specific checkpoints in its Security Check solution to prevent subdomain takeover. Start by activating "Continuous Security Check Scans" to enable this feature.
ℹ️ Learn more about how to configure checkpoints & assets here.
Go to the "Admin Panel"
Click on "Attack Surface" in the left-side menu
Go to "Security Check"
Activate "Continuous Security Check Scans"
In the "Assets" tab, you can select which asset(s) the security checks run on. You can select them individually, in bulk, or all at once.
The "Checkpoints" tab of the same page lets you select which checkpoint(s) to activate. Subdomain Takeover checkpoints are displayed in this list and, like other checkpoints, are activated by default.
ℹ️ YesWeHack’s Vulnerability Intelligence team maintains state-of-the-art knowledge of providers vulnerable to subdomain takeovers and creates or adapts checkpoints accordingly.
At the time of writing, YesWeHack’s checkpoints cover the following cloud providers:
AWS bucket
Azure
ElasticBeanstalk
GitHub App
ReadTheDocs
Shopify
Short.io
Wix
WordPress
GCP
Where can I view the results?
ℹ️ Detected Issues are the results of Security Check on the platform. When a vulnerability is identified (including Subdomain Takeover), a "Detected Issue" report will be triggered.
Open the "Attack Surface" page through the top banner
In the "Primary Assets" tab, open a primary asset to display the details. A red bug icon will show the detected issues in the "Risks" column.
Click on a "Host"
The "Detected Issues" tab centralizes every detected issue identified for this host (including Subdomain Takeover)
A “Subdomain Takeover” detected issue must be validated before it can be converted into a Vulnerability Report. To validate it and create the report:
Go to a given “Subdomain Takeover” detected issue
Click on "Confirm"
A new report is now created in your Vulnerability Center and can be managed like any other vulnerability report.
ℹ️ Learn more about the Vulnerability Center here.






