Description
can-i-take-over-xyz is a community-maintained reference list documenting which services are vulnerable to subdomain takeover and which are not. For each service, it provides the CNAME fingerprint, takeover status, and documentation. This is the definitive resource for checking if a dangling DNS record is exploitable.
Usage
TEXT
# This is a reference resource, not a tool
# Visit: https://github.com/EdOverflow/can-i-take-over-xyz
# Check the README table for:
# - Service name
# - CNAME pattern
# - Takeover status (Yes/No/Edge Case)
# - Response fingerprint
# - Documentation/writeup linkKey Services Status
TEXT
# VULNERABLE (commonly exploitable):
AWS S3 — "NoSuchBucket"
GitHub Pages — "There isn't a GitHub Pages site here"
Heroku — "No such app"
Shopify — "Sorry, this shop is currently unavailable"
Surge.sh — "project not found"
Tumblr — "Whatever you were looking for doesn't currently exist"
WordPress.com — "Do you want to register"
# NOT VULNERABLE (or patched):
AWS CloudFront — requires matching certificate
Azure — depends on service type
Cloudflare — not directly takeover-able
Fastly — requires matching configCommon Workflows
BASH
# Step 1: Enumerate subdomains
subfinder -d target.com -silent > subs.txt
# Step 2: Check for CNAME records
cat subs.txt | dnsx -cname -resp-only | sort -u
# Step 3: Cross-reference CNAMEs with can-i-take-over-xyz
# Check if the CNAME target matches a vulnerable service pattern
# Step 4: Verify with actual fingerprint check
# Visit the subdomain → match error message against reference
# Step 5: Claim the resource on the service provider