Advanced detection of subdomain takeover vulnerabilities across major cloud providers and SaaS platforms.
This Nuclei template identifies potential subdomain takeover vulnerabilities by analyzing:
- Service-specific error patterns
- HTTP headers
- Response characteristics
- CNAME clues
Combines techniques from can-i-take-over-xyz with multi-layer verification for high accuracy.
- 50+ Service Patterns: AWS, GitHub, Heroku, Firebase, Shopify, Azure, Cloudflare + niche platforms
- False Positive Reduction
  - Generic error page exclusion
  - Response time/size validation
  - Header verification
- Smart Fingerprinting
  - Service identification
  - CNAME pattern extraction
- Multi-Phase Detection: 4-stage verification process
nuclei -t subdomain-takeover-pro-plus.yaml -u target.com
nuclei -t subdomain-takeover-pro-plus.yaml \
-list domains.txt \
-retries 2 \
-timeout 5 \
-rate-limit 150 \
-headless
- Install Nuclei:
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
- Clone template repository:
git clone https://github.com/yourusername/subdomain-takeover-templates.git
- Update regularly:
nuclei -update && nuclei -ut
- Verify CNAME Records
dig CNAME vulnerable-subdomain.example.com
- Check Service Status: Use provider dashboards/APIs to confirm resource availability
- Cross-Reference: Consult can-i-take-over-xyz for current vulnerabilities
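The multi-layer idea described above (a CNAME clue and a service error pattern must agree, and generic error pages are ignored), shown as an added Python example that is not part of the template or this repository. The three fingerprints, the `Observation` type and the sample records are illustrative assumptions constructed for the example; can-i-take-over-xyz tracks the current fingerprints.

```python
import re
from dataclasses import dataclass

# Illustrative fingerprints assumed for this example (not taken from the template):
# service -> (CNAME suffix regex, error text served for an unclaimed resource).
FINGERPRINTS = {
    "github-pages": (r"\.github\.io\.?$", "There isn't a GitHub Pages site here."),
    "aws-s3": (r"\.s3[.-]([a-z0-9-]+\.)*amazonaws\.com\.?$", "NoSuchBucket"),
    "heroku": (r"\.herokuapp\.com\.?$", "No such app"),
}

@dataclass
class Observation:
    host: str
    cname: str   # answer from `dig CNAME host`, "" when there is none
    status: int  # HTTP status of the response
    body: str    # HTTP response body

def classify(obs):
    """Return (verdict, service); 'likely-dangling' needs every layer to agree."""
    cname = obs.cname.lower()
    body_only = None
    for service, (cname_re, marker) in FINGERPRINTS.items():
        cname_hit = re.search(cname_re, cname) is not None
        body_hit = marker in obs.body
        if cname_hit and body_hit and obs.status >= 400:
            return "likely-dangling", service
        if body_hit and body_only is None:
            body_only = service
    if body_only:
        # Error text without a matching CNAME or error status, e.g. a page quoting it.
        return "review", body_only
    return "ok", None  # generic error pages and claimed resources end up here

# Constructed sample records; a real run would fill these from dig and an HTTP client.
SAMPLES = [
    Observation("docs.example.com", "example-org.github.io.", 404,
                "<p>There isn't a GitHub Pages site here.</p>"),
    Observation("blog.example.com", "", 200,
                "Fixing the 'There isn't a GitHub Pages site here.' error"),
    Observation("shop.example.com", "example-shop.herokuapp.com.", 200, "<h1>Welcome</h1>"),
    Observation("old.example.com", "", 404, "<h1>404 Not Found</h1><hr>nginx"),
    Observation("assets.example.com", "example-assets.s3.amazonaws.com.", 404,
                "<Code>NoSuchBucket</Code>"),
]

if __name__ == "__main__":
    for obs in SAMPLES:
        print(obs.host, *classify(obs))
```

A "likely-dangling" verdict is only a lead for the manual steps above; a "review" verdict usually means the error text appears on a page that is not served by that provider.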
❗ Ethical Note: Always obtain proper authorization before testing.
Help improve detection:
- Report false positives/negatives via Issues
- Submit new service patterns via PR
- Update existing matchers for service changes
# Template structure
subdomain-takeover-pro-plus.yaml
├── Service patterns
├── Header checks
└── Response validation
Q: How to handle false positives?
A: Use the -debug flag and check extracted service/CNAME clues
Q: Which services are covered?
A: AWS, GitHub, Heroku, Firebase, Shopify, Azure + 45+ others (see full list in template)
Q: Support authenticated scans?
A: Add custom headers with -H 'Authorization: Bearer token'
Q: Need manual verification?
A: Always required before reporting vulnerabilities
MIT License - See LICENSE. Use responsibly.