README.md

File metadata and controls

135 lines (100 loc) · 3.36 KB

Subdomain Takeover Detection Nuclei Template

Advanced detection of subdomains vulnerable to takeover across major cloud providers and SaaS platforms.

📖 Overview

This Nuclei template identifies potential subdomain takeover vulnerabilities by analyzing:

  • Service-specific error patterns
  • HTTP headers
  • Response characteristics
  • CNAME clues

It combines the fingerprints catalogued in can-i-take-over-xyz with multi-layer verification to keep accuracy high.

✨ Key Features

  • 50+ Service Patterns
    AWS, GitHub, Heroku, Firebase, Shopify, Azure, Cloudflare + niche platforms
  • False Positive Reduction
    • Generic error page exclusion
    • Response time/size validation
    • Header verification
  • Smart Fingerprinting
    • Service identification
    • CNAME pattern extraction
  • Multi-Phase Detection
    4-stage verification process
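To make the layered verification described in the Overview and Key Features concrete, here is an added, stand-alone example (not the template's own code) that runs one captured DNS/HTTP observation through four stages: CNAME-based service identification, provider-specific fingerprint matching (so a generic 404 is not counted as evidence), Server-header verification, and a body-size sanity check. The body fingerprints and CNAME suffixes are the public ones catalogued in can-i-take-over-xyz; the Server-header expectations and the size threshold are this example's own assumptions.

```python
import re

# Per provider: CNAME suffix pattern, body text returned for a dangling resource,
# and the Server header expected from that provider (None = not checked).
# Fingerprints are the public can-i-take-over-xyz ones; the header values and
# the size limit below are assumptions made for this example.
SERVICES = {
    "github-pages": (re.compile(r"\.github\.io$"), "There isn't a GitHub Pages site here.", "GitHub.com"),
    "heroku": (re.compile(r"\.herokuapp\.com$"), "No such app", None),
    "aws-s3": (re.compile(r"\.s3[\w.-]*\.amazonaws\.com$"), "The specified bucket does not exist", "AmazonS3"),
    "shopify": (re.compile(r"\.myshopify\.com$"), "Sorry, this shop is currently unavailable.", None),
}
MAX_ERROR_BODY = 16 * 1024  # assumed upper bound for a provider "not found" page


def identify_service(cname: str):
    """Stage 1: map the CNAME target (as printed by dig, trailing dot allowed) to a provider."""
    target = cname.rstrip(".").lower()
    for name, (pattern, _, _) in SERVICES.items():
        if pattern.search(target):
            return name
    return None


def check_takeover(cname: str, status: int, headers: dict, body: str) -> dict:
    """Run all four stages over one observation and return the verdict with its reason."""
    service = identify_service(cname)
    if service is None:
        return {"service": None, "candidate": False, "reason": "CNAME not on a known provider"}
    _, fingerprint, expected_server = SERVICES[service]
    # Stage 2: only the provider's own "resource missing" text counts; a plain
    # 404 or default web-server error page is excluded as generic.
    if fingerprint not in body:
        return {"service": service, "candidate": False, "reason": "no provider fingerprint (generic error excluded)"}
    # Stage 3: header verification where the provider has a stable Server value.
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if expected_server and expected_server.lower() not in server.lower():
        return {"service": service, "candidate": False, "reason": f"unexpected Server header {server!r}"}
    # Stage 4: size sanity; a large page that merely quotes the phrase is likely a live site.
    if len(body.encode()) > MAX_ERROR_BODY:
        return {"service": service, "candidate": False, "reason": "body too large for a provider error page"}
    return {"service": service, "candidate": True, "reason": f"{fingerprint!r} with HTTP {status}"}


if __name__ == "__main__":
    # Constructed sample observation: a CNAME still pointing at a removed GitHub Pages site.
    print(check_takeover("old-docs.github.io.", 404, {"Server": "GitHub.com"},
                         "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"))
```

A `candidate` verdict is only a lead; the Validation Workflow below (CNAME check, provider dashboard) still has to confirm it.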

🚀 Usage

Basic Scan

nuclei -t subdomain-takeover-pro-plus.yaml -u target.com

Recommended Flags

nuclei -t subdomain-takeover-pro-plus.yaml \
  -list domains.txt \
  -retries 2 \
  -timeout 5 \
  -rate-limit 150 \
  -headless

📦 Installation

  1. Install Nuclei:
     go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
  2. Clone the template repository:
     git clone https://github.com/yourusername/subdomain-takeover-templates.git
  3. Update regularly:
     nuclei -update && nuclei -ut

🔍 Validation Workflow

  1. Verify CNAME Records
     dig CNAME vulnerable-subdomain.example.com
  2. Check Service Status
     Use provider dashboards/APIs to confirm resource availability
  3. Cross-Reference
     Consult can-i-take-over-xyz for current vulnerabilities

❗ Ethical Note: Always obtain proper authorization before testing.

🤝 Contributing

Help improve detection:

  1. Report false positives/negatives via Issues
  2. Submit new service patterns via PR
  3. Update existing matchers for service changes

# Template structure
subdomain-takeover-pro-plus.yaml
├── Service patterns
├── Header checks
└── Response validation

❓ FAQ

Q: How do I handle false positives?
A: Use the -debug flag and check the extracted service/CNAME clues

Q: Which services are covered?
A: AWS, GitHub, Heroku, Firebase, Shopify, Azure + 45+ others (see the full list in the template)

Q: Are authenticated scans supported?
A: Add custom headers with -H 'Authorization: Bearer token'

Q: Is manual verification needed?
A: Always required before reporting vulnerabilities

📚 References

📜 License

MIT License - See LICENSE. Use responsibly.
