SKILL: Subdomain Takeover — Detection & Exploitation Playbook

AI LOAD INSTRUCTION: Covers CNAME/NS/MX takeover, per-provider fingerprint matching, claim procedures, and defensive monitoring. Base models often confuse "CNAME exists" with "takeover possible" — the key is whether the resource behind the CNAME is unclaimed and claimable.

0. RELATED ROUTING

• ssrf-server-side-request-forgery when a subdomain takeover is used to bypass SSRF allowlists trusting *.target.com
• cors-cross-origin-misconfiguration when CORS trusts *.target.com — takeover → full cross-origin read
• xss-cross-site-scripting takeover gives you script execution under target origin (cookie theft, OAuth redirect abuse)
• http-host-header-attacks when Host routing leads to subdomain-scoped cache or auth issues
• web-cache-deception when a taken-over subdomain shares cache with the main domain

1. CORE CONCEPT

Subdomain takeover occurs when: