loading
loading
Vulnerabilities
Subdomain takeover tool driven by response fingerprints from can-i-take-over-xyz.
overview
subzy reads a list of subdomains and tests each one for a takeover condition. It requests the host, reads the response, and matches it against the fingerprint set maintained in the can-i-take-over-xyz project. When a subdomain points at a deprovisioned cloud service that still answers with a claimable error page, subzy flags it as vulnerable so you can register the dangling resource before an attacker does.
The check is response-driven, so it stays fast and avoids the false positives that come from CNAME inspection alone. You can scan a single host, a comma-separated set, or a file of thousands of subdomains, and tune concurrency, request timeout, and HTTPS handling to match the scope. Hiding failed results keeps the output focused on the hosts worth acting on.
On Trickest, subzy is a Vulnerabilities-category node that takes a subdomain list and writes a file and a folder of results. Place it after subdomain enumeration: discovery produces the candidate names, subzy confirms which ones resolve to claimable services, and the findings land as a queryable output you can triage or alert on.
source github.com/LukaSikic/subzy
use cases
Feed a full subdomain list into subzy so every host is tested against the live fingerprint set, surfacing only the names that point at claimable, dangling services.
Catch subdomains that still CNAME to a deleted S3 bucket, GitHub Pages site, or Heroku app, the exact conditions an attacker uses to hijack a domain.
Set -hide_fails to drop non-vulnerable hosts and raise -concurrency so a wide scope finishes quickly with output that only lists actionable findings.
Wire discovery plus subzy into a scheduled Trickest workflow so newly created subdomains are tested for takeover as they appear, without a manual pass.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -target | Single or multiple subdomains separated by comma. |
| targets | FILE | -targets | File of subdomains to scan, the usual pipeline input. |
| concurrency | STRING | -concurrency | Number of concurrent checks (default 10). |
| timeout | STRING | -timeout | Request timeout in seconds (default 10). |
| hide-fails | BOOLEAN | -hide_fails | Do not display non-vulnerable results. |
| force-https | BOOLEAN | -https | Force HTTPS when the target has no protocol defined. |
| dont-verify-ssl | BOOLEAN | -verify_ssl | Skip sites with insecure SSL instead of returning an HTTP error. |
Showing key inputs. subzy exposes 7 inputs in total.
example
# scan a subdomain list, hide non-vulnerable hosts, raise concurrencysubzy -targets subdomains.txt -hide_fails -concurrency 50 -timeout 15[ VULNERABLE - GitHub Pages ] https://assets.example.com[ VULNERABLE - Amazon S3 ] https://cdn.example.com[ NOT VULNERABLE ] https://api.example.com[ NOT VULNERABLE ] https://app.example.com[ NOT VULNERABLE ] https://staging.example.com[ HTTP ERROR ] https://legacy.example.comResults vulnerable: 2 not vulnerable: 3 errors: 1guidance
Reach for subzy when you have a subdomain list and want to know which hosts are takeover candidates. It checks against the can-i-take-over-xyz fingerprints, so it complements a generic DNS tool by confirming the response actually looks claimable. Pair it with subfinder upstream for the names and tko-subs as a second opinion.
Also detects and can take over dead DNS records. Uses a CMS providers CSV rather than the can-i-take-over-xyz fingerprint set.
Finds the subdomains in the first place. Run it before subzy, not instead of it.
Has takeover templates among thousands of other checks. subzy is purpose-built and faster for this one job.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A domain feeds subfinder, which enumerates subdomains and passes them to subzy, which flags the takeover candidates as a queryable output.
Facts on this page come from the live Trickest tool library.