Subzy – Subdomain takeover Vulnerability Checker Tool

Subzy is the tool that identifies or checks the subdomain takeover on the target domain or multiple subdomains. Subzy is the Golang language based-tool. Subdomain takeover tool, which works based on matching response fingerprints from can-i-take-over-xyz. This automated scanner can help you in bug bounty programs to find Subdomain Takeover bugs in the target website. The usage of the Subzy tool is convenient and straightforward. The results returned are also relevant. You get the live status of each subdomain, whether it is vulnerable or not. If it’s susceptible, then you will get the status of vulnerable. Various flags can enhance the output of results in the terminal window.

Note: As Subzy is a Golang language-based tool, so you need to have a Golang environment on your system. So check this link to download Golang in your system. – How to Install Go Programming Language in Linux

What is Subdomain?

Web Application consists of various functionalities. The website cannot embed each function in a single page, so the administrator or website owner creates a subdomain for the main domain and splits the functionality into these subdomains. A single subdomain can have multiple subdomains.

For Example, geeksforgeeks.org is the main domain that has multiple subdomains like :

1. write.geeksforgeeks.org
2. practice.geeksforgeeks.org
3. internships.geeksforgeeks.org

What is Subdomain Takeover?

The rights and permission to manage the subdomains are in the website owner’s hands, but what if we manage the subdomains without rights. Yes, we can do that, which is known as Subdomain Takeover. Subdomain Takeover is the vulnerability of gain control over a specific subdomain by an unidentified or unauthorized person. The hackers successfully take the subdomain in his control and do whatever he wants, like creating a new database, creating a phishing website or cloning the domain, etc. 

Installation of Subzy Tool in Kali Linux Machine

Step 1: If you have downloaded Golang in your system, verify the installation by checking the version of Golang, use the following command.

go version

Step 2: Get the Subzy repository or clone the Subzy tool from Github, use the following command.

sudo go get -u -v github.com/lukasikic/subzy

Step 3: Install the Subzy Tool, use the following tool.

sudo go install -v github.com/lukasikic/subzy

Step 4: Now Tool is installed successfully, check the help page of the tool to get a better understanding of tool usage.

subzy -h

Working with Subzy Tool

Example 1: single Target Subdomain

subzy -target practice.geeksforgeeks.org/

In the below Screenshot, only a single subdomain is passed to check whether it is vulnerable to Subdomain Takeover or not. The -target flag or tag is passed along with the target subdomain which specifies the single target usage.

Example 2: Multiple Target Subdomains

1. The below screenshot shows the targets_urls.txt file which contains multiple subdomains which will be tested at the same instance.

2. In the below screenshot, the entire targets_urls.txt file is passed with the -targets flag which is used to check the multiple subdomains for subdomain takeover at the same instance.

subzy -targets target_urls.txt

Example 3: Show only Potentially Vulnerable Subdomains

In the above images, you must have seen the message NOT VULNERABLE, HTTP ERROR so to avoid this and get only vulnerable subdomains to result, -hide_fails tag is used, it results only the vulnerable URLs rather than showing everything.

Example 4: HTTPS by Default

-https flag forces HTTPS protocol if  no protocol is defined for the target (default false)

Example 5: Check Target only if SSL is Valid

In this example, SSL is valid so subzy tool won’t check sites with insure SSL and return HTTP Error in the message. -verify_ssl tag is used.

Example 6: Concurrent Requests

If the concurrent value is set other than default then subzy tool checks more than the default value (10) subdomains at a time, in the below screenshot the value is 20 so 20 subdomains are checked concurrently. -concurrency tag is used.

Example 7: HTTP Request Timeout 

In this example, the timeout value is set to 20 so the subzy tool will wait 20 sec to check the response from the domain server. If the server doesn’t respond within 20 seconds then the next subdomain is checked. -timeout tag is used.

Subzy is the fastest tool to check multiple subdomains list in a single command. You can use this methodology in Bug Bounty Programs and find the Subdomain Takeover Vulnerability in the Target Subdomains.