Notes on "Subdomain Takeover: Ignore This Vulnerability at Your Peril"

This article describes the implications if an attacker gains control over one of your subdomains, such as

How can that happen? For example, you start using a third-party service ( is the example in the article), set up a CNAME record pointing at it ( and later cancel the service. Now someone else can register the same account with that service, and with it they get full control over the subdomain.

Another scenario is when different products are managed by different teams (, and some are protected less carefully than others. A breach in one can affect the security of the others.

The article discusses several implications, but the most surprising for me is CSRF.

Cookies have a SameSite attribute that is supposed to prevent the browser from sending them when a request is made cross-site. The problem is that the boundary is cross-site, not cross-origin: is the same site as , so when the victim goes to and sends a request to , even SameSite=Strict cookies will be sent!

Unless the server at performs other checks, a subdomain takeover therefore opens the door to CSRF attacks.

How to defend against this?

I'm currently looking into the Sec-Fetch-Site header the browser sends. With it, the server can tell same-origin requests apart from cross-origin (but same-site) ones and reject the latter.
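The following is an added example, not code from the article or its author, showing what such a server-side check can look like. It treats only `same-origin` and `none` (user-initiated navigation) as acceptable for state-changing requests, rejects `same-site` (the taken-over-subdomain case that SameSite cookies do not stop) and `cross-site`, and falls back to an exact Origin comparison for browsers that do not send Fetch Metadata. The `own_origin` value, the `SAFE_METHODS` set and all hostnames (`example.com` placeholders) are assumptions made for the example.

```python
# Added example (not from the article): a server-side check that uses the
# Sec-Fetch-Site request header to reject state-changing requests coming from a
# different origin, even when that origin is a subdomain of the same site.
from typing import Mapping, Optional

# Assumed: methods that must not change server state and so need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def request_allowed(method: str, headers: Mapping[str, str], own_origin: str) -> bool:
    """Return True if a request may be allowed to change state.

    own_origin is the scheme://host[:port] this server considers itself to be
    (an assumed configuration value). The Sec-Fetch-Site values checked here are
    the ones defined by Fetch Metadata: same-origin, same-site, cross-site, none.
    """
    if method.upper() in SAFE_METHODS:
        return True

    site = _get_header(headers, "Sec-Fetch-Site")
    if site is not None:
        site = site.strip().lower()
        # "same-origin": scheme, host and port all match ours.
        # "none":        user-initiated navigation (typed URL, bookmark); no page triggered it.
        # "same-site":   a sibling or parent domain, i.e. exactly the hijacked-subdomain
        #                case, which SameSite cookies alone do not prevent.
        # "cross-site":  a different registrable domain.
        return site in ("same-origin", "none")

    # Browsers without Fetch Metadata: fall back to an exact Origin match.
    origin = _get_header(headers, "Origin")
    if origin is None:
        # Assumption for this example: a state-changing request carrying neither
        # header is rejected rather than trusted.
        return False
    return origin.rstrip("/").lower() == own_origin.rstrip("/").lower()


def classify_samples() -> dict:
    """Run the check over constructed sample requests (hostnames are placeholders)."""
    own = "https://app.example.com"
    samples = {
        "same_origin_post": ("POST", {"Sec-Fetch-Site": "same-origin"}),
        "subdomain_post": ("POST", {"Sec-Fetch-Site": "same-site",
                                    "Origin": "https://old.example.com"}),
        "cross_site_post": ("POST", {"Sec-Fetch-Site": "cross-site"}),
        "user_navigation": ("POST", {"sec-fetch-site": "none"}),
        "legacy_same_origin": ("POST", {"Origin": "https://app.example.com"}),
        "legacy_subdomain": ("POST", {"Origin": "https://old.example.com"}),
        "legacy_no_headers": ("POST", {}),
        "safe_get": ("GET", {"Sec-Fetch-Site": "same-site"}),
    }
    return {name: request_allowed(m, h, own) for name, (m, h) in samples.items()}


if __name__ == "__main__":
    for name, allowed in classify_samples().items():
        print(f"{name:20s} {'allowed' if allowed else 'rejected'}")
```

The `subdomain_post` sample is the scenario from the article: the browser reports `same-site`, the cookies were attached, and only this header check stops the request. Keeping safe methods free of the check matters: GET handlers must then genuinely be side-effect free, or they become the CSRF target instead.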

July 8, 2024
