check_subdomain_takeover
Scan subdomains for dangling CNAMEs pointing to deprovisioned cloud services to detect subdomain takeover vulnerabilities.
Instructions
Sweep subdomains for dangling CNAMEs pointing to deprovisioned cloud services that could be claimed by an attacker (subdomain takeover vulnerabilities). Detects 16 provider families (AWS S3/CloudFront, Azure Front Door/CDN/Blob/App Service, GCP Cloud Storage, Heroku, GitHub Pages, Vercel, Firebase, Shopify, etc.). Use when asked if subdomains are pointing to deprovisioned cloud services. Pair with discover_subdomains for full inventory.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| domain | Yes | Domain to check (e.g., example.com). | |
| format | No | Output verbosity. Auto-detected if omitted. | |
| subdomains | No | Optional explicit subdomain list (full FQDNs or short labels). When provided (deduped, capped at 1000), this list is swept instead of the 15-name built-in list. Source it from Certificate Transparency enumeration or brand-audit discovery. | |
| force_refresh | No | Bypass cache and run a fresh check. Useful after DNS changes. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| score | Yes | | |
| passed | Yes | | |
| category | Yes | | |
| findings | Yes | | |
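
The sweep described under Instructions, sketched as an added example (not this tool's own code). It covers only the case where a CNAME target at a known provider no longer resolves. The suffix table, the finding keys, the treatment of short labels and the sample DNS data are assumptions constructed for illustration.

```python
# Added example. Suffixes and DNS data are constructed, not the tool's fingerprint list.
PROVIDER_SUFFIXES = {
    "s3.amazonaws.com": "AWS S3",
    "cloudfront.net": "AWS CloudFront",
    "azurewebsites.net": "Azure App Service",
    "herokuapp.com": "Heroku",
    "github.io": "GitHub Pages",
}
MAX_SUBDOMAINS = 1000  # cap stated in the input schema

def normalize(domain, subdomains):
    """Expand short labels to FQDNs under `domain`, dedupe, cap the list."""
    domain = domain.strip(".").lower()
    out = {}
    for name in subdomains:
        name = name.strip().strip(".").lower()
        if not name:
            continue
        # Assumption: anything not already under `domain` is a short label.
        if name != domain and not name.endswith("." + domain):
            name = f"{name}.{domain}"
        out[name] = None  # dict keeps first-seen order and drops duplicates
    return list(out)[:MAX_SUBDOMAINS]

def provider_for(target):
    """Match a CNAME target against provider suffixes on a label boundary."""
    target = target.rstrip(".").lower()
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None

def sweep(domain, subdomains, cname_of, resolves):
    """Return names whose CNAME points at a known provider but no longer resolves."""
    findings = []
    for fqdn in normalize(domain, subdomains):
        target = cname_of(fqdn)  # None when the name has no CNAME
        provider = provider_for(target) if target else None
        if provider and not resolves(target):
            findings.append({"subdomain": fqdn, "cname": target, "provider": provider})
    return findings

# Constructed sample zone data so the example runs offline.
SAMPLE_CNAMES = {"www.example.com": "example-prod.azurewebsites.net.",
                 "blog.example.com": "example-blog.herokuapp.com.",
                 "mail.example.com": "mail.mailhost.example."}
SAMPLE_LIVE = {"example-prod.azurewebsites.net"}  # targets that still resolve

def demo():
    names = ["www", "blog.example.com", "BLOG", "mail", "dev"]
    return sweep("example.com", names, SAMPLE_CNAMES.get,
                 lambda t: t.rstrip(".").lower() in SAMPLE_LIVE)
```

In a live check, `cname_of` and `resolves` would be backed by real DNS lookups; a dangling record is fixed by removing the CNAME or re-provisioning the resource it names.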