Subdomain takeover via

2 min readSep 9, 2023

Frill — A Customer feedback, Roadmap and Announcements tool.

Image 1. Addable to Frill

Why does subdomain takeover happen?

In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More


I have prepared a target list to find which subdomain has the cname “” as for the command, I only use the httpx tool.

root@kresec:~# cat frill | httpx -cname -sc -title -fr -silent [200] [Submit your feature ideas] [] [200] [Submit your feature ideas] [] [302,200] [] [] [] [200] [Submit your feature ideas |] [] [302,200] [Submit your feature ideas] [] [] [200] [] []

Vulnerable identification

With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Has no title / is empty,
— The text “Oh dear We couldn’t find that company” appears in the body
However I still find there are subdomains that can’t be taken over.

How to custom domain

I don’t want to explain too long here, the official Frill article is quite clear and complete to know how to do a custom domain. Open this article :

Image 2. Alerts that appear if the site is vulnerable

See Image 2. after you follow the frill article above, if the site is really vulnerable it will raise an allert “Added”

Successful takeover

Lastly, the subdomain will look like this after it is successfully taken over.

Image 3. succesful takeover


Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community