In the name of ALLAH, the most gracious, the most merciful.
Subdomain enumeration can lead to significant discoveries, and in this case, it led me to a critical subdomain takeover on Ford Motors.
Target and Tools
Target: ford.com domain.
Tools: My custom Go tools, SubFalcon for subdomain enumeration and Subov88r for takeover checks.
# SubFalcon: https://github.com/cyinnove/subfalcon
go install github.com/h0tak88r/cyinnove/cmd/subfalcon@latest
subfalcon -l domains.txt# Subov88r: https://github.com/cyinnove/subov88r
go install github.com/cyinnove/subov88r@latest
subov88r -f subfalconResults.txtThe Discovery
One subdomain appeared potentially vulnerable (<subdomain>.trafficmanager.com), but initial checks (from can i takeover x,y,z repository ) suggested otherwise. Still, I trusted my instincts and manually investigated. Success! I took over the CNAME, proving the vulnerability.
Reporting
I reported the issue as high severity, and Ford Motors later upgraded it to critical. The issue has since been resolved.
For the full story and technical details, check out my complete write-up on GitBook: Exploring Subdomains: From Enumeration to Takeover Victory.
