- Severity
- High · CVSS 7.5
- Target
- Enterprise Automotive Company
- Date
- 2026-03
- Category
- Subdomain Takeover / Session Fixation
Subdomain Takeover with Cookie Tossing via Domain-Scoped Session
A subdomain had a dangling CNAME pointing to a deprovisioned third-party hosting service (NXDOMAIN). An attacker could claim the namespace and gain full control. The impact was amplified because another subdomain set session cookies scoped to the parent domain, enabling cookie tossing and session fixation.
Attack Chain
Step 1: Dangling CNAME discovered
DNS record pointed to a third-party hosting service that no longer existed.
Step 2: Target resolves to NXDOMAIN
The hosting platform was operational but this specific instance was deprovisioned: namespace available for claiming.
Step 3: Domain-scoped session cookie enables chaining
A sibling subdomain set a session cookie scoped to the parent domain: accessible from the taken-over subdomain.
What Scanners Would Miss
Subdomain takeover tools flag dangling CNAMEs. They don't cross-reference cookie scoping on sibling subdomains to identify the session fixation chain.
By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.