Severity
High · CVSS 7.5
Target
Enterprise Automotive Company
Date
2026-03
Category
Subdomain Takeover / Session Fixation

Subdomain Takeover with Cookie Tossing via Domain-Scoped Session

A subdomain had a dangling CNAME pointing to a deprovisioned third-party hosting service (NXDOMAIN). An attacker could claim the namespace and gain full control. The impact was amplified because another subdomain set session cookies scoped to the parent domain, enabling cookie tossing and session fixation.

Attack Chain

    Step 1: Dangling CNAME discovered

    DNS record pointed to a third-party hosting service that no longer existed.

    Step 2: Target resolves to NXDOMAIN

    The hosting platform was operational but this specific instance was deprovisioned: namespace available for claiming.

    Step 3: Domain-scoped session cookie enables chaining

    A sibling subdomain set a session cookie scoped to the parent domain: accessible from the taken-over subdomain.

What Scanners Would Miss

Subdomain takeover tools flag dangling CNAMEs. They don't cross-reference cookie scoping on sibling subdomains to identify the session fixation chain.

By the Pinaka team · Published for educational purposes. All findings were responsibly disclosed.