Website Subdomains

A subdomain is a prefix added to a main domain name to create a separate, distinct web address under the same root domain. It helps organize and segment content, services, or environments without purchasing a new domain.

Structure:
subdomain.example.com

• subdomain → the chosen prefix (e.g., blog, shop, dev)

• example.com → the main (root) domain

• .com → the top-level domain (TLD)

---

Common Uses

• Service separation: mail.example.com for email, shop.example.com for e-commerce

• Testing & development: dev.example.com, staging.example.com

• Regional targeting: us.example.com, fr.example.com

• Branding or campaigns: promo.example.com

---

Key Points

• Configured via DNS (commonly as an A or CNAME record).

• Inherit the root domain but can have independent servers, websites, and configurations.

• Search engines may treat subdomains as separate sites.

• Different from subdirectories (e.g., example.com/blog), which stay within the same main website structure.

---

Cybersecurity & Pentesting Perspective

Risks:

• Attack surface expansion: Each subdomain can be a potential entry point.

• Forgotten/abandoned subdomains: May still be online but unmaintained, containing outdated or vulnerable code.

• Subdomain takeover: If a subdomain’s DNS points to a third-party service that’s no longer claimed, attackers can register it and serve malicious content.

• Misconfigurations: Incorrect DNS, authentication, or access control on subdomains can leak sensitive information.

Pentesting Considerations:

• Subdomain enumeration: Identify all subdomains using tools like Sublist3r, Amass, assetfinder, or passive sources (search engines, certificate transparency logs).

• Check for takeovers: Especially for services like GitHub Pages, AWS S3, Heroku, or abandoned hosting.

• Service fingerprinting: Determine the technology stack and potential vulnerabilities for each subdomain.

• Access control testing: Ensure sensitive environments (dev., admin., internal.) are restricted.

• Wildcard subdomains: If enabled without proper security, they can be abused for phishing or malware hosting.

Example (for hydrattack.com):

• portal.hydrattack.com – Customer login page (must be HTTPS secured).

• api.hydrattack.com – API endpoint (should require authentication and rate limiting).

• dev.hydrattack.com – Development server (should be behind VPN or access control).