Consolidates the 2026-06-12 passive-Web2 session's takeover lessons into ONE reusable methodology. Run this against any program with a broad wildcard scope. Source lessons: web2-firebase-hosting-dangling-domain-fingerprint, web2-statuspage-custom-domain-host-header-discriminator, web2-vercel-deployment-not-found-vs-claimability, web2-takeover-claimed-vs-claimable-distinction, web2-cname-empty-field-vs-dangling-distinction, web2-ct-source-failover-and-claimed-cname-fingerprint, 2026-06-11-web2-fresh-program-claimed-cname-takeover-triage.
Takeover EV is highest on LARGE, SPRAWLING, MULTI-ACQUISITION orgs (forgotten subdomains from M&A / many brands / old products), NOT small/fresh targets. Session evidence: Playtika + Spotify + Elastic (sprawling, multi-brand) each yielded a candidate; Sentry/Moov/Taiko/Doppler (small/clean) yielded none; Yahoo (sprawling BUT well-managed) yielded none. So: sprawl raises PROBABILITY, management-quality lowers it. Pick big multi-brand wildcard scopes; expect hundreds of hosts.
curl "https://api.certspotter.com/v1/issuances?domain=DOMAIN&include_subdomains=true&expand=dns_names" (rate-limits 429 without a key).https://api.hackertarget.com/hostsearch/?q=DOMAIN, rapiddns, certspotter.A dangling pointer is only a finding if an attacker can actually BIND it. Two sub-checks: (a) Provider serves the UNCLAIMED fingerprint (not the org's real content), AND (b) The provider's custom-domain VERIFICATION GATE does not block re-binding. Most modern providers have a gate (TXT record / team-verification / account-binding) that PREVENTS takeover even when the pointer dangles - which downgrades the candidate to informational. You CANNOT confirm (b) passively; it requires an authorized active claim-test. So passive output = "candidate, claimability UNCONFIRMED."
| Provider | Unclaimed fingerprint | Claimability gate (blocks takeover if present) |
|---|---|---|
| Firebase Hosting | Anycast A (151.101.x.x) + generic "Site Not Found" page | Project must add the custom domain; modern Firebase may require ownership proof |
| Atlassian Statuspage | CNAME *.stspg-customer.com; real-Host fetch 302s to statuspage.io with NO x-statuspage-version (claimed sibling HAS it) |
Free-tier custom-domain bind WITHOUT TXT verification = claimable; if TXT enforced = informational |
| Vercel | x-vercel-error: DEPLOYMENT_NOT_FOUND (+ often an expired cert) |
Apex/team domain-verification gate; if enforced = not claimable |
| GitHub Pages | "There isn't a GitHub Pages site here" | Repo must add the CNAME; org-owned verification can block |
| AWS S3-website | NoSuchBucket |
Bucket name globally re-creatable = claimable (no gate) - higher confidence |
| CloudFront | distribution-not-found (NOT an origin 4xx - distinguish) | re-pointable only if the distribution alias is free |
server: / cf-mitigated: / x-datadome:..git/.env/random-path all return 200 with the SAME body = Vercel/Netlify SPA shell, NOT a real file/deployment. Diff a random path to confirm.auth/login/gdpr/api/admin/status > generic.4 sprawl lanes -> 3 candidates (Playtika/Firebase, Spotify/Statuspage, Elastic/Vercel), all Medium + claimability-pending; 1 clean (Yahoo). 4 small-target lanes -> 0. Bottleneck after staging: operator authorization for the active claim-test (one decision covers all candidates).