HEXL
Catalog/osint-domain-takeover

OSINT

Subdomain takeover risk check API

Resolve a domain's CNAME chain (via Cloudflare DNS-over-HTTPS, keyless) and flag dangling-CNAME / subdomain-takeover risk by matching unclaimed-service fingerprints (GitHub Pages, S3, Heroku, Azure, etc.) — takeover-risk detection, not just resolution. Answers 'is this subdomain vulnerable to takeover', 'what does this CNAME point to', 'dangling CNAME check', 'subdomain takeover risk for this host'.

Price$0.01per request
MethodPOST
Route/v1/osint/domain-takeover
StatusLive
MIME typeapplication/json
Rate limit60/minute
Cache3600s public
osinttakeoversubdomaincnamednssecuritydanglingfingerprint
API URLhttps://x402.hexl.dev/v1/osint/domain-takeover
Integration docs
Example request
{
  "domain": "blog.example.com"
}
Example response
{
  "domain": "blog.example.com",
  "cnameChain": [
    "myorg.github.io"
  ],
  "finalTarget": "myorg.github.io",
  "finalResolves": false,
  "service": "GitHub Pages",
  "vulnerable": true,
  "risk": "high",
  "reasons": [
    "CNAME points to GitHub Pages.",
    "Final target does not resolve (dangling CNAME) — resource may be unclaimed.",
    "Unclaimed GitHub Pages repo can be registered by an attacker."
  ]
}
Input schema
{
  "type": "object",
  "required": [
    "domain"
  ],
  "properties": {
    "domain": {
      "type": "string",
      "minLength": 1,
      "examples": [
        "blog.example.com"
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}