Update 10-Test_for_Subdomain_Takeover.md

document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover.md

@@ -11,29 +11,29 @@ A successful exploitation of this kind of vulnerability allows an adversary to c
 1. The victim's external DNS server subdomain record is configured to point to a non-existing or non-active resource/external service/endpoint. The proliferation of XaaS (Anything as a Service) products and public cloud services offer a lot of potential targets to consider.
 2. The service provider hosting the resource/external service/endpoint does not handle subdomain ownership verification properly.
 
-If the subdomain takeover is successful, a wide variety of attacks are possible (serving malicious content, phishing, stealing user session cookies, credentials, etc.). This vulnerability could be exploited for a wide variety of DNS resource records including: `A`, `CNAME`, `MX`, `NS`, `TXT` etc. In terms of the attack severity an `NS` subdomain takeover (although less likely) has the highest impact because a successful attack could result in full control over the whole DNS zone and the victim's domain.
+If the subdomain takeover is successful, a wide variety of attacks are possible (serving malicious content, phishing, stealing user session cookies, credentials, etc.). This vulnerability could be exploited for a wide variety of DNS resource records including: `A`, `CNAME`, `MX`, `NS`, `TXT` etc. In terms of the attack severity, an `NS` subdomain takeover (although less likely) has the highest impact, because a successful attack could result in full control over the whole DNS zone and the victim's domain.
 
 ### GitHub
 
 1. The victim (victim.com) uses GitHub for development and configured a DNS record (`coderepo.victim.com`) to access it.
 2. The victim decides to migrate their code repository from GitHub to a commercial platform and does not remove `coderepo.victim.com` from their DNS server.
-3. An adversary finds out that `coderepo.victim.com` is hosted on GitHub and uses GitHub Pages to claim `coderepo.victim.com` using their GitHub account.
+3. An adversary discovers that `coderepo.victim.com` is hosted on GitHub and claims it using GitHub Pages and their own GitHub account.
 
 ### Expired Domain
 
 1. The victim (victim.com) owns another domain (victimotherdomain.com) and uses a CNAME record (www) to reference the other domain (`www.victim.com` --> `victimotherdomain.com`)
-2. At some point, victimotherdomain.com expires and is available for registration by anyone. Since the CNAME record is not deleted from the victim.com DNS zone, anyone who registers `victimotherdomain.com` has full control over `www.victim.com` until the DNS record is present.
+2. At some point, victimotherdomain.com expires, becoming available for registration by anyone. Since the CNAME record is not deleted from the victim.com DNS zone, anyone who registers `victimotherdomain.com` has full control over `www.victim.com` until the DNS record is removed or updated.
 
 ## Test Objectives
 
 - Enumerate all possible domains (previous and current).
-- Identify forgotten or misconfigured domains.
+- Identify any forgotten or misconfigured domains.
 
 ## How to Test
 
 ### Black-Box Testing
 
-The first step is to enumerate the victim DNS servers and resource records. There are multiple ways to accomplish this task, for example DNS enumeration using a list of common subdomains dictionary, DNS brute force or using web search engines and other OSINT data sources.
+The first step is to enumerate the victim DNS servers and resource records. There are multiple ways to accomplish this task; for example, DNS enumeration using a list of common subdomains dictionary, DNS brute force or using web search engines and other OSINT data sources.
 
 Using the dig command the tester looks for the following DNS server response messages that warrant further investigation:
 
@@ -96,17 +96,17 @@ ns1.victim.com
 nameserver.expireddomain.com
 ```
 
-In this fictious example the tester checks if the domain `expireddomain.com` is active with a domain registrar search. If the domain is available for purchase the subdomain is vulnerable.
+In this fictitious example, the tester checks if the domain `expireddomain.com` is active with a domain registrar search. If the domain is available for purchase the subdomain is vulnerable.
 
 The following DNS responses warrant further investigation: `SERVFAIL` or `REFUSED`.
 
 ### Gray-Box Testing
 
-The tester has the DNS zone file available which means DNS enumeration is not necessary. The testing methodology is the same.
+The tester has the DNS zone file available, which means DNS enumeration is not necessary. The testing methodology is the same.
 
 ## Remediation
 
-To mitigate the risk of subdomain takeover the vulnerable DNS resource record(s) should be removed from the DNS zone. Continuous monitoring and periodic checks are recommended as best practice.
+To mitigate the risk of subdomain takeover, the vulnerable DNS resource record(s) should be removed from the DNS zone. Continuous monitoring and periodic checks are recommended as best practice.
 
 ## Tools