Devs and security researchers out there!!
I had a doubt regarding subdomain takeover vulnerability.

How to find where a site is hosted on heroku or AWS or heroku or more?

I was trying to write a script for it.

Any expertise will be welcomed.

You could do ip lookups or another means is SSL cert checks to return the provider by parsing the certificate details.

AWS and I'm pretty sure heroku issue their own certs.

Normally your best bet at least for AWS is to query their json list of IP Address space and just see if it's in that range. You could also check to see if the original hostname was made public (new hostname would be an A record, which can be found with a whois dns query), for instance ec2's have the phrase "ec2" by default in their hostname provisioned by amazon.

You might also be able to see who the autoritative response came from. If it came from Amazon DNS servers or Heroku, chances are its theirs.

Does that help?