EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

surge.sh is not vulnerable #198

Open mzfr opened 3 years ago

mzfr commented 3 years ago

I am a bit confused about how takeovers work.

So if a website named sub.target.com is pointing toward thisisrandom.surge.sh, then the way to take it over would be to register the thisisrandom.surge.sh domain, right?

If that is how it should be, then it's not possible to take over surge.sh subdomains. I don't think it's possible because when you go to register a new project with a new subdomain, it checks whether that subdomain is registered by someone else or not. And if it is, then it gives an error:

   Running as EMAIL-ID-HERE

        project: /my/project/path
         domain: thisisrandom.surge.sh

   Aborted - you do not have permission to publish to thisisrandom.surge.sh


Please let me know if I'm wrong and someone finds a way to take these over :)

sec000 commented 3 years ago

Hey!! I just got the same scenario and this is still a takeover; you have to add a CNAME file in the same directory. Resources: https://surge.sh/help/adding-a-custom-domain

mzfr commented 3 years ago

@yashanand Can you please explain step by step? Like, what all did you do to take over the subdomain?

sec000 commented 3 years ago

Hey, I follow the same steps which are given on the official website. If you have any doubt, ping me on Twitter @yashanand155
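
For zone owners reading this thread, an added example (not part of the thread or of the can-i-take-over-xyz repository): a Python audit that lists hostnames in your own zone that CNAME to surge.sh but are not named in the CNAME file of any project you still publish. The zone text, hostnames and the `unclaimed_surge_hosts` helper are constructed for illustration, and it assumes each project's CNAME file holds a single hostname.

```python
import re

# Constructed sample zone (BIND style); hostnames are illustrative only.
SAMPLE_ZONE = """\
$ORIGIN target.com.
www   300 IN CNAME target-www.surge.sh.   ; still published
sub   300 IN CNAME thisisrandom.surge.sh. ; project was torn down
docs  300 IN CNAME docs-site.surge.sh.
blog  300 IN CNAME blog.example.net.
mail  300 IN A     192.0.2.10
"""
# Constructed: contents of the CNAME files in projects the team still deploys.
SAMPLE_CNAME_FILES = ["www.target.com\n", "DOCS.target.com"]

def _norm(name):
    return name.strip().rstrip(".").lower()

def _fqdn(name, origin):
    if name == "@":
        return origin
    return _norm(name) if name.endswith(".") else _norm(f"{name}.{origin}")

def parse_cnames(zone_text):
    """Return (owner, target) pairs for CNAME records with an explicit owner."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = _norm(line.split()[1])
            continue
        m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", line, re.I)
        if m:
            records.append((_fqdn(m.group(1), origin), _fqdn(m.group(2), origin)))
    return records

def points_at_surge(target):
    return target == "surge.sh" or target.endswith(".surge.sh")

def unclaimed_surge_hosts(zone_text, cname_files):
    """Hosts that CNAME to surge.sh but appear in none of our CNAME files."""
    claimed = {_norm(c) for c in cname_files}
    return sorted(owner for owner, target in parse_cnames(zone_text)
                  if points_at_surge(target) and owner not in claimed)

if __name__ == "__main__":
    for host in unclaimed_surge_hosts(SAMPLE_ZONE, SAMPLE_CNAME_FILES):
        print(f"review or remove DNS record: {host}")
```

Records it reports are candidates for removal or for re-pointing at a project you control; records that inherit their owner name from a previous line are not parsed by this sketch.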