surge.sh is not vulnerable

[mzfr]

I am bit confused about how takeovers works

so If a website named sub.target.com is pointing toward thisisrandom.surge.sh then the way to takeover would be to register the thisisrandom.surge.sh domain, right?

If that is how it should be then it's not possible to takeover surge.sh subdomains. I don't think it's possible because when you go on to register a new project with a new subdomain it checks if that subdomain is registered by someone else or not. And if it then it give error

   Running as EMAIL-ID-HERE

        project: /my/project/path
         domain: thisisrandom.surge.sh

   Aborted - you do not have permission to publish to thisisrandom.surge.sh

Please let me know if I'm wrong and someone finds a way to take these over :)

[sec000]

Hey!! I just got the same scenario and this is still a takeover, you have to add a CNAME file in the same directory.
Resources:- https://surge.sh/help/adding-a-custom-domain

[mzfr]

@yashanand Can you please explain step by step? Like what all you did to takeover the subdomain.

[sec000]

Hey I follow the same steps which are given on the official website, if you have any doubt ping me on Twitter @yashanand155

[ceylanb]

Vulnerable if you see the following 404 page.