Still exists! Subdomain takeover via

3 min readAug 30


Yes it Still exists, although I just found a reference even though it has been around since 2018. but until now when I tried it it was still vulnerable!

Photo by Azamat E on Unsplash


I am Hasyim, Founder of (Vulnerability Management From Nuclei CLI)

Before going into further discussion, why does subdomain takeover happen?

In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More


I have prepared a target list to find which subdomain has the cname “” as for the command, I only use the httpx tool.

root@kresec:~# cat surge |httpx -silent -cname -sc -title -mc 404 [404] [project not found] [] [404] [project not found] [] [404] [project not found] []
root@kresec:~# dig | grep CNAME 0 IN CNAME
Image 2. if vuln

Vulnerable identification

With the httpx output above I did some identification to find out which ones are really vulnerable to takeover. after doing various experiments i concluded for the vulnerable :
— Body & Title : project not found
— Status code : 404
— Connected to this cname :
— And Luck 💀 Because even though the characteristics are exactly the same as above, sometimes there are things that cannot be taken over.

How to Custom domain

Well, besides you can see directly how to custom domain from the official article, you can follow my explanation below :

Make sure you have installed surge in your terminal, if not:

npm install --global surge

After success, now create a directory anywhere and also make the contents index.html free, if I like below

root@kresec:~/surge# pwd
root@kresec:~/surge# ls
root@kresec:~/surge# cat index.html
<title>Subdomain takeover by</title>
Subdomain takeover by

Then still in the same directory run the surge command, it will bring up the input email & password (if it’s the first time), you can also just fill in a dummy email.

Image 3. success published

Successful takeover

Finally, the subdomain should look like Image 4 below once it has been successfully taken over.

Image 4. takeover



Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community




Random post about web security & Ngoding