Heroku proofs #38
Comments
Official Heroku docs: https://devcenter.heroku.com/articles/custom-domains

Can someone clarify with *.herokudns.com right now? When I add a custom domain the DNS record is fully randomized. Something like larval-beet.y987yas98yd98ya9yhd.herokudns.com

@mshassy it is randomized now. Just confirmed it.

@dropocol Thanks a lot for the clarification. I was so lucky to do a takeover two days ago. Just found another one and BAM! They have put in mitigations. Good move by Heroku anyway.

@mshassy Correct me if I am wrong, but this means that the domain takeovers aren't possible any more?

@dropocol Technically you still can, if the domain admin decides to use *.herokuapp.com, which is not randomized yet. But both *.herokudns.com and *.herokussl.com are not vulnerable.

@mshassy What's the extent of this randomisation? These can often be defeated with a Python script if the randomisation is somewhat predictable / basic (Amazon ELBs being a good example of this).

@codingo 3 back-to-back instances where I tried to add the same domain. But it's strange that there is no info in their documentation about such a change. Btw this is off topic, but I would be glad if you could tell us more about the ELB brute forcing. Does it mean that ELB takeovers are possible? I'm not too sure about this statement.

The change was activated on the 16th of October and recorded in the Heroku changelog: https://devcenter.heroku.com/changelog-items/1488 The devcenter documentation has not been updated yet, but should be before too long.

If the company uses a wildcard *.domain.com then you cannot take it over because they "claim" all subdomains.

@codingo can you please elaborate more about Amazon's ELB CNAMEs being appended with a somewhat predictable integer? My trials with AWS's Load Balancer API seem to indicate uniformly distributed values.

@sagi these now look to be patched, but for a period of time you could brute force them. Example PoC from when it was working below:
Happy to elaborate further if you DM me on twitter.

@codingo Thanks!

Do you have any idea how to take over a subdomain with the following records

More proof about the edge case you can find on my blog

A CC is required to add a custom domain :/

Herokudns is not vulnerable anymore; the mentioned edge cases are also not working.

@rootkech can you please elaborate a little on why it is not vulnerable any more?

You don't have the option to choose custom subdomains anymore with herokudns.com

Adding to the post^, this only works with domains and not subdomains. -Open to corrections.

Heroku is not vulnerable any more :( https://devcenter.heroku.com/articles/error-codes#h31-misdirected-request H31 - Misdirected Request

Heroku is not vulnerable. Edge case only.

It looks like the scenario:
I took over For this case, I believe you need to have the root domain certificate associated with You can read more here in the Heroku documentation.

It seems Heroku turns out not to be vulnerable to takeovers anymore.

Can anyone clear this up: is herokudns.com still vulnerable to subdomain takeover?

If the vuln site is pointing to a CNAME, e.g. something-novalid.herokuapp.com, and we try to take over the app name "something-novalid", it is not possible because, I guess, it adds "something-novalid-12312ewdw.herokuapp.com" as the identifier according to https://devcenter.heroku.com/changelog-items/2640, which will not match something-novalid.herokuapp.com. Anyhow, how to perform a redirect from the vuln site www.example.com?
Service name

Heroku

Proof

Heroku has the same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomains respond with the same set of A records. The HTTP Host header matters for correct domain resolution (as in other providers). There is also the possibility to upload your own certificate in order to work on a custom domain as well (e.g. GitHub Pages doesn't support this, and thus you cannot have HTTPS enabled with a custom domain set).

Step-by-step:

To verify:

(there is an iFrame with the aforementioned URL present)

Documentation

There are three domains that Heroku uses:

At the moment, I can confirm only proper working on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated, however old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.
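The issue body explains that Heroku routes on the HTTP Host header and that several of its DNS suffixes are in play, and the comment thread adds that herokudns.com targets are now randomized while herokuapp.com names are not. The practical defender's task that follows from both is auditing one's own zone for CNAME records that point at a Heroku suffix whose target is gone or unclaimed. The script below is an added example written for this page; it is not code from the can-i-take-over-xyz project or from any commenter. The zone export, the resolver answers and the HTTP probe results are constructed inline so it runs offline; the "no such app" body marker and the regular expression for the randomized herokudns.com shape are assumptions drawn from the thread's quoted example, not documented Heroku behaviour, and should be confirmed against a test app of your own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Heroku-owned DNS suffixes named in the thread.
HEROKU_SUFFIXES = ("herokudns.com", "herokuapp.com", "herokussl.com")

# Shape of a randomized herokudns.com target as quoted in the thread,
# e.g. larval-beet.y987yas98yd98ya9yhd.herokudns.com. The minimum token
# length is an assumption, not a documented Heroku rule.
RANDOMIZED_HEROKUDNS = re.compile(r"^[a-z0-9-]+\.[a-z0-9]{12,}\.herokudns\.com$")

# Assumed body fingerprint of Heroku's page for an app name nobody owns;
# confirm it against a test app of your own before relying on it.
UNCLAIMED_MARKERS = ("no such app",)


@dataclass(frozen=True)
class Record:
    name: str    # hostname you control, e.g. www.example.com
    rtype: str   # DNS record type
    value: str   # record data (target hostname for CNAME/ALIAS)


def normalize(host: str) -> str:
    return host.rstrip(".").lower()


def heroku_suffix(target: str) -> Optional[str]:
    """Return the Heroku suffix a CNAME target falls under, or None."""
    t = normalize(target)
    for suffix in HEROKU_SUFFIXES:
        if t == suffix or t.endswith("." + suffix):
            return suffix
    return None


def classify(rec: Record, resolves: bool, probe: Optional[Tuple[int, str]]) -> str:
    """Label one record.

    resolves: True if the target still has address records (False on NXDOMAIN).
    probe:    (status, body) from an HTTPS request to the target sent with
              "Host: rec.name" (Heroku routes on the Host header), or None.
    """
    suffix = heroku_suffix(rec.value)
    if suffix is None:
        return "not-heroku"
    if not resolves:
        return "dangling-nxdomain"        # target is gone: delete the record
    if probe is not None:
        status, body = probe
        if status == 404 and any(m in body.lower() for m in UNCLAIMED_MARKERS):
            return "dangling-unclaimed"   # Heroku serves no app for this Host
    target = normalize(rec.value)
    if suffix == "herokudns.com" and not RANDOMIZED_HEROKUDNS.match(target):
        return "legacy-herokudns-target"  # pre-randomization naming: re-point it
    if suffix == "herokuapp.com":
        return "herokuapp-target"         # thread: these names are not randomized
    return "ok"


def audit(zone: List[Record], resolver: Dict[str, bool],
          probes: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Classify every CNAME/ALIAS record in a zone export."""
    report = {}
    for rec in zone:
        if rec.rtype.upper() not in ("CNAME", "ALIAS"):
            continue
        resolves = resolver.get(normalize(rec.value), False)
        report[rec.name] = classify(rec, resolves, probes.get(rec.name))
    return report


# Constructed sample zone, resolver answers and probe results (not real hosts).
SAMPLE_ZONE = [
    Record("www.example.com", "CNAME", "larval-beet.y987yas98yd98ya9yhd.herokudns.com."),
    Record("blog.example.com", "CNAME", "blog-example.herokudns.com."),
    Record("old.example.com", "CNAME", "old-example-app.herokuapp.com."),
    Record("shop.example.com", "CNAME", "shop.example.com.herokudns.com."),
    Record("mail.example.com", "MX", "10 mx.example.com."),
]
SAMPLE_RESOLVER = {
    "larval-beet.y987yas98yd98ya9yhd.herokudns.com": True,
    "blog-example.herokudns.com": False,   # NXDOMAIN
    "old-example-app.herokuapp.com": True,
    "shop.example.com.herokudns.com": True,
}
SAMPLE_PROBES = {
    "www.example.com": (200, "<html>welcome</html>"),
    "old.example.com": (404, "<title>No such app</title>"),
    "shop.example.com": (200, "<html>shop</html>"),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ZONE, SAMPLE_RESOLVER, SAMPLE_PROBES).items():
        print(f"{name:20s} {status}")
```

In real use the two dictionaries would be filled by resolving each target and by requesting the target with the owned hostname in the Host header, for hostnames in zones you administer; anything labelled dangling should be removed from DNS or re-pointed before it is noticed by someone else.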