Service name

Heroku

Proof

Heroku has same virtual hosting concept as other cloud providers. Various *.herokudns.com subdomain respond with the same set of A records. HTTP Host matters for correct domain resolution (as in other providers). There is also an possibility to upload own certificate in order to work on custom domain as well (e.g. GitHub Pages doesn't support this and thus you cannot have HTTPS enabled with custom domain set).

Step-by-step:

1. Open new Heroku app.
2. Choose name and region (no effect on takeover).
3. Push PoC application using git to Heroku. The process is described in Deploy tab.
4. Switch to Settings tab.
5. Scroll to Domains and certificates.
6. Click Add domain.
7. Provide the domain name you want to takeover, click Save changes.
8. It might take some time for settings to propagate.

To verify:

http -b GET http://{DOMAIN NAME} | grep -F -q "//www.herokucdn.com/error-pages/no-such-app.html" && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

(there is an iFrame with aforementioned URL present)

Documentation

There are three domains that Heroku uses:

• *.herokudns.com
• *.herokuapp.com
• *.herokussl.com

At the moment, I can confirm only proper working on herokudns.com. IIRC, herokuapp.com is a domain that was used prior and is now deprecated, however old DNS records still work. I would like to hear more in comments from somebody who has experience with the remaining two.

Official Heroku docs: https://devcenter.heroku.com/articles/custom-domains

Can someone clarify with *.herokudns.com right now? When I add a custom domain the DNS record is fully randomized. Something like larval-beet.y987yas98yd98ya9yhd.herokudns.com
It used to be www.domain.com.herokudns.com like 2 days ago
@PatrikHudak @EdOverflow

@mshassy it is randomized now. Just confirmed it.

@dropocol Thanks a lot for the clarification. I was soo lucky to do a takeover two days. Just found another one and BAM! they have put mitigations. Good move by Heroku anyway.

@mshassy Correct me if I am wrong but this means that the domain takeovers aren't possible any more?

@dropocol Technically you still can. If the domain admin decides to use *.herokuapp.com which is not randomized yet. But both *.herokudns.com and *.herokussl.com are not vulnerable.

@mshassy What's the extent of this randomisation? These can often be defeated with a python script if the randomisation is somewhat predictable / basic (Amazon ELB's being a good example of this).

@codingo
oncave-bastion-olhqn7oqox74kixnwxpsyxkv.herokudns.com
introductory-chimpanzee-vpgvjaxri1ntnuoda6f03jqy.herokudns.com
fundamental-meerkat-dzdijagwzkou8z2ansfnmpsk.herokudns.com

3 back to back instances where I tried to add the same domain.
Now it's fully randomized as you can see. I'm not sure whether it's possible to brute force such.

But it's strange that there is no info in their documentation about such change.
https://devcenter.heroku.com/articles/custom-domains
https://help.heroku.com/VKRNVVF5/what-is-the-correct-dns-cname-target-for-my-custom-domains

Btw this is off topic but I would be glad if you could tell us more about the ELB brute forcing. Does it mean that ELB takeovers are possible? I'm not too sure about this statement.

The change was activated on the 16th of October and recorded in the Heroku changelog: https://devcenter.heroku.com/changelog-items/1488

The devcenter documentation has not been updated yet, but should be before too long.

If the company uses wild card ".domain.com then you cannot take it over because they "claim" all subdomains

@codingo can you please elaborate more about Amazon's ELB's cnames are appended a somewhat predictable integer? My trials with AWS's Load Balancer API seem to indicate uniformly distributed values.

@sagi these now look to be patched but for a period of time you could brute force them. Example PoC from when it was working below:

import boto3
import argparse
import time
client = boto3.client('elb', 'eu-central-1')



def takeover(elb,dns,flag):
    while (flag):
        time.sleep(2)
        response = client.create_load_balancer(
            Listeners=[
            {
                'InstancePort': 80,
                'InstanceProtocol': 'HTTP',
                'LoadBalancerPort': 80,
                'Protocol': 'HTTP',
            },
            ],
            LoadBalancerName=elb,
            SecurityGroups=[
               'sg-ead50686',
            ],
            Subnets=[
               'subnet-e7a9559c',
            ],
            )

        print(response['DNSName'])
        if response['DNSName'] == dns :
            flag=0
            print "DOMAIN TAKEN OVER"
            exit (0)
        else:
            response = client.delete_load_balancer(
                 LoadBalancerName=elb
               )


def main():
    parser = argparse.ArgumentParser(description='This script is for taking over ELB-SUBDOMAINS specifically eu-central-1')
    parser.add_argument('-elb', '--load_balancer', required=True)
    parser.add_argument('-dns', '--domain_name', required=True)
    args = parser.parse_args()
    takeover(args.load_balancer, args.domain_name,1)


if __name__ == '__main__':
    main()

Happy to elaborate further if you DM me on twitter.

@codingo Thanks!

Do you have any idea how to takeover subdomain with the following records
Status : NXDOMAIN
CNAME : something.herokussl.com ?

More Prove about Edge case you can find it on my blog
https://www.mohamedharon.com/2019/04/herokudns-still-vulnerable.html

CC is required to added customer domain :/

Herokudns is not vulnerable anymore, the mentioned edge cases are also not working.

@rootkech can you please elaborate a little why it is not vulnerable any more?
Also, have you checked all the heroku domains? herokuapp.com, herokudns.com and herokussl.com

@rootkech can you please elaborate a little why it is not vulnerable any more?
Also, have you checked all the heroku domains? herokuapp.com, herokudns.com and herokussl.com

You don't have the option to choose custom subdomains anymore with herokudns.com

Adding to the post^, this only works with domains and not subdomains.

-Open to corrections.

Heroku is not vulnerable any more :(

https://devcenter.heroku.com/articles/error-codes#h31-misdirected-request

H31 - Misdirected Request
The client sent a request to the wrong endpoint. This could be because the client used stale DNS information or is accessing the app through a CDN that has stale DNS information. Verify that DNS is correctly configured for your app. If a CDN is configured for the app, consider contacting your CDN provider.

Heroku is not vulnerable

Edge Case Only

It looks like *.herokuapp.com is not vulnerable anymore.

The scenario:

dig -t CNAME x.vulnerable.com

[...]

;; ANSWER SECTION:
x.vulnerable.com. 142 IN  CNAME   x.vulnerable.herokuapp.com.

I took over x.vulnerable.herokuapp.com. However, when navigating to x.vulnerable.com, the HTTP Host header would be set to x.vulnerable.com. Heroku would then route to request to the Application Error page. However, when sending the request with the HTTP Host header set to x.vulnerable.herokuapp.com, Heroku successfully re-routed the request to my app. Both requests were sent to x.vulnerable.com.

For this case, I believe you need to have the root domain certificate associated with *.vulnerableapp.com to make Heroku successfully route the request which the attacker would not have access to.

You can read more here in the Heroku documentation.

What is the solution next?
Plz help me.

The subdomain is under herokuspace.com

https://medium.com/@neverl0gbughunt/how-i-found-subdomain-takeover-on-red-bull-57540158a18

Is it still vulnerable after this update?

It seems Heroku turns out Non Vulnerable for takeovers anymore

• Reference : https://devcenter.heroku.com/changelog-items/2640

Can anyone clear this herokudns.com is still vulnerable for subdomain takeover