Heroku Subdomain Takeover
Hello everyone, in this blog post, I would like to discuss the Subdomain Takeover vulnerability I discovered.
What is Subdomain Takeover?
A Subdomain Takeover is a web security vulnerability that occurs when a subdomain of a website points to a third-party service (e.g., AWS, GitHub Pages, Heroku) but the resource it points to has been deleted or is no longer in use. An attacker can claim the dangling resource and take control of the subdomain, potentially impersonating the legitimate domain.
This attack is dangerous because it allows attackers to exploit trust in the main domain, host malicious content, or even launch phishing attacks.
I was hunting in a VDP program on HackerOne, and since it was a wide-scope program, I collected all the subdomains I could find and saved them as hosts.txt.
Then I started testing subdomain takeover using nuclei with the following command:
nuclei -l hosts.txt -t subdomain-takeover_detect-all-takeovers.yaml
(You can access the .yaml file from this article:
https://xsametyigit.medium.com/nuclei-subdomain-takeover-250a91ebf55c)
The nuclei output then indicated the possibility of a takeover for the heroku provider in a subdomain.
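From the defending side, the same condition can be audited without any fingerprinting: every name in your zone that CNAMEs to Heroku should appear in the custom-domain list of an app you control (the list the "add domain" settings page maintains, exportable with "heroku domains"). The following Python audit is an added example and is not from the original post; the Heroku DNS suffixes, the one-label wildcard rule and the sample records are assumptions constructed for illustration.

```python
"""Flag zone names that point at Heroku but are not claimed by any app you own."""
from typing import Dict, Iterable, List

# Assumption: suffixes Heroku hands out as CNAME targets for apps and custom domains.
HEROKU_SUFFIXES = ("herokuapp.com", "herokudns.com")


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so records compare cleanly."""
    return name.strip().lower().rstrip(".")


def points_to_heroku(cname_target: str) -> bool:
    """True if the CNAME target is a Heroku-operated name."""
    target = normalise(cname_target)
    return any(target == s or target.endswith("." + s) for s in HEROKU_SUFFIXES)


def covered_by(host: str, registered: Iterable[str]) -> bool:
    """True if `host` is claimed by an exact domain or a wildcard (*.parent) you registered.
    Assumption: a wildcard covers exactly one extra label, as *.target.com covers api.target.com."""
    for entry in (normalise(r) for r in registered):
        if entry.startswith("*."):
            parent = entry[2:]
            if host.endswith("." + parent) and "." not in host[: -len(parent) - 1]:
                return True
        elif host == entry:
            return True
    return False


def find_unclaimed(cnames: Dict[str, str], registered: Iterable[str]) -> List[str]:
    """Return Heroku-pointed hosts that no registered custom domain accounts for."""
    registered = list(registered)
    unclaimed = [
        normalise(host)
        for host, target in cnames.items()
        if points_to_heroku(target) and not covered_by(normalise(host), registered)
    ]
    return sorted(unclaimed)


# Constructed sample zone data and a constructed "heroku domains" export for two apps.
SAMPLE_CNAMES = {
    "shop.example.com.": "shop-prod.herokuapp.com.",        # claimed: exact match
    "old-promo.example.com": "polar-lake-1234.herokudns.com",  # app deleted, record left behind
    "beta.example.com": "Beta-App.HerokuApp.COM.",            # case/dot noise, still unclaimed
    "www.example.com": "example.github.io",                   # not Heroku, ignored here
    "api.dev.example.com": "api-dev.herokudns.com",           # claimed via *.dev.example.com
}
REGISTERED = ["shop.example.com", "*.dev.example.com"]

if __name__ == "__main__":
    for host in find_unclaimed(SAMPLE_CNAMES, REGISTERED):
        print("dangling Heroku CNAME:", host)
```

Names it prints are the ones to delete from the zone or re-register on an app you own, before anyone else adds them in the Heroku settings page.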
I visited the link and a page like the one below opened.
Then I looked at the domain with the "nslookup target.com" command. After that I went to Heroku, created a new application, and in the add domain section (Settings → Add domain) I added the target.com and *.target.com domains.
I opened my terminal, downloaded and installed the Heroku CLI, and typed the command "heroku login".
A browser page popped up, and after I logged in there, the terminal confirmed that I had logged in successfully.
(Here you can also connect to github and deploy your repo, but I tried this and got a few errors so I wanted to try a different way.)
I listed my apps with the "heroku apps" command and my target app was available. If it is not, you can create it with "heroku create <app-name>".
Creating Required Files
Create a folder called views and add index.ejs to it:
mkdir views
touch views/index.ejs
Then paste the following content into the index.ejs file:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Subdomain</title>
<!-- CSS -->
<link href="//maxcdn.bootstrapcdn.com/bootswatch/3.2.0/superhero/bootstrap.min.css" rel="stylesheet">
<link rel="stylesheet" href="/css/style.css">
</head>
<body>
<div class="container">
<div class="jumbotron">
<h1>Subdomain Takeover by elcezeri</h1>
</div>
</div>
</body>
</html>
Creating a CSS File
Create a folder called public/css and add a style.css file in it:
mkdir -p public/css
touch public/css/style.css
(You can leave the CSS file empty or add basic styles.)
Creating a package.json File
npm init -y
Installing Express
npm install express ejs
Creating a Server File
Create a server.js file in the project directory:
touch server.js
Add the following code into the server.js file:
const express = require('express');
const path = require('path');
const app = express();
const port = process.env.PORT || 3000;
// Serve static files (the CSS above) from the public/ directory
app.use(express.static(path.join(__dirname, 'public')));
// Use EJS as the view engine; templates are read from views/
app.set('view engine', 'ejs');
// Home route
app.get('/', (req, res) => {
res.render('index');
});
app.listen(port, () => {
console.log(`Application running at http://localhost:${port}.`);
});
Create Procfile
Create a Procfile to tell Heroku how to launch your application:
echo "web: node server.js" > Procfile
Track Your App with Git
git init
git add .
git commit -m "First commit Subdomain Takeover"
Add the Heroku remote repository (this step is done automatically, but check to make sure):
heroku git:remote -a <app-name>
Submit App to Heroku
git push heroku master
And finally, open the app in the browser.
Good reading for everyone, stay healthy.