Subdomain Takeover Tip

This tip is for users who want to learn how to actually demo to a company how someone could misuse a Heroku domain takeover. I found this again inside one of the settings of a company's domain I just reported.

You will typically see this when running aquatone-takeover:

Potential domain takeover detected!
Host...........: test.target-site.com
Service........: Heroku
Service website: https://www.heroku.com/
Resource.......: CNAME tango_down.herokuapp.com

The relevant Heroku docs are here:

https://devcenter.heroku.com/articles/maintenance-mode

Customizing your maintenance page

You can specify a custom maintenance page for your app by setting the following config var:

heroku config:set MAINTENANCE_PAGE_URL=//s3.amazonaws.com//your_maintenance_page.html

This will let you turn maintenance mode on for the app you claimed the domain for and serve a static page. If you are trying to demo impact to a company, this is where someone could be phished. If there was a question about severity, this will take the report up a bit, to where you may land a bounty like this:

https://hackerone.com/reports/275714
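The defender-side version of the aquatone finding above, as an added example that is not part of the original post: the takeover condition is simply "a CNAME points at a Heroku app label that nobody in the org actually owns". The zone records and app inventory below are constructed sample data; a real run would export them from the DNS provider and the Heroku dashboard.

```python
from typing import Dict, List, Optional, Set, Tuple

HEROKU_SUFFIX = ".herokuapp.com"

# Constructed sample zone export (host -> CNAME target); not real records.
# The first entry mirrors the aquatone output quoted in the tip.
SAMPLE_CNAMES: Dict[str, str] = {
    "test.target-site.com": "tango_down.herokuapp.com",
    "www.target-site.com": "prod-site.herokuapp.com",
    "blog.target-site.com": "ghost-blog.example.net",
    "old.target-site.com": "legacy-app.herokuapp.com.",  # trailing dot as in a zone file
}

# Constructed inventory of Heroku apps the organisation controls.
OWNED_HEROKU_APPS: Set[str] = {"prod-site"}


def heroku_app_name(cname: str) -> Optional[str]:
    """Return the Heroku app label if the CNAME target is <label>.herokuapp.com, else None."""
    target = cname.rstrip(".").lower()
    if target.endswith(HEROKU_SUFFIX):
        return target[: -len(HEROKU_SUFFIX)]
    return None


def audit_dangling_heroku(
    cnames: Dict[str, str], owned_apps: Set[str]
) -> List[Tuple[str, str, str]]:
    """Flag (host, target, app) where the CNAME names a Heroku app label we do not own.

    Such a record is exactly the 'Potential domain takeover' case aquatone reports:
    anyone who registers that app name on Heroku gets to answer for our hostname.
    """
    findings = []
    for host, target in cnames.items():
        app = heroku_app_name(target)
        if app is None:
            continue  # not a Heroku target; out of scope for this check
        if app not in owned_apps:
            findings.append((host, target, app))
    return findings


def remediation_records(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Zone changes to apply: delete each dangling CNAME (or re-point it to an app we own)."""
    return [f"DELETE CNAME {host} -> {target}" for host, target, _ in findings]


if __name__ == "__main__":
    for line in remediation_records(audit_dangling_heroku(SAMPLE_CNAMES, OWNED_HEROKU_APPS)):
        print(line)
```

Run it against a fresh DNS export on a schedule; the records it prints are the ones to remove before anyone else claims the app name.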

Give it a try. I do not want to spoil things for you; get a Heroku account and go get yourselves some bounties!

I have never been paid for this and wish I had found the Starbucks one first, lol.
But either way it's a cool trick to actually host a page via a Heroku domain takeover:

http://wabefet.mystaticpage.com/

This is typically what I will demo to show a person it's vulnerable; you can set that through MAINTENANCE_PAGE_URL as I showed above.

I recommend only showing the page after asking; although not illegal, it could pose a copyright issue if you squat on a domain belonging to another.
