Subdomain Takeovers: Heroku

Heroku subdomain takeovers are possible for herokuapp.com CNAMEs. They can be identified by the ‘No such app’ page and a CNAME in dig that points to .herokuapp.com:

;; ANSWER SECTION:
subexample.example.com. 3600 IN      CNAME   subexample.herokuapp.com.

This is an indication that the company has a dangling CNAME record pointing to an unclaimed Heroku app which we might be able to take over.
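From the zone owner's side, the same two indicators can be checked across a whole zone export to find records that should be removed. The script below is an added example, not code from the original post; the function names, the plain-HTTP fetch and the sample zone are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request

# Matches CNAME lines as printed by dig or found in a zone export.
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)
MARKER = "no such app"  # text of the Heroku error page named in the article

def heroku_cnames(zone_text):
    """Return (hostname, target) pairs whose CNAME target is under herokuapp.com."""
    pairs = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            host, target = (s.rstrip(".").lower() for s in m.groups())
            if target.endswith(".herokuapp.com"):
                pairs.append((host, target))
    return pairs

def fetch_body(host, timeout=5):
    """Fetch http://host/ and return the body, including error-page bodies."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            return r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # error responses still carry a body
        return e.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""

def audit(zone_text, fetch=fetch_body):
    """Return hostnames from our own zone that look like dangling Heroku CNAMEs."""
    return [host for host, _ in heroku_cnames(zone_text)
            if MARKER in fetch(host).lower()]

# Constructed sample zone data (not real records).
SAMPLE_ZONE = """\
;; ANSWER SECTION:
subexample.example.com. 3600 IN      CNAME   subexample.herokuapp.com.
shop.example.com.       3600 IN      CNAME   shop-prod.herokuapp.com.
www.example.com.        3600 IN      CNAME   cdn.example.net.
"""

if __name__ == "__main__":
    # Offline demo: a stub stands in for the HTTP fetch.
    stub = {"subexample.example.com": "<html>No such app</html>"}
    print(audit(SAMPLE_ZONE, fetch=lambda h: stub.get(h, "<html>ok</html>")))
```

Any hostname this reports should have its CNAME deleted or repointed at an app the organisation still owns.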

To manually create the Heroku app, go to your Heroku dashboard and click ‘Create new app’. For the name, use the CNAME found in dig without the .herokuapp.com part (subexample, going with the above example).

If it says ‘subexample is available’, great, you can take it over! However, if it’s already registered by someone else, it’ll say ‘subexample is not available’ and there’s not much you can do.

If you were able to claim the app name, create the app, go to Settings and scroll down to Domains. Here we want to put in the subdomain we are taking over by clicking ‘Add domain’ and pasting the company’s whole subdomain name from above.

Now all you need to do is upload your takeover Proof of Concept to your new Heroku app. The easiest way to do this is via the Heroku client which you can run in the Linux terminal. Create your PoC in a new folder and then run these commands:

cd pathtoyourpoc/
heroku login
git init
git add .
git commit -m 'Takeover PoC'
heroku git:remote -a subexample
git push heroku master

All of the above procedure is very easy to automate by using the Heroku API (documentation).
