Gratipay: Sub Domain Takeover

ID H1:221133
Type hackerone
Reporter b3nac
Modified 2017-10-24T16:13:22


One of Gratipay's sub domains points to Heroku with no app created.


Gratipay's sub domain points to Heroku but is not in use.

Steps To Reproduce


  • Upon realization of vulnerability, installed and created a Heroku dependencies and application.

  • Added to my list of domains through Heroku CLI.

heroku domains:add

After verifying my Heroku account this was easy to point the sub domain to my application.

  • Uploaded my application with text "B3nac sub domain takeover POC." and refreshed the domain to find it pointed to my application successfully.


If the domain is not in use, then it is recommended to point the dns entry away from the third party program.

Supporting Material/References:

  • I've attached the uploaded takeover python application/website screenshot.