Hey guys,

So recently I got a bit bored and decided to look around 000webhost to see what potential vulnerabilities I could find. So I started up SubBrute to get some subdomains when I noticed this output:

www.000webhost.com,CNAME,saitama-9705.herokussl.com.
members.000webhost.com,CNAME,saitama-9705.herokussl.com.
new.000webhost.com,CNAME,saitama-9705.herokussl.com.
affiliates.000webhost.com,CNAME,saitama-9705.herokussl.com.

So obviously out of sheer curiosity I visit saitama-9705.herokussl.com

"Heroku | No such app"

"There is no app configured at that hostname."

So I decided to dig around (pun intended)

dig ns www.000webhost.com

[+] RESULTS [+]

;; ANSWER SECTION:
www.000webhost.com.    568    IN    CNAME    saitama-9705.herokussl.com.
saitama-9705.herokussl.com. 405    IN    CNAME    elb074996-249621923.us-east-1.elb.amazonaws.com.

dig ns members.000webhost.com

[+] RESULTS [+]

;; ANSWER SECTION:
members.000webhost.com.    600    IN    CNAME    saitama-9705.herokussl.com.
saitama-9705.herokussl.com. 333    IN    CNAME    elb074996-249621923.us-east-1.elb.amazonaws.com.

dig ns affiliates.000webhost.com

[+] RESULTS [+]

;; ANSWER SECTION:
affiliates.000webhost.com. 14400 IN    CNAME    saitama-9705.herokussl.com.
saitama-9705.herokussl.com. 202    IN    CNAME    elb074996-249621923.us-east-1.elb.amazonaws.com.

Um, I'm not 100% sure, but can't a misconfigured CNAME lead to DNS Hijacking, which could lead to many, many other possibilities...?
I registered http://saitama-9705.herokuapp.com; however, I don't have money to pay for the SSL and haven't looked into it that much since I've never used Heroku before.

I'm not super familiar with DNS Hijacking, but can't a misconfigured CNAME lead to it?
What do you guys think?

Thanks,

@CrazedSec

# siph0n [2016-05-14]
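
Added example, not part of the original post: a check a zone owner could run over their own records to find CNAMEs that point at a third-party hostname nobody has claimed, which is the condition described above. The hostnames, the UNCLAIMED table, and the SAMPLE and BODIES inputs are constructed for illustration; only the "no app configured" text is taken from the post.

```python
import re
from collections import defaultdict

# Assumption: provider suffix -> text served for an unclaimed hostname.
# The Heroku text is the one quoted in the post; extend for providers you use.
UNCLAIMED = {".herokussl.com": "There is no app configured at that hostname"}
CSV_RE = re.compile(r"^(\S+?),(\w+),(\S+)$")                # SubBrute: name,TYPE,value
DIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\w+)\s+(\S+)$")  # dig: name TTL IN TYPE value

# Constructed sample input in the two formats shown in the post.
SAMPLE = """\
www.example.test,CNAME,app-1234.herokussl.com.
members.example.test,CNAME,app-1234.herokussl.com.
shop.example.test,CNAME,shop-5678.herokussl.com.
mail.example.test,A,192.0.2.10
;; ANSWER SECTION:
www.example.test.    568    IN    CNAME    app-1234.herokussl.com.
app-1234.herokussl.com. 405    IN    CNAME    elb-0.us-east-1.elb.amazonaws.com.
"""
# Constructed HTTP bodies, as the zone owner would collect them per target.
BODIES = {
    "app-1234.herokussl.com": "Heroku | No such app\nThere is no app configured at that hostname.",
    "shop-5678.herokussl.com": "<html>Welcome to the shop</html>",
}

def parse_records(text):
    """Return (name, TYPE, value) tuples; lines in neither format are skipped."""
    out = []
    for line in map(str.strip, text.splitlines()):
        m = CSV_RE.match(line) or DIG_RE.match(line)
        if m:
            name, rtype, value = (g.rstrip(".").lower() for g in m.groups())
            out.append((name, rtype.upper(), value))
    return out

def audit(records, bodies):
    """Group CNAMEs by third-party target and flag targets that look unclaimed."""
    by_target = defaultdict(set)
    for name, rtype, value in records:
        if rtype == "CNAME" and any(value.endswith(s) for s in UNCLAIMED):
            by_target[value].add(name)
    findings = []
    for target, names in sorted(by_target.items()):
        marker = next(m for s, m in UNCLAIMED.items() if target.endswith(s))
        status = "DANGLING" if marker in bodies.get(target, "") else "claimed-or-unknown"
        findings.append((target, status, sorted(names)))
    return findings

if __name__ == "__main__":
    print(audit(parse_records(SAMPLE), BODIES))
```

A DANGLING result means the record should be removed or the target re-claimed by the zone owner; several names sharing one target, as in the post, are all fixed by the same change.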