[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 10 Jun 2015 13:59:34 +0200
Document Title:
===============
Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1323
Video: http://www.vulnerability-lab.com/get_content.php?id=1336
Vulnerability Magazine:
http://magazine.vulnerability-db.com/?q=articles/2015/06/09/heroku-bug-bounty-2015-api-re-auth-session-token-bypass-vulnerability
Release Date:
=============
2015-06-09
Vulnerability Laboratory ID (VL-ID):
====================================
1323
Common Vulnerability Scoring System:
====================================
6.1
Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt
the right technologies for your project.
Build modern, maintainable apps and instantly extend them with functionality
from hundreds of cloud services providers
without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them
together in an experience built and
designed for developers. Scale your application by moving a slider and upgrade
your database in a few simple steps.
Whether your growth happens over the year or overnight, you can grow on demand
to capture opportunity.
Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of
building and deploying web apps. Our service
lets app developers spend their time on their application code, not managing
servers, deployment, ongoing operations, or scaling.
Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.
(Copy of the Vendor Homepage: https://www.heroku.com/home )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a application-side
session validation vulnerability in the official Heroku API and web-application.
Vulnerability Disclosure Timeline:
==================================
2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program)
2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty
Program)
2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team)
2015-06-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Heroku
Product: Heroku Dashboard - Web Application (API) 2014 Q3
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An application-side re-auth session bypass vulnerability has been discovered in
the official heroku API & web-application service.
The vulnerability allows an attacker to request unauthorized information
without the second forced re authentication module.
The heroku web-service provides to all web services an expire session function
that disallows to visit the page without re authentication.
The dataclips page session of the editor and the postgres service allows to add
for example new context. If the session expires in the main
heroku web-service the user will be forced to login again.
During the tests we releaved that the session of the dataclip service and
editor is available even if the re-authentication service is still running.
If the local attacker changes the path manually to request directly the stored
context in the profile (like shown in video) he is able to bypass the
security mechanism to add or request the database name.
The session validation mechnism needs to provoke a refresh of the progres
datasheet page or the dataclips add through editor to prevent unauthorized
access after a session has been expired during the usage of the heroku service.
The security risk of the re-auth session bypass vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the vulnerability requires a local low privilege heroku
application user account without user interaction. Successful exploitation
of the vulnerability results in the evade and bypass of the re-authentication
mechanism.
Proof of Concept (PoC):
=======================
The local re auth bypass vulnerability can be exploited by local attackers with
low privilege web-application user account or
by remote attackers without privlege web-application account and high user
interaction. For security demonstration or to reproduce
the security vulnerability follow the provided information and steps below to
continue.
Manual steps to reproduce the re-auth bypass vulnerability ...
1. Register a webpage account at the official heroku website
2. Provoke the re-auth function that pops up after several profile interaction
during the time after the session expired
3. When the session is expired to do not press the re-auth function button that
popup stable to all service
4. Switch back to the postgres.heroku service and add dataclips or own
databases even if the session is expired to all other modules and sites
Note: Even if all session are expired the user is able to request the database
and the dataclips in the service without authorization
5. Successful reproduce of the session vulnerability!
Video Demonstration
The video demonstrates the vulnerability in the re-auth function of the heroku
service which affects only the heroku service with the dataclips and databases.
The session expired values also needs to be recognized in the database service
and the site validation request to prevent access without re-auth to heroku
itself.
Exception Message:
-Your session has expired
--Your current session has expired or become inactive and has been terminated.
---Please log in again to continue using Dashboard.
--- PoC Session Logs ---
17:55:32.218[718ms][total 718ms] Status: 303[See Other]
GET https://id.heroku.com/logout Load Flags[LOAD_DOCUMENT_URI
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.heroku.com/home]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
rack.session=sqPL2wMwiUxRKRDIZRZpFZtpQVHNL051XZMscTdZzo85hsFiMzwNrL-ZgLLCf8llJTtLTk8ilInCKAeHek3hJ971JEcCHKfGmen-xMGjed0pjaT5KG1CKDBB-oPo5z_trM8eSSBDiLUnva-T9N6Pty3jwbNpxFYeHFG79jB1K1j-lc_-dB8tACasWzQbFPc5d-6ampRWbPJf4ZQhglDefQdPrvLEqwO5BD5uXKzT2WKvilkEqdnzzbUKXm3WD1GMWZwqsV6hkeUJMn5vbsVb32yIm1r7sWL5WxuYMvbTpEdMWcA5mDJzoc0ME_Oo0F4Sz3lhIxBhipySHAYlAiR6B7SQCocJGSCqIJckDiQ_cZ5wY8s2hmGAvL2YKGb4gZGLMR2VvJDC8AEOhbS5ofhZDrYTvEaRCFgqweI3KGFQlcie7C2AQnYFgo7UfnilQsLZEVKAZnJ_f6wy3t9a108LwzUxg5aQ27mYexe5IK3Ei2ji5BNFcphWiujvrHG4TjtQwtxfF6eZZhTurqM1Rcwle2hPfQqQlSMrEf54dh_nurL6Oyh3mMHi68mhDZm6zIaAq-GCGpx8PwNhwZ8Wp1ZjmD04fFsPKBZBA9pJ2IMuP5NBgP6dpkPuPa1MxIlDpPuz6PuK_ONBKPI-ApKey2g6_6r6dHXBZU-dBMAX9nNm16r7rEoJR4StN3ApBazWVxHDTMJdprFoMbcAYsUEsjFQBMuNMwe3GKxvFKNynwK-GWsjCxL_BMe8pZQVaW7h-qSZWydA4Pmx9VmkTdEZ7e4BXiGXZCUo6et8QyZLK4SfV4tod03s6MkB3nbWjSLEsJyo4KQSDu4jJyqP7g9nvRuJz67XHl_pTLcV2updPygb3qrlyeFZLhuXtjsDbpWHMxWjvjhX7g63QkdsCSsytKBOYNsKZu8npvW59b3U6jO-aB-ZN4hMDbogRSKRhRE1bIrN%7CbHVM61lFujhv41-3Kbdezg%3D%3D%7C90aed411ab431962695b4954963c46d29c694c5b89ee793a1654e400d0830070;
_ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; heroku_session=1;
heroku_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc;
__utmb=148535982.59.9.1411228524365;
optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:55:42 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0;
expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01
Jan 1970 00:00:00 -0000; secure
rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed;
path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure]
Location[https://id.heroku.com/login]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[17eefe38-a226-46fc-8e1d-2f673d87db10]
Transfer-Encoding[chunked]
Via[1.1 vegur]
17:55:32.937[159ms][total 818ms] Status: 200[OK]
GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.heroku.com/home]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed;
_ga=GA1.3.181049422.1411214008; visitor_id36622=273629684;
__utmb=148535982.59.9.1411228524365;
optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:55:42 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0;
expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01
Jan 1970 00:00:00 -0000; secure
rack.session=HSkfR06GR1NnxhFxsmBIy0sVnJareQJv2qjGRfPXqF3Dxw-NQDVWTkf5IxbkOvB9Z8WGGhGe2f4_P7ZkiWLRnuY_mYbgteaZNCrRtb13u0v7TCQN96dgWRfbP5lSlsLzJ3A_QBzFn0LtDWiUwv1GIPgmrGvMMRRNm6k7YRgVDF1VUVKLyo4eJ57fFw6kQG6_QeSZXL2pYCnvRe779I47DXgY-VrPXUbI5Uk9Cznr49pEvkkRfb3QatvMR8el3E8QT6StkYQQEDwzL2ZYJroQXhHPMa-yHcGVoNATooiumbPXBEOM1a-fKUdJ7s56yZ9l93Ie4fVxLOUtRRtjJd-O7Sg3FLqdiNM7siMYpSD_gxh_XT3hWYbd4h5t9Xoj_zgOtxiDJlM63RchlyCtoFERag%3D%3D%7CFvfX9eXB36GDcprUj47Nrg%3D%3D%7C3212ecd5bcd6a88fd376d7bd6a58dda06d5de2e01f9b066d2dce3e441b8d09b2;
path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[6c5a1418-f70d-4eb5-901c-8b333e82d2e3]
Transfer-Encoding[chunked]
Via[1.1 vegur]
17:56:11.833[437ms][total 437ms] Status: 302[Found]
GET https://postgres.heroku.com/databases Load Flags[LOAD_DOCUMENT_URI
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[postgres.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
_session_id=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBG--16c1365df04da320c8f856f41afe6b154b068da3;
user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819;
postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc;
__utmb=148535982.62.9.1411228524365]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Connection[close]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
status[302 Found]
Strict-Transport-Security[max-age=99; includeSubdomains]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[https://postgres.heroku.com/login]
Content-Type[text/html; charset=utf-8]
x-ua-compatible[IE=Edge,chrome=1]
Cache-Control[no-cache, private]
Set-Cookie[_session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0;
path=/; secure; HttpOnly]
x-request-id[3757ef00-dcc8-44e7-9413-c3d1beab8f0d]
x-runtime[0.008472]
x-rack-cache[miss]
Via[1.1 vegur]
17:56:12.273[183ms][total 183ms] Status: 302[Found]
GET https://postgres.heroku.com/login Load Flags[LOAD_DOCUMENT_URI
LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime
Type[text/html]
Request Header:
Host[postgres.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
_session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0;
user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819;
postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc;
__utmb=148535982.62.9.1411228524365]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Connection[close]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
status[302 Found]
Strict-Transport-Security[max-age=99; includeSubdomains]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1]
Location[https://postgres.heroku.com/auth/heroku]
Content-Type[text/html; charset=utf-8]
x-ua-compatible[IE=Edge,chrome=1]
Cache-Control[no-cache, private]
Set-Cookie[user_session_secret=; path=/; expires=Thu, 01-Jan-1970
00:00:00 GMT; secure
super_user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT;
secure
postgres_session_nonce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure]
x-request-id[aab5515c-db99-4516-afb9-f81c6d7427e3]
x-runtime[0.005907]
x-rack-cache[miss]
Via[1.1 vegur]
17:56:13.046[161ms][total 897ms] Status: 200[OK]
GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[id.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/clips/new]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
rack.session=Oj3BV4aM5iZSvASRXbZL38nzvzIIh2T_S6vdquNUi-OZ6JARZBmQ2zTzwbXj9r1M5TY2tCgCUDV6CmJzJm06aX0EH6gr2QJTjzVd64_n-FlnBUmFFLaDc_gtbPTYX3K8SsDCHAVVhA75xb6j6bvFqlPk-Ne-848PcKFchgdKGSflzC8_-Wfqqg9hppwmjdb6ia9bKqejpkXY49b0ehF8FxQp8s7etE4YxhHhvIzJqxUd3oxBjZo_F2Zoec30Cc6dRuPk5J8bocsC8_8Zq09DoZFqN_DOG41HDlbKIW1TKUtFLfCvuQ3KoE7cjM7dSdVzZZf7uehizmAGWkBPIWp-fJRoUG3L2Rpoo0VZdN_ih-BGCtGMNiFb3K4586XR9yQWMuEiikHz1yhZp_fK7oZk60Ps3vTnNi1zGxRcfW_N3ScLeVLSyHMqefqlqtVMAWqTf5qP5pbBhbPiwJKTnowmmNPx92DrmkqWD0SrdKHOVtcWrCvwmNW5dzG7zAFQ_BMFAU-1c7BDbIkTSBEI0YuSu48HuLkTAjNPJBuSLXJkj42h1MPsx3Vxz8HakjQxIJt1KirqkcQdZTlPheoKI0iYpi4V27TRMZtrb8AZh9mMtEo435snF2SDhMHSdzniCMlA7G-Ngw4EheMslTp5BsqmhIQiy0-hklsUKnMX8Hedh3g%3D%7CwHQzLOXMlHCSl_paZ8IydQ%3D%3D%7Cc627cc2ac2f61b0720781b7b15c81836840a4546ae4365f68d3c89ffd9d513d5;
_ga=GA1.3.181049422.1411214008; visitor_id36622=273629684;
__utmb=148535982.62.9.1411228524365]
Connection[keep-alive]
Response Header:
Server[Cowboy]
Date[Sat, 20 Sep 2014 15:56:22 GMT]
Connection[keep-alive]
Strict-Transport-Security[max-age=31536000]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Content-Type[text/html;charset=utf-8]
Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0;
expires=Thu, 01 Jan 1970 00:00:00 -0000; secure
heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01
Jan 1970 00:00:00 -0000; secure
rack.session=P8zZlFpkxJkI4ZLxjTorLaS7chYJ_xvm3tBRWqep-FyoNj_WSHDck99ggLaKgLczUMG6QylLu1VbNinWWd2uTvosTC3p811iQmobo8BwOeNgaY-Iyei8yP-c294TzPqzGmipSdIDCpCJJNlRu9fNDBgAppjFQi8lwNVmyyVPgwZc1tMa6KBi9Dx9Z6QxGLGykZPfxZvLCXHanhPgfRdxttpcO4uG-zklXg7kHrAri8MDvjXJbXvXr-BBnkWbr1hPFOH2z7BZXiBvTeKIuB6N_fqOEredXT8KRwcVGHxoHRFVsBQvr8bFqR8C_ImSzTqpkjjA_32wqf_t8oyVyGRt6Wf2RAjCO2Ve9nvECAaMhlA0AAChwZ7zPDYErU6WPGumLDLGGQJyeRxB31TPehBownCAIAtyZIBmoBmnCNRM5t6czeCBR1U7xMTBctVh58lH-0WIE1uESRcFYGiEjrefszmsjtQuv8XOS3i0zqBn4e7rKe5BQvvm_lWLlDOumVoMa7OKsaV7TuprlYP4n5LpWeOenBxb1JtTY8ASoQzv3rllKfG_LuQn0OGHVnCu9BsSd6B9qdZKqNZL1kA2xlt3SKrjt5qgIpLs3Wq4N3H3n5yXCIKduxNkqDFd5bJ8Ibx1prC44SktuOnv4v9xQaCTtWfw3NI_068iXRGBt0sDnq0%3D%7Cdyw4qNVeN1QJkse0PYVkMA%3D%3D%7Cf92ff337070c04e0bc1331b08bd2d38420af6bea0707a1ccfc813d4ce3b89c82;
path=/; expires=Mon, 20 Oct 2014 15:56:23 -0000; HttpOnly; secure]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Request-Id[8583828c-b434-43b4-a8a2-9df47b64d82d]
Transfer-Encoding[chunked]
Via[1.1 vegur]
17:56:37.841[603ms][total 603ms] Status: 302[Found]
GET https://dashboard.heroku.com/account Load Flags[LOAD_DOCUMENT_URI
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[dashboard.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
_my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZG--af37490991f3a343d1126f2e451efbf7744c0f9a;
__utmb=148535982.65.9.1411228524365;
user_session_secret=BAhJIgKKBWFGcHhTbVkzVUVjeE1TdGxVSGcwWTJ3clRVMTVWWE5pYkZsUFVrRkpVMkpPYkRsR2VVdHRVeTlQWTBkaFl5OUJlSGRHVVVNMEswOW5SR1pvUVVSdFZYUk9SVWxVZGxKS1UwdHJiRTgxZEhRNGMxTnJNbUZrYVVsa01VMUdWRmxJUVVkUlMxZzJTVkJ2YUdwSVJpdGtSSFVyWTNkRVdISkJjelp4UXpVMGRVOHZMekF4UzFCT2JYRXJibVpUTUV4SVJIVmxaa2QzTmtWQlJsSk5ibEpIWkVodksyVnphV1JXVEUxdlQzcEVOREYwWjNSc2RUUndhRmwyVUdObk0xaEJMMVpQUlN0SVMyazVkbWg1UzBWV1RsTlVWVVEyVjJOVFF6VlZUemxRVlZkelZIWm5WbFpxV21FMGJIRjJZM1F2UlRWSlN6Z3hVVkJNVVc1cWQwRjJRekJEWVVrd2RuY3dhVnBtTjFaQlluWlZlSEZCU2k5WGNYZ3pkVEJKTlRGaVNHSnRNRUpSVGpWdmJXVndjSEJsVGpKa09WVTNkM0pFVUd0WFVsaDNSbHBJVjNjd01WQkllbTlWUmtodlFXOUNXbEl4WlZkdmVIQk9ZVTVGWVdKM2FGcE5ORzFuU1ZCVmVHOVFUbTlHWkVKTFQzRkRLM3BVVjAxT1dYVXlUR055YTBGVGIwOVhSbFZ2UWxjMmEwVTBjV2R5TWpSVk9IWnBkSEEwY1RkaFZEZFpLeTloUnpSUVZtNW9Xa3hVVkVkUWFIWjRjamxhTUhoSE5FUk9RbTVwZW1RemNHcHlUVmhWWkVWelVEWk5PRlpvYkRNM2NscFBjR3RMUnpsRmVuVllSbXBCVlRseWNuZE1hSGMxVDJ4VGNVNW1lR0pVVnl0a2N6bFZZVlpqYkZsSFlXNHhZMWhvVVZFMFVVaG5iRzltTmpsRmFXZDRiVUp6VEhCQlZrZzFaWFpJVW1GQ01rNU5URUZuVnpGSlkyUkdSRnBaVkdJeVkwdGlWVm81ZEU1RGJFTXZha2xIVHpGWmJUQm9SREJ3WWtsUFpVVTJlWEJvUTA1amVTOURjbmw0UWpCa2EyRXZhblJtY1U5ak4wSk9kbkpYVEhKTGR5dGpSaXMyVlhwdWEzVnFiRlpKVXpkdldteDVVSFJrVTFsaVJXMHJjMVowVlhwcVdsSTRVV3dyY25GWFZFaEZMM1ZQTlZWRVRGSlRPRk14Y2s1MFltRXdaelZUTkV0aFZqTmFZbFJ4T1N0WGNtMXBTR3RuWW1abVpYQkZXVVpQV21aM1JUZ3dNekUxTjA1ME5FOXBVRFF2Ykc1TGJYSjBVUzltTTAxRFkwcEdaVnAzUjNsSE5rNW5aRk5XSzNwT1ExVnhPR2hKVGpWd1NqaGtTWE4wTkdacVFrUTFRMk5IV0dwb1JYbFNPWEoxZG05T1pWWXlhM2xpUW1wMWJHVmxTelJ6V2xWMVZURkhMMDE1Y210SlVrVkVMMjk2T0ZKTWEwTTNVVWRyTkVNcmEwOXJibEJWTW5GcVMxRnRjMFJsU1VobWREbHRPV3hvTDNkRE9ITmtjVGwxVFRoRlpXaHJaVk5hTlV0VWFIaFBVVVZGUVRCQk4wWmxNMmR4ZVdoNlJHMDJXRzFhVG1OVVlVaDZTMDl6U3pNM2MzUk5PWEJaTUhWUFEwNVlRekZJWmpCS01HaGFVM05XYVU4NFVtZFNOVnBoUW5SWUsyNDVWbkZhUWxWdlkxZHpPVFo0TjFWc1pGbHRTV0pOWkdwU2EwYzRaejB0TFVkRWRUWm1TV0ZVU2tjM1NXeFdRekJCYWs1cGJFRTlQUT09LS1jZTZmNmQ0MTBhNjQyNzhmZGNkMmEwMjk0ZDUxOGJhNjU0NmQzM2FjBjoGRUY%3D--bd9c611ce38c8221d606e59d0e41c5571aa3ef06;
dashboard_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc;
_ga=GA1.3.181049422.1411214008;
__utma=155166509.181049422.1411214008.1411228144.1411228144.1;
__utmb=155166509.7.10.1411228144; __utmc=155166509;
__utmz=155166509.1411228144.1.1.utmcsr=dashboard-next.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/new;
visitor_id36622=273629684; flash=%7B%7D]
Connection[keep-alive]
Response Header:
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:48 GMT]
Content-Type[text/html; charset=utf-8]
Transfer-Encoding[chunked]
status[302 Found]
Strict-Transport-Security[max-age=31536000]
Location[https://dashboard.heroku.com/login]
Cache-Control[must-revalidate, no-cache, no-store, private]
Pragma[no-cache]
Expires[0]
X-Frame-Options[SAMEORIGIN]
x-ua-compatible[IE=Edge,chrome=1]
Set-Cookie[_my-heroku_session=BAh7CUkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZGSSIQcmVkaXJlY3RfdG8GOwBGIg0vYWNjb3VudA%3D%3D--3aacd80781b201de87c148efa8ef6adb5a004d99;
path=/; secure; HttpOnly]
x-request-id[5e276c4f-1382-4328-ae95-b87a73376089]
x-runtime[0.006972]
x-rack-cache[miss]
Via[1.1 vegur]
17:56:39.215[207ms][total 207ms] Status: 304[Not Modified]
GET https://dataclips.heroku.com/ Load Flags[LOAD_DOCUMENT_URI
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime
Type[application/x-unknown-content-type]
Request Header:
Host[dataclips.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
_session_id=ZXNtT29YN3FZajNrQ2U0OTBWbzZ2VHlWSUJDdnVtNmV3TEtLc25ZT0h5MW9rS2FRVzRZblpLRktRQkd3ZXZPY2hwMm41a1VjSlNEY3VGbkVXYjRQTWVLcmFsTEk4MDQvc1laWTViZ2JVZ2RzUEdMNFpGY2JZRTdwdWN3K3ZWTW56VEVpcFU4OHg1T1BQMHBGbTdkNlNFakpZMjVMVE1mNnZxM2dPL3BNKzZ1VVljeTRGUk4rbEhqcld1UEdBR3lCdDM5RkxpZk1hZWsyZkFyY0dGZmVxeUlheUt5NXhaNGNJb1ZTR2VkL1o0ZHM2OW9HTnBZb1dOZys3dVpGSFdKRDA1TysvaHg2enlWMGhLaVhnUmxwbnQ0S1JMeVl3WHFvZWwvaUI2Qy9rQU9aMmhqNllDVVJXa0FsNXZwZEdCQVpWS2d0VTlvMjZPQ1hENy9tZmE0REdZT1NvdmN3SDcrMG15dElDRlFNVkJEN24yWS9lUU03RjduTDkzQlAxcnpkNHhldEhQOVpyZjNUM3JVaU5Fek9BcmI5WGNsN0c2dFRPMTZqMjRyNnZnRndBYi9rWEcyTGMwMTZadGxhQmVWQ1hQUURyUk9tZjZtZitTSk1LMmNhQmFkOEJ3NFQreGdxUS9qeXFrUHdNQWt5cXJvRWxTQis1R1lTWThkeHI4YzRrQVVROFdhTzZEb0pMZTR3K3pLZXBoUkVMMlBncUNQZlpleTRPY1U1cHJrPS0tMHFTV09tekRBajVKeXlPS0dESE82QT09--f620fe024be3e5610f3af2885c5b2758b30cffbf;
__utmb=148535982.65.9.1411228524365]
Connection[keep-alive]
If-None-Match["015d655373394c49a35217e89173847e"]
Response Header:
Content-Length[0]
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:49 GMT]
status[304 Not Modified]
Strict-Transport-Security[max-age=31536000]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
X-Frame-Options[SAMEORIGIN]
Etag["015d655373394c49a35217e89173847e"]
Cache-Control[max-age=0, private, must-revalidate]
Set-Cookie[_session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77;
path=/; expires=Sun, 21 Sep 2014 15:56:49 -0000; secure; HttpOnly]
x-request-id[b278f0fa-e866-4fd5-91cb-26c023746359]
x-runtime[0.027082]
Via[1.1 vegur]
17:56:48.969[192ms][total 192ms] Status: 304[Not Modified]
GET https://dataclips.heroku.com/clips/new Load Flags[LOAD_DOCUMENT_URI
LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime
Type[application/x-unknown-content-type]
Request Header:
Host[dataclips.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://dataclips.heroku.com/]
Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103;
_ga=GA1.2.181049422.1411214008;
__utma=148535982.181049422.1411214008.1411216956.1411228016.3;
__utmc=148535982;
__utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases;
optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1411214007860r0.1948891553088572;
optimizelyBuckets=%7B%7D;
_session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77;
__utmb=148535982.67.9.1411228524365; optimizelyPendingLogEvents=%5B%5D]
Connection[keep-alive]
If-None-Match["809917d3d9ac788b43864dd9470788d6"]
Response Header:
Content-Length[0]
Connection[keep-alive]
Server[nginx/1.5.7]
Date[Sat, 20 Sep 2014 15:56:59 GMT]
status[304 Not Modified]
Strict-Transport-Security[max-age=31536000]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
X-Frame-Options[SAMEORIGIN]
Etag["809917d3d9ac788b43864dd9470788d6"]
Cache-Control[max-age=0, private, must-revalidate]
Set-Cookie[_session_id=L0FpUHg1M3ZuUkNUeWtxVFNxdW1UY3p0QkM0OUNsVUMyL2VBN24xZVh3d1hlN2s5VUI5Tjl1b3BzV00yaW93elp0RGNKV3cxODh0VVVmSG9CeC9NSDh0WVVvekVqUkV5bHFaSStCUnkrZ21iWGRmVy96K210K01tQXo1SkxHRldLVVZYMFdiazVkcG96N3ZUWGZhK28vRWh5WS9id0ZIWTBTdU51a1dUaWRLK1gvWlI0WFRScW5PMU1MOURsLzV0QnRqdUhZWE9SSzdZRzVSazEzeko2Y01jZjFGRGNiUVRpQ0doSitISHpjSG8xT1JGamtVeDRKRjhBMHIxZkl5Q3N6bW9BODJqekNDMnhpRjExa3N3SlJpbU4xT1Rvc0Y3Uy9wNHdmMUVMbzV5OGxwK0N2bmJQdVJRazlOamRQbkJ5RXJuVmwvOW94azJhTHRMUzY4WkszdkU0cG9zaExXQ3FWUXZqRXpmc01DOFB5V1Nhbkp0bzhlejVCZGFaeFh6RGM3TTFqYkV5TXpGNVF3SkptRy95dkVTd1IyRS93SkVTVjYrRnF1dlFLa0Q2cGdKdkVDV0NoSkdrZDBiRzVyRFRmVHE3Z0hBb1pQbEM4RTBsT3NsNURYRlZoL0dSNUtsVjRjVFc3cFZFME1DUElhblRxTUdZYVMyUUFUaWQ0YUVMTytLZytVOHJaa3RQYVJzcUZ3RGZEWEFOdTBWT2Y1ZVQ0b0kzK2k3Z3MwPS0tQnhFMFYyVGxDODRjSXpIQ3g5R1ZhQT09--1ea1df64ab1a053df5ea5a4eed8a3bda7db428a8;
path=/; expires=Sun, 21 Sep 2014 15:56:59 -0000; secure; HttpOnly]
x-request-id[433e3190-bc29-4192-9a61-90754e41bb44]
x-runtime[0.029809]
Via[1.1 vegur]
Reference(s):
https://dataclips.heroku.com/
https://dataclips.heroku.com/clips/new
https://postgres.heroku.com/databases
-
https://dashboard.heroku.com/account
https://dashboard.heroku.com/login
https://id.heroku.com/logout
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure proof of the dataclip and postgres
service values that are processing to use the login credentials.
The service needs to process expired sessions through all portal in the same or
next request without allowing to access separtly requested section with the
expired session credentials.
Security Risk:
==============
The security risk of the re-auth session bypass vulnerability in the dataclip
and postgres information page is estimated as high. (CVSS 6.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2015 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt