Sub Domain Takeover Tip

This tip is for users who want to learn how to actually demo to a company how someone could misuse a Heroku domain takeover. I found this again inside one of my settings of a company's domain I just reported.

Customizing your maintenance page

You can specify a custom maintenance page for your app by setting the following config var:

You will typically see this when running aquatone-takeover:

Potential domain takeover detected!
Service…: Heroku
Service website:
Resource…: CNAME

You can do this:

heroku config:set MAINTENANCE_PAGE_URL=//<your_bucket>/your_maintenance_page.html

This will allow you to turn maintenance mode on for the app you claim the domain for and serve a static page. If you are trying to demo impact to a company, this is where someone could be phished. If there was a question about severity, this will take that report up a bit, to where you may land a bounty like this.

Give it a try. I do not want to spoil things for you. Get a Heroku, go get yourselves some bounties!

I have never been paid for this and wish I had found the Starbucks one first lol,
but either way it's a cool trick to actually host a page via Heroku domain takeover.

This is typically what I will demo to show a person it's vuln. You can set that through the MAINTENANCE_PAGE_URL like I showed above.

I recommend only showing the page after asking; although not illegal, it could pose a copyright issue if you squat a domain belonging to another.
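On the receiving end of such a report, the finding is a CNAME that still points at Heroku after the domain was detached from the app. The following is an added example, not part of the original post: it compares a zone export against the custom domains still attached to your own Heroku apps. The zone records, the inventory set and the two Heroku hostname suffixes are constructed or assumed for illustration.

```python
"""Flag CNAME records that point at Heroku but are not attached to any app we own."""

# Assumption: Heroku DNS targets end in one of these suffixes.
HEROKU_SUFFIXES = (".herokuapp.com", ".herokudns.com")

# Constructed sample zone export: (record name, record type, target).
ZONE = [
    ("www.example.test", "CNAME", "example-prod.herokuapp.com."),
    ("promo.example.test", "CNAME", "Old-Campaign.herokuapp.com"),
    ("shop.example.test", "CNAME", "shops.myvendor.example."),
    ("api.example.test", "A", "192.0.2.10"),
    ("beta.example.test", "CNAME", "fluffy-otter-1234.herokudns.com."),
]

# Constructed inventory: custom domains currently attached to apps in our own
# Heroku account (for instance collected from `heroku domains -a <app>`).
ATTACHED = {"WWW.example.test."}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def points_to_heroku(target):
    """True when the CNAME target sits under an assumed Heroku suffix."""
    t = normalize(target)
    return any(t.endswith(suffix) for suffix in HEROKU_SUFFIXES)


def find_dangling(zone, attached):
    """Return (name, target) for Heroku CNAMEs with no attached app domain."""
    owned = {normalize(d) for d in attached}
    findings = []
    for name, rtype, target in zone:
        if rtype.upper() != "CNAME" or not points_to_heroku(target):
            continue  # not a Heroku-bound alias, nothing to claim
        if normalize(name) not in owned:
            findings.append((normalize(name), normalize(target)))
    return findings


if __name__ == "__main__":
    for name, target in find_dangling(ZONE, ATTACHED):
        print(f"DANGLING {name} -> {target}: remove the record or re-attach the domain")
```

Each hit is a record to delete or re-attach before someone else claims the hostname.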