A proof-of-concept app demonstrating a (patched) CSRF attack on Heroku's SSO for add-on providers.
.gitignore
Gemfile
Gemfile.lock
Procfile
README.md
app.rb
config.ru

README.md

kensa create my_addon --template sinatra

This repository is a Sinatra template application for use with the Heroku kensa gem.

Create and run it via:

> gem install kensa
> kensa create my_addon --template sinatra
> cd my_addon
> bundle install
> foreman start

In a new window:

> cd my_addon
> kensa test provision
> kensa sso 1

And you should be in a Heroku Single Sign On session for your brand new add-on!

Current status:

  • deprovision - working
  • provision - working
  • planchange - working
  • GET SSO - working
  • POST SSO - working
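The GET and POST SSO endpoints above both land on the same provider-side check before a session is created. As an added example, not code from this repository, here it is as a plain Ruby function that runs without Sinatra; it assumes the Heroku add-on SSO token format, SHA1 of `id:sso_salt:timestamp`, and a two-minute freshness window (both assumptions here), and the salt and timestamps in the test are constructed.

```ruby
require 'digest/sha1'

# Compare two strings without short-circuiting on the first differing byte,
# so the token check does not leak how much of it was correct via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an incoming SSO request as an add-on provider would, whether the
# parameters arrived in a GET query string or a POST body.
# Assumed format: token = SHA1("#{id}:#{sso_salt}:#{timestamp}").
# Returns :ok, or a symbol naming why the request was rejected.
def verify_sso(params, sso_salt, now: Time.now, max_age: 2 * 60)
  id, timestamp, token = params['id'], params['timestamp'], params['token']
  return :missing_param if [id, timestamp, token].any? { |v| v.nil? || v.empty? }
  return :bad_timestamp unless timestamp =~ /\A\d+\z/

  # The salt is shared only between Heroku and the provider, so a third party
  # cannot mint a valid token for a resource id they do not own.
  expected = Digest::SHA1.hexdigest("#{id}:#{sso_salt}:#{timestamp}")
  return :bad_token unless secure_equal?(token, expected)

  # Reject stale links: a captured or replayed URL stops working after max_age.
  return :expired if timestamp.to_i < (now - max_age).to_i
  :ok
end

# Build the parameters a legitimate SSO request carries (used by the checks below).
def sso_params(id, sso_salt, timestamp)
  ts = timestamp.to_i.to_s
  { 'id' => id.to_s, 'timestamp' => ts,
    'token' => Digest::SHA1.hexdigest("#{id}:#{sso_salt}:#{ts}") }
end
```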