Xss via dns

delfinom

From reddit:
[s]http://who.is/dns/jamiehankins.co.uk[/s] (Fixed now)
Next site that is vulnerable!
http://mxtoolbox.com/SuperTool.aspx?action=txt%3Ajamiehankins.co.uk&run=toolpage
Edit, another site!

SSL Checker for Comodo, Symantec, Thawte, DigiCert, GeoTrust, & RapidSSL

http://www.reddit.com/r/programming/comments/2gs2c3/dns_txt_record_xss/

tarunik

Now that is something to behold.

Matches

Nice. Now profile it using google analytics in the DNS text/script.

chubertdev

Isn't that SOP for ISPs these days?

Maciejasjmj

@tarunik said:

Now that is something to behold.

Needs more fa-spin.

presidentsdaughter

Oh boy...
http://mxtoolbox.com/SuperTool.aspx?action=txt%3Ajamiehankins.co.uk&run=toolpage# is worse even.. It seems each time a new instance is added to the page, making it slowing to a crawl

Arantor

It would appear to have been fixed now though...?

blakeyrat

The title is pretty misleading here. It's just Yet Another Website Doesn't Sanitize Freeform User Input bug. Nothing inherent in the DNS system.

Arantor

Correct, but the delivery method - via DNS - is definitely unusual. I wonder how many WHOIS sites are actually vulnerable.

delfinom

It's not misleading. I said via.

Webster dictionary defines via as:
1
: by way of
2
: through the medium or agency of;

Definition of VIA

by way of; through the medium or agency of; also : by means of… See the full definition

If I said XSS IN DNS, then that's misleading.

delfinom

Fun fact, who.is is using PHP. You can confirm this by going to "index.php" and getting their search page but if you type index2.php you get a 404 error.

So somebody learned:

1. Never trust any input
2. What is htmlentities?

delfinom

O look at that, an SSL cert site is vulnerable

SSL Checker for Comodo, Symantec, Thawte, DigiCert, GeoTrust, & RapidSSL

Arantor

@delfinom said:

Fun fact, who.is is using PHP. You can confirm this by going to "index.php" and getting their search page but if you type index2.php you get a 404 error.

So somebody learned:

1. Never trust any input
2. What is htmlentities?

I'd settle for htmlspecialchars() personally, don't need to wrangle everything into entities.

Matches

Youtube for posterity

Matches

Confirmed:

WHOIS & DNS Lookup / WhatsMyIP.org

Run WHOIS lookups on hosts, and look up DNS Records.

Look up server | lookupserver.com

http://www.dns-query.net/

InfoByIP.com

DNS lookup

http://www.whatsmyip.us/txt

DNS Record Viewer - A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, TXT

DNS Lookup, NS, CNAME, TXT and MX Record Lookup

(Suspected, strips the javascript tag and PHP tags)

NsLookup Online Tool - DNS Lookup Tool

NsLookup Online Tool - DNS Lookup Tool. Free online tool to Look up DNS IPv4, IPv6, NS, MX, CNAME, SOA, PTR, SRV, TXT Records.

DNS Lookup

Penetration testing tools – full list at Pentest-Tools.com

Access 20+ online pentesting tools on one platform! Explore the ready-to-use security testing & vulnerability assessment tools on Pentest-Tools.com.

DNS Lookup Tool - Find DNS A, MX, CNAME, NS Records

DNS Record Query - DNSQuery

also vulnerable.

Matches

So it looks like MX tried to fix it... but they've actually just leaked shit all over the place.

http://mxtoolbox.com/SuperTool.aspx?action=txt%3Ajamiehankins.co.uk&run=toolpage

Matches

Bumping this, because several of these sites are still vulnerable.