Whois XSS

Posted by k | Posted in Uncategorized | Posted on 02-12-2007

This is massive. I wonder why no one has ever posted this somewhere.

Most domain registrars (I have yet to find one that does) will not filter what you put in your REGISTRANT CONTACT INFO and WILL allow the script tag! Just try it yourself and rebaptize yourself as: John

As you know, once you can run scripts the sky is the limit. You can be a hacker and steal document.cookie to hijack a session and get complete access to another domainer's account, or be a nice guy and put an entire cool game in your registrant contact info.

Keep in mind you will be injecting into your own whois page, so you had better use it for more harmless stuff like logging people's visits.

Who is vulnerable? Many, many whois lookup pages, including Whois.net and the registrar Dynadot.com.
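What the post describes is a stored XSS in the whois lookup page, not in the whois protocol: the lookup page copies registrant contact fields into its HTML without output encoding, so markup typed into the registration becomes part of the page of whoever looks the domain up. The following is an added example, not code from the original post or from any registrar or lookup site named here. It parses a constructed whois record (the registrant name and all other values are made up), renders it the flawed way and with proper HTML escaping, and includes a check a registrar or lookup service could run to flag contact fields that contain markup. All function names are illustrative.

```python
import html
from typing import Dict, List

# Constructed raw whois output (not a real registration). The registrant
# name carries a script tag, which the post says registrars let through.
RAW_WHOIS = (
    "Domain Name: example.com\n"
    "Registrant Name: John<script>alert(1)</script>\n"
    "Registrant Organization: Example Org\n"
    "Registrant Email: john@example.com\n"
    "Registrar: Example Registrar, Inc.\n"
)


def parse_whois(raw: str) -> Dict[str, str]:
    """Split 'Key: Value' whois lines into a dict.

    The raw text itself is inert: a terminal whois client just prints it,
    which is why only web front-ends that render it as HTML are affected.
    """
    record: Dict[str, str] = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def render_unsafe(record: Dict[str, str]) -> str:
    """The flawed pattern: registrant data concatenated straight into HTML.

    Whatever markup the registrant typed is emitted as markup, so the
    browser of anyone viewing the lookup result executes it.
    """
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in record.items())
    return f"<table>{rows}</table>"


def render_safe(record: Dict[str, str]) -> str:
    """The fix: HTML-escape every untrusted field (keys too) at output time.

    '<' becomes '&lt;', quotes become entities, and the browser shows the
    registrant's tag as literal text instead of running it.
    """
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in record.items()
    )
    return f"<table>{rows}</table>"


def fields_with_markup(record: Dict[str, str]) -> List[str]:
    """Flag contact fields containing HTML metacharacters.

    A registrar can use this at registration time, or a lookup service for
    monitoring. It is a signal for review, not the defense: output escaping
    in render_safe is what actually prevents execution.
    """
    return [k for k, v in record.items() if any(c in v for c in "<>\"'")]


if __name__ == "__main__":
    rec = parse_whois(RAW_WHOIS)
    print("fields with markup:", fields_with_markup(rec))
    print("unsafe:", render_unsafe(rec))
    print("safe:  ", render_safe(rec))
```

The escaping is done where the value meets the HTML, not where it is stored: the same registrant name may later be emitted into JSON, a plain-text whois response or an e-mail, each of which needs its own encoding, and filtering on input alone is what the registrars in the post were not doing anyway.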

Update: Dynadot fixed the XSS after some fuss on some well-known domainer forums. Others are still vulnerable.

Last, but not least, it's not every day you receive such a nice compliment from one of the top gurus ever!

Thanks RSnake!

Comments (13)

  1. Just wanted to give some props for some more blackhats on Sphinn. Glad to see yall showin up all of a sudden.
    You'll get more votes on Sphinn with their little voting badge. Helped me a lot. But it's still really hard to rank w/ blackhat topics. I'm considering trying to get some kids from the BH forums on there though…

  2. wow, xss on whois. that's really genius.
    Congrats for discovering it.
    Eliena

  3. I've found this similar problem on my country's domain registrars some months ago, but now it's patched :P

  4. This only affects people who use web interfaces for whois. Your good old terminal is -of course- not affected. Clever idea, but not too harmful imho.

  5. [...] Last night one of my friends, Robin, showed me this link: http://www.blackhatdomainer.com/whois-xss/ (and I also found this on RSnake's Blog) [...]

  6. [...] Last, but not least, it's not every day you receive such a nice compliment from one of the top gurus ever! Source [...]

  7. [...] for the related sla.ckers forum thread see this link, and for the original blog post see this link [...]

  8. [...] Here’s a very nice XSS find by Klaus: [...]

  9. [...] which is why we decided to write about it in our blogs. More than a month ago Blackhatdomainer wrote on his website about XSS vulnerabilities in DNS servers when running 'whois' [...]

  10. [...] Whois XSS Hack – for XSS fans [...]

  11. [...] for the related sla.ckers forum thread see this link, and for the original blog post see this link [...]

  12. [...] You would think that it's safe to assume the URL in your address bar is the real URL of the real site you're looking at. Think again. Domains can be faked, and even whois info can be spoofed using XSS exploits, similar to the one posted by Klaus [...]

  13. [...] night one of my friends, Robin, showed me this link: http://www.blackhatdomainer.com/whois-xss/ (and I also found this on RSnake's [...]
