This is massive. I wonder why no one has ever posted this somewhere.
Most domain registrars (I have yet to find one that does) will not filter what you put in your REGISTRANT CONTACT INFO and WILL allow the script tag! Just try it for yourself and rebaptize yourself as: John <script>alert("Black Hat Domainer")</script>
As you know, once you can run scripts, the sky is the limit. You can be a hacker and steal document.cookie to hijack a session and get complete access to another domainer's account, or be a nice guy and put an entire cool game in your registrant contact info.
Keep in mind you will be injecting into your own page, so you had better use it for more harmless stuff like logging people's visits.
Who is vulnerable? Many, many web-based whois lookup pages, including Whois.net or the registrar Dynadot.com.
Update: Dynadot fixed the XSS after some fuss on some well-known domainer forums. Others are still vulnerable.
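To make the failure mode concrete from the defender's side, here is an added example (not code from the original post, Whois.net or Dynadot): a small whois front end that parses a record into fields and renders it two ways. The whois text is constructed for the example, using the registrant name quoted above; the function and field names are assumptions, not anyone's real API. The vulnerable renderer concatenates field values straight into markup, so the script tag becomes live script on the lookup page; the hardened renderer HTML-escapes every key and value first, and a small check flags records that carry markup so a front end can log or reject them before rendering.

```javascript
// Added example, not from the original post. A web whois lookup page
// rendering registrant contact fields: vulnerable vs. hardened.

// Constructed whois record (format and values are assumptions for this example).
const SAMPLE_WHOIS = [
  "Domain Name: example.com",
  'Registrant Name: John <script>alert("Black Hat Domainer")</script>',
  "Registrant Organization: Example & Sons",
  "Registrant Email: john@example.com",
].join("\n");

// Parse "Key: Value" lines into an object. Everything here is untrusted:
// the registrant typed it, and the registrar passed it through unfiltered.
function parseWhois(text) {
  const record = {};
  for (const line of text.split("\n")) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const key = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    if (key) record[key] = value;
  }
  return record;
}

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: raw field values are interpolated into markup, so a
// registrant name containing <script> executes in every visitor's browser.
function renderWhoisVulnerable(record) {
  let html = "<table>";
  for (const [k, v] of Object.entries(record)) {
    html += `<tr><th>${k}</th><td>${v}</td></tr>`;
  }
  return html + "</table>";
}

// Hardened rendering: every key and value is escaped before insertion, so the
// same registrant name is displayed as text instead of being parsed as HTML.
function renderWhoisSafe(record) {
  let html = "<table>";
  for (const [k, v] of Object.entries(record)) {
    html += `<tr><th>${escapeHtml(k)}</th><td>${escapeHtml(v)}</td></tr>`;
  }
  return html + "</table>";
}

// Detection helper: returns the names of fields whose value looks like an HTML
// tag, which a whois front end can log or reject before rendering.
function findMarkupInRecord(record) {
  return Object.entries(record)
    .filter(([, v]) => /<\s*\/?\s*[a-z]/i.test(v))
    .map(([k]) => k);
}

const record = parseWhois(SAMPLE_WHOIS);
console.log(renderWhoisSafe(record));
console.log("fields containing markup:", findMarkupInRecord(record));
```

The same rule applies when the page is built in the browser: assign whois values with `textContent`, never `innerHTML`, and the escaping happens for free.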
Last, but not least, it's not every day you receive such a nice compliment from one of the top gurus ever!
Thanks RSnake!
Just wanted to give some props for some more blackhats on Sphinn. Glad to see y'all showing up all of a sudden.
You'll get more votes on Sphinn with their little voting badge. Helped me a lot. But it's still really hard to rank w/ blackhat topics. I'm considering trying to get some kids from the BH forums on there though…
wow, xss on whois. that's really genius.
Congrats for discovering it.
Eliena
I've found this similar problem on my country's domain registrars some months ago, but now it's patched.
This only affects people who use web interfaces for whois. Your good old terminal is, of course, not affected. Clever idea, but not too harmful imho.