systems_glitch

XSS via DNS

3 posts in this topic

Apparently someone else thought about this a few years ago, but I was working on my Dynamic DNS project last night and thought, how many websites grab DNS or reverse DNS information and just pass it to the browser, unescaped? Apparently nonzero:

 

https://dig.whois.com.au/dig/hax.bv.theglitchworks.net

 

Click the button :)

 

The following site works for both forward lookup on hax.bv.theglitchworks.net and reverse lookup on 2001:470:1f07:b75::1337

 

http://www.webdnstools.com/dnstools/dns-lookup-ipv6

 

Another example of how no external data should ever be trusted!


I didn't get it either. I usually don't click on Glitch's links, though.  ;-)


Oh, I've taken the DNS record out by this point.

 

Basically, there are things out there that treat DNS records like they're always clean text that can just be shoved into whatever without sanitizing. I'd set up a DNS resource record that did JavaScript XSS in the browser when a particular DNS record was displayed.

 

The rDNS on 2001:470:1f07:b75::1337 is still present; if you go to the tool in the second link and paste in that address in the IPv6 rDNS lookup, you'll see a bold hi! on your screen. I'll set up the hax.bv.theglitchworks.net address again if you guys want to see how that works.

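The defensive side of what this thread describes, as an added example that is not part of the original posts: a lookup tool's row renderer that concatenates DNS answer data into markup, next to a version that escapes every field at output and flags answers that are not plain letter-digit-hyphen hostnames. All function names are hypothetical and the sample PTR answers are constructed (documentation address range, `example.net`).

```javascript
// Added example: hypothetical names, constructed data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters so record data is shown as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True only for names built from letter/digit/hyphen labels (1-63 chars each,
// no leading or trailing hyphen, at most 253 chars in total). DNS itself allows
// other bytes in labels, so a resolver answer is not guaranteed to pass this.
function isLdhHostname(name) {
  const n = name.endsWith('.') ? name.slice(0, -1) : name;
  if (n.length === 0 || n.length > 253) return false;
  return n.split('.').every((l) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(l));
}

// "Before": query and answer concatenated straight into markup.
function renderRowUnsafe(query, answer) {
  return '<tr><td>' + query + '</td><td>' + answer + '</td></tr>';
}

// "After": every field escaped at output; non-LDH answers are marked so an
// operator can see that the zone returned something other than a hostname.
function renderRowSafe(query, answer) {
  const cls = isLdhHostname(answer) ? 'ok' : 'suspicious';
  return `<tr class="${cls}"><td>${escapeHtml(query)}</td><td>${escapeHtml(answer)}</td></tr>`;
}

// Constructed PTR answers; the second mimics the bold "hi!" described in the thread.
const SAMPLE_ANSWERS = [
  ['2001:db8::1', 'mail.example.net.'],
  ['2001:db8::1337', '<b>hi!</b>.example.net.'],
];

for (const [q, a] of SAMPLE_ANSWERS) {
  console.log('unsafe:', renderRowUnsafe(q, a));
  console.log('safe:  ', renderRowSafe(q, a));
}
```

The hostname check is only a signal for logging or display; the escaping is what keeps the answer from being parsed as markup, and it has to be applied to the query field as well because that value also comes from outside.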
