When your carrots try to fight you!
Was doing a bit of rabbitholin' when I came across an interesting looking domain: n0rb3r7.com. The domain was registered with Cross-Site Scripting (XSS) payloads in some of its WHOIS fields. This creates a nice watering-hole style attack vector: when users query public WHOIS lookup websites that render the record without escaping it, they get back live JavaScript packed with goodies. Below are some of the sites we observed not validating/sanitizing the output they hand to their users (excluding ICANN, which is safe for now). Doh!
NIBBLET: Appears to be the work of a 'Chase Miller'. Well played sir...
https://hackerone.com/n0rb3r7?sort_type=latest_disclosable_activity_at&filter=type%3Aall%20from%3An0rb3r7&page=1&range=forever
ICANN Whois Lookup for 'n0rb3r7.com':
(NOTE: Safe to View / NO XSS rendered!)
UNSAFE WHOIS RESULTS FOR 'n0rb3r7.com':
(NOTE: XSS IS LIVE! THESE CARROTS WILL ATTACK!)
1. WHOIS.COM - hXXps://www[.]whois[.]com/whois/n0rb3r7.com
2. WA-COM.COM - hXXp://wa-com[.]com/n0rb3r7.com
3. TUCOWS - hXXp://www[.]tucowsdomains[.]com/whois
4. WHOISOLOGY - hXXps://whoisology[.]com/n0rb3r7.com
5. DNSSTUFF - hXXp://www[.]dnsstuff[.]com/tools#whois|type=domain&&value=n0rb3r7.com
6. PUREWHOIS - hXXps://www[.]purewhois[.]com/index.php
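To show the defect the sites above share, here is an added example (not code from this post or from any of the lookup sites): a tiny "Key: value" WHOIS parser with an unsafe renderer beside an escaped one, run over a constructed record whose registrant field carries markup. All names (SAMPLE_WHOIS, escapeHtml, parseWhois, renderUnsafe, renderSafe, containsScriptTag) and the record contents are invented for this example.

```javascript
// Constructed sample: a WHOIS reply whose registrant field carries markup,
// in the spirit of the n0rb3r7.com record. Every value here is invented.
const SAMPLE_WHOIS = [
  "Domain Name: EXAMPLE-LOOKUP.COM",
  "Registrar: Example Registrar, Inc.",
  "Registrant Name: <script>alert('whois')</script>",
  'Registrant Organization: Carrots "R" Us & Co',
  "Registrant Street: 1 Rabbit Hole Ln",
].join("\n");

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Parse "Key: value" lines into [key, value] pairs. Split on the first ':'
// only, since values (URLs, times) may contain colons; other lines are skipped.
function parseWhois(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^([^:]+):\s*(.*)$/.exec(line);
    if (m) rows.push([m[1].trim(), m[2]]);
  }
  return rows;
}

// UNSAFE: what the listed lookup sites effectively do - raw reply into markup.
function renderUnsafe(text) {
  return "<pre>" + text + "</pre>";
}

// SAFE: every key and value is escaped before it is placed in markup, so the
// registrant's script tag is displayed as text rather than executed.
function renderSafe(text) {
  const cells = parseWhois(text)
    .map(([k, v]) => `<tr><th>${escapeHtml(k)}</th><td>${escapeHtml(v)}</td></tr>`)
    .join("");
  return `<table>${cells}</table>`;
}

// Check used below: does the produced markup still contain a live script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```

In a real page, assigning the reply to `textContent` or building cells with `createElement` gives the same result without hand-escaping; the string form here only makes the two outputs easy to compare.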