This is cache of http://ha.ckers.org/blog/20071230/xss-on-whois/. Cache is the snapshot of article that we took when we index feed.
To see original page click here.
We are not affiliated with the authors of this article and not responsible for its content.
XSS on Whois
2007-12-30 20:55:53 by RSnake in ha.ckers.org web application security lab
 

Klaus over on Blackhatdomainer described on his blog the use of XSS in whois information to take over domains when people are researching your domain. Very cool stuff. I have a feeling there are also servers that may be vulnerable to SQL injection as well, but that’s probably much more difficult and dangerous to test. Dotster was apparently vulnerable to this, but we didn’t have a working PoC.

However, Thrill then posted an screenshot of this on one of the several domain registrars that we found to be vulnerable to this. So now we proof that this can be done. Of course the usefulness of this is probably limited to only a few sites, but sites which often take credit card information for payment processing of domains. Which, obviously, has some usefulness for phishing. Anyway, pretty interesting stuff!

 
Tags: apparently vulnerable, vulnerable, credit card information, domain, cool stuff, domain registrars, stuff, usefulness, sql injection
 
 
 
 
 
TOP SEARCH
Expand / MinimizeClose Widget
  •  
RECENT SEARCH
Expand / Minimize
  •  
RELATED VIDEO
Expand / Minimize
SecurityRatty FAQ
Sergey Zarubin, 31yo
CISSP, CCSP
Moscow, Russia