Dnsxss

From SkullSecurity
Revision as of 04:27, 21 February 2010 by Ron

This tool is designed for testing sites that display DNS records against cross-site scripting attacks. I discovered that the majority of servers that print, for example, MX records for a given domain don't filter the responses before displaying them. This allows an attacker to return arbitrary text, including HTML characters, in all replies. Requests that don't allow text, like A and AAAA, are replied to with localhost (127.0.0.1 or ::1).
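On the side of a site that displays DNS records, the fix is to treat record data as untrusted text and encode it on output. The sketch below is an added example, not part of dnsxss or the original page; the function names and the sample MX records are constructed for illustration.

```python
import html
import re

# LDH hostname rule (RFC 1123): each label is letters, digits and hyphens,
# 1-63 characters, and does not start or end with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_ldh_hostname(name: str) -> bool:
    """True if name looks like an ordinary hostname (trailing dot allowed)."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def render_mx_unsafe(records):
    # "Before": record text is placed into the page verbatim, so any
    # markup returned by the remote DNS server becomes part of the HTML.
    return "".join(f"<li>{pref} {host}</li>" for pref, host in records)


def render_mx_safe(records):
    # "After": HTML-encode every value on output, and mark values that are
    # not plain hostnames so they can be logged or reviewed.
    items = []
    for pref, host in records:
        attr = "" if is_ldh_hostname(host) else ' class="suspicious"'
        items.append(f"<li{attr}>{int(pref)} {html.escape(host, quote=True)}</li>")
    return "".join(items)


# Constructed sample: one ordinary MX target and one containing markup.
SAMPLE = [
    (10, "mail.example.com."),
    (20, "<script>alert(1)</script>.example.com."),
]

if __name__ == "__main__":
    print("unsafe:", render_mx_unsafe(SAMPLE))
    print("safe:  ", render_mx_safe(SAMPLE))
```

The same encoding applies to any other record type that carries text, not only MX.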

This tool assumes that the authoritative DNS record for a domain points to you. You can check whether it does either by running 'dnsxss --test <domain>' or by using the 'dnstest' program directly.

Although there isn't really an avenue for doing a cross-site scripting attack against A or AAAA requests, they still return a valid result. Both return localhost by default, but can be configured to return any address you want, making this, technically, a legitimate (but limited) DNS server.

Technically, there's nothing stopping this tool from attempting other attacks, such as SQL injection, but I haven't tried testing those yet.