Skip navigation

Category Archives: XSS

Google offers an application security education page about XSS.  If you’re new to it, or just want to get more in-depth and determine how to mitigate it, give it a read.

https://www.google.com/about/appsecurity/learning/xss/

XSS Hunter looks like a promising project.  By allowing for users to own a custom subdomain dedicated to hosting XSS callbacks, it offers a clean, user-friendly interface for probing pages with XSS.  It allows for easy fingerprinting of targets and organizes all of the information, to help keep track of which pages are vulnerable and what types of info they yield.  I’m very excited to see where this goes.

https://xsshunter.com/features

“…the issue was that the GoDaddy customer support application pulled data from a shared database that my XSS payload was stored in and then reflected it insecurely into the page – causing this XSS vulnerability.”

https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/

An InfoSec researcher was playing around when registering his GoDaddy account and set his name to a Cross-Site Scripting payload, as a joke.  Months later, there was an issue that required contacting GoDaddy’s support line, but it soon became apparent that the “joke” would actually allow a malicious actor to take control of any GoDaddy support representative’s session and do anything with their permissions.

TL;DR: Read the page, it’s short and to-the-point