The Vulnerability Of Blind XSS Permitted To Compromise of GoDaddy Support

The Vulnerability Of Blind XSS Permitted To Compromise of GoDaddy Support

Approximately after four months revealing a blind cross-site writing (XSS) vulnerability to GoDaddy. Even researcher Michael Bryant has published the details on the vulnerability – because GoDaddy has lastly patched it.

Blind XSS defects are so called because the researcher, pentester, or hacker does not know when or where they might bring result. Bryant writes that "To make a physical comparison blind XSS payloads act more like mines which lie dormant until someone triggers them."  And this is done because of the payload is activated and also has outcome in a location to its delivery.

In this specific example, Bryant had observed that his first as well as last names that could be set on GoDaddy to an XSS payload. He enters his typical payload to both as well as then fail to remember about them.

At a later date, he makes contact with GoDaddy support in order to transmit one of his domains to a different registrar. And there are two things occurred at the same time: the first one is that the GoDaddy maintain "appeared to be having trouble looking up my account due to their systems 'experiencing issues'."

Whereas at the same time his mobile phone is vibrated to indicate two emails in quick succession. These were announcements from XSS Hunter that his XSS payloads had been generated – apparently by the support staff was trying to access the details of his account. But the payload was set in his account details and it was produced and it took the result on the web page that is used by the support staff.

Bryant notes that this is a big deal. Had he been an attacker and he could have worked any action which is existing to the support staff, as well as modifying the accounts, transferring the domains or removing the account altogether. "In a real attack scenario, the next step for exploitation would be to inject a proper BEEF hook into the agent’s browser to ride their session (using XSS Hunter’s JavaScript chain load functionality) and use the support website as them."

The defects of Blind XSS are simpler to protect during the coding than to distinguish during the testing process. This is possible because of they depend on upon two defects in various locations: one is used to enter the payload and the second one is used to activate it. 

Autonomous pentester Robin Wood describes that he can test for blind XSS only where he obtains the access to both front as well as backend systems, "and can test directly by bouncing between the two." And where he does not get full access and then he describes to the client "what XSS is, and tell them to look out for unusual things happening in the admin suite or other areas while they are using."

Wood also observes that there are another 'blind' attacks that "for example when input is batch processed at the end of the day and remote command execution attack that has been entered earlier gets triggered; or where SQL injection happens in a third party application caused by data that was originally intended to test the primary app."

Some of these can be hard to find due to the capacity of work as well as because of the available time to the tester. "Data entered on the 1st of the month may not be processed till the month after, well after the test window has closed and the tester moved on to the next job."

He suggests that patching the flaws that are relatively simple but the necessary time will depend "on the processes the developers or admins have to go through and can take between hours and weeks and sometimes never happens at all."

It obtains from GoDaddy at least four months. Precisely we do not know that how long it is because when Bryant reported it then he was informed that GoDaddy already knew about it. The timeline which he offers in his post point out that it may have to obtain much longer had he not felt thankful, eventually, to make threats to go public.  

He wrote to GoDaddy on 11 April that "I'm moving my domains off of GoDaddy this week (since they could all be stolen/accessed using this issue) but for other GoDaddy users this is the still outstanding critical issue that affects them. I've waited over three months so far for a fix so I feel giving this one more month until public disclosure takes place is fair." Two weeks later it was attached.