
An XSS vulnerability on a dotless domain can lead to XSS on the entire TLD. See top level universal XSS[1]

[1]https://superevr.com/blog/2012/top-level-universal-xss/




Here's the best part -- these websites are built terribly and are very open to this sort of thing.

After about 2 minutes of looking, I've just found that nic.io (or just io.) basically lets you type arbitrary HTML into the search boxes. Chrome's built-in XSS auditor catches any scripts you put in there, but (at least) Firefox doesn't.

Check it out:

http://io./cgi-bin/whois?query=%3Ca%20href=%22%22%3E%3Cu%3EA...

If you load it in Firefox (or any browser without an XSS auditor) it'll pop an alert, otherwise you'll just see the image I loaded and a link I inserted.

This is ridiculous.


I attempted to notify them of this, but their contact form validator rejects anything I put into it. The whole site is a mess.


Contact the ccTLD compliance (!!) team at ICANN; http://www.icann.org/en/resources/compliance/cctld


Thanks for the link.

According to the article, the problem is local to Internet Explorer though.

Essentially, if "intranet" mode is enabled and a website is hosted locally, IE will ignore the browser's same-origin policy. So a script from http://networkmachine can access all your cookies.

IE hate is very outdated, but the fact that a website hosted locally can have access to all the data the browser stores is mind-boggling. A nondescript dialog is all that stands to protect users.


And that's why we have http://publicsuffix.org/
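The thread's point, tied together: a page served from a dotless host such as http://io./ must not be able to set a cookie scoped to "io", because that cookie would be sent to every *.io site, and the Public Suffix List is what lets a browser refuse it. The following is an added illustration (not code from any commenter or from publicsuffix.org) of that Domain-attribute check; the rule list is a constructed excerpt in PSL syntax, and the check is simplified from RFC 6265.

```python
# Added example, not code from the thread. A simplified version of the cookie
# Domain-attribute check that the Public Suffix List makes possible: a page on
# a dotless host such as http://io./ must not be able to set a cookie scoped
# to "io", since it would then be sent to (and readable by) every *.io site.

# Constructed excerpt of PSL-style rules (real list: https://publicsuffix.org/).
# "*.x" is a wildcard rule; "!y.x" is an exception to a wildcard rule.
PSL_RULES = ["com", "io", "uk", "co.uk", "*.ck", "!www.ck"]


def _labels(name: str) -> list[str]:
    """Normalise a host or Domain value: lowercase, no leading/trailing dots."""
    return name.lower().strip(".").split(".")


def public_suffix(host: str) -> str:
    """Public suffix of host, following the PSL matching algorithm:
    an exception rule wins outright; otherwise the longest matching rule;
    otherwise the implicit default rule '*' (just the last label)."""
    labels = _labels(host)
    matches: list[list[str]] = []
    for rule in PSL_RULES:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(r == "*" or r == h for r, h in zip(rule_labels, tail)):
            if exception:
                return ".".join(tail[1:])  # exception: drop the leftmost label
            matches.append(tail)
    return ".".join(max(matches, key=len)) if matches else labels[-1]


def cookie_domain_allowed(host: str, domain_attr: str) -> bool:
    """May a response from `host` set a cookie with Domain=domain_attr?
    Two rules (simplified from RFC 6265 section 5.3): the host must be the
    domain itself or a subdomain of it, and the domain must not be a public
    suffix. A dotless host like "io." therefore cannot scope a cookie to io."""
    host_l, dom_l = _labels(host), _labels(domain_attr)
    if len(dom_l) > len(host_l) or host_l[-len(dom_l):] != dom_l:
        return False  # host is not within the requested domain
    return public_suffix(domain_attr) != ".".join(dom_l)


if __name__ == "__main__":
    print(cookie_domain_allowed("io.", "io"))                 # False
    print(cookie_domain_allowed("example.io", "example.io"))  # True
    print(cookie_domain_allowed("evil.io", "example.io"))     # False
    print(cookie_domain_allowed("www.ck", "www.ck"))          # True
```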
