This blog post is about a Cross-Site Scripting (XSS) vulnerability found on a GoDaddy-hosted (secureserver.net) page.
While pen testing a wide scope for a client, I found the subdomain files.example.com. Opening it in a browser showed the page below.
After that, I ran a Burp Suite automated scan over it, and Reflector (a Burp Suite extension) showed that some inputs were reflected in the response.
Now it was time to look for a script-injection vulnerability. After analyzing the suspicious parameter, I found a way to execute JavaScript, as shown below. The vulnerable URL looks like: http://files.example.com/index.php/"onmouseleave="alert('XSS')"
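The payload above works because the path segment is echoed into an HTML attribute without encoding: the first double quote closes the attribute, and the rest of the path is tokenized as new attributes on the same tag. The following is an added example (not code from the original post or from GoDaddy's application; the index.php template is assumed, the injected path is constructed test input) that renders a link the vulnerable way and the hardened way, then uses Python's tolerant HTML tokenizer to show which attributes a browser-like parser actually sees. The same `event_handler_attrs` check can sit in a template's unit tests as a regression guard.

```python
import html
from html.parser import HTMLParser

# Constructed path segment that reproduces the attribute break-out shape
# described in the post. It is test input, not captured traffic.
INJECTED_PATH = '"onmouseleave="alert(\'XSS\')"'


def render_link_vulnerable(path_info: str) -> str:
    """Echo the request path into an href attribute without encoding.

    This is the bug class on the page: the first double quote in the path
    closes the attribute and everything after it is parsed as new attributes
    on the same tag (assumed index.php-style template, not the real one).
    """
    return '<a href="/index.php/%s">download</a>' % path_info


def render_link_fixed(path_info: str) -> str:
    """Same markup, but the value is attribute-encoded before insertion.

    html.escape(quote=True) rewrites both quote characters (" and ') as
    entities, so the browser keeps the whole value inside the attribute.
    """
    return '<a href="/index.php/%s">download</a>' % html.escape(path_info, quote=True)


class _AttrNames(HTMLParser):
    """Collect the attribute names the tokenizer sees on every start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def event_handler_attrs(markup: str) -> list[str]:
    """Return the on* attribute names a tolerant HTML tokenizer finds.

    A link template that should only carry href must never yield an event
    handler attribute, whatever the request path contains.
    """
    parser = _AttrNames()
    parser.feed(markup)
    parser.close()
    return sorted(n for n in parser.names if n.startswith("on"))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_link_vulnerable),
                          ("fixed", render_link_fixed)):
        markup = render(INJECTED_PATH)
        print(f"{label}: {markup}")
        print(f"  event handlers parsed: {event_handler_attrs(markup)}")
```

Running it prints the two renderings side by side: the unencoded one yields an `onmouseleave` attribute, the encoded one yields only `href`. Encoding for the attribute context (not just stripping `<script>`) is the fix; a Content-Security-Policy without `unsafe-inline` would additionally stop the handler from running even if a template is missed.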
But wait, what is this web page for, and who added this subdomain? Checking the subdomain's CNAME record, I found that it points to GoDaddy.
As a service provider, GoDaddy must have thousands of clients using this service (probably the file-sharing feature), and all of them are exposed to the same Cross-Site Scripting (XSS) vulnerability. To verify this, I first thought of using a simple Google dork to find similar web pages.
However, that is not a reliable approach, so I discussed with @smaranchand possible ways of gathering all subdomains on the internet whose DNS records use files.secureserver.net as a CNAME. He came up with the idea of using Silent Push. Using its reverse CNAME lookup, we found that around 13,092 domains were vulnerable to the XSS. That is a very large number of systems exposed through a single vulnerability.
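Silent Push answers the question from the outside (which domains anywhere point at files.secureserver.net). A defender only needs to answer it for their own zones, which is what the added example below does; it is not code from the post or from Silent Push. It parses constructed zone-file lines (the records, TTLs and names are made up; only the watched target files.secureserver.net comes from the post), follows CNAME chains with a loop guard, and reports every owner name whose chain ends at a watched third-party host. Run it against a zone export to inventory which of your hosts depend on a given provider, so a bug in that provider can be mapped to affected hosts immediately.

```python
from collections import defaultdict

# Constructed zone data (not real records) in a loose zone-file layout:
# owner, TTL, class, type, rdata. Only files.secureserver.net is from the post.
ZONE_RECORDS = """
files.client-a.example.    300 IN CNAME files.secureserver.net.
www.client-a.example.      300 IN A     203.0.113.10
share.client-b.example.    300 IN CNAME storage.client-b.example.
storage.client-b.example.  300 IN CNAME files.secureserver.net.
docs.client-c.example.     300 IN CNAME docs.other-provider.test.
loop-a.client-d.example.   300 IN CNAME loop-b.client-d.example.
loop-b.client-d.example.   300 IN CNAME loop-a.client-d.example.
"""


def parse_cnames(zone_text: str) -> dict[str, str]:
    """Map each CNAME owner to its target, lowercased and without the
    trailing dot. Records of any other type are ignored."""
    cnames: dict[str, str] = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue
        owner, target = fields[0], fields[4]
        cnames[owner.rstrip(".").lower()] = target.rstrip(".").lower()
    return cnames


def resolve_chain(name: str, cnames: dict[str, str], max_hops: int = 8):
    """Follow CNAMEs from name and return the final target name.

    Returns None when the chain loops or exceeds max_hops, which is what a
    resolver would refuse to answer rather than follow forever.
    """
    seen: set[str] = set()
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        if current in seen:
            return None
        seen.add(current)
        nxt = cnames.get(current)
        if nxt is None:
            return current  # no further CNAME: this is the terminal name
        current = nxt
    return None


def hosts_delegated_to(zone_text: str, watched: set[str]) -> dict[str, list[str]]:
    """Group every CNAME owner in the zone by the watched third-party host
    its chain terminates at; owners terminating elsewhere are omitted."""
    cnames = parse_cnames(zone_text)
    targets = {w.rstrip(".").lower() for w in watched}
    report: dict[str, list[str]] = defaultdict(list)
    for owner in cnames:
        final = resolve_chain(owner, cnames)
        if final in targets:
            report[final].append(owner)
    return {target: sorted(owners) for target, owners in report.items()}


if __name__ == "__main__":
    for target, owners in hosts_delegated_to(ZONE_RECORDS, {"files.secureserver.net"}).items():
        print(f"{target} is the terminal CNAME for {len(owners)} host(s):")
        for owner in owners:
            print(f"  {owner}")
```

Chained delegations (share.client-b.example via storage.client-b.example) are caught because the chain is followed to its end rather than matching only the first hop; the looped pair in client-d is skipped instead of hanging the run.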
After confirming the vulnerability on a few subdomains, I decided to notify GoDaddy security and emailed them a detailed proof of concept at [email protected]. However, they didn't respond until. To my surprise, the vulnerability has since been patched by them. After some searching, I also learned that the same vulnerability had previously been reported by turbobarsuchiha. She also did not receive any reasonable response from GoDaddy and decided to post about it on her blog.
Lessons learned:
- Always monitor third-party DNS entries and hosted applications for possible threats and vulnerabilities.
- Never exclude static pages from security testing.
- Examine each issue reported by Burp Suite manually.