Pingdom Website Speed Test DOM based XSS
Hello all, this is my first blog post in English and my first blog post in the last 3 years, so be nice :)
Recently I found a very interesting DOM based XSS in one of the Pingdom’s services.
The service is Pingdom Website Speed Test.
I'm certain that all of you have used it at some point. What makes it interesting, you may ask? Well, the input that was later executed in the DOM was one of the tested site's response headers.
The following header was used for testing purposes:
Frankly, I was really surprised when the payload executed on mouseover.
Here is a video:
This issue was reported and Pingdom deployed a fix: the fix consisted of creating text nodes from the site's response headers instead of inserting them as markup.
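The bug class and the fix described above, as an added example that is not Pingdom's code: a constructed header set is rendered first by concatenating values into markup (the vulnerable pattern) and then via text nodes (the fix). The table layout and the minimal `document` stand-in are assumptions so the block runs outside a browser.

```javascript
// Constructed response headers; any site controls its own header values,
// so "x-custom" here stands in for attacker-controlled input.
const SAMPLE_HEADERS = {
  "content-type": "text/html; charset=utf-8",
  "x-custom": '<b onmouseover="alert(1)">hover me</b>',
};

// Vulnerable pattern (assumed, not Pingdom's actual code): values are
// concatenated into markup a page later assigns to innerHTML, so a value
// containing tags becomes live DOM and its handler fires on mouseover.
function renderHeadersUnsafe(headers) {
  let html = "<table>";
  for (const [name, value] of Object.entries(headers)) {
    html += "<tr><td>" + name + "</td><td>" + value + "</td></tr>";
  }
  return html + "</table>";
}

// Fixed pattern: build elements and put each header value in a text node,
// so the browser treats it as characters and never parses it as markup.
function renderHeadersSafe(headers, doc) {
  const table = doc.createElement("table");
  for (const [name, value] of Object.entries(headers)) {
    const row = doc.createElement("tr");
    for (const text of [name, value]) {
      const cell = doc.createElement("td");
      cell.appendChild(doc.createTextNode(text)); // not cell.innerHTML = text
      row.appendChild(cell);
    }
    table.appendChild(row);
  }
  return table;
}

// Minimal stand-in for `document` so the block runs outside a browser; its
// outerHTML escapes text nodes the way a real browser's serializer does.
function makeFakeDocument() {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  const element = (tag) => ({
    tag,
    children: [],
    appendChild(child) { this.children.push(child); return child; },
    get outerHTML() {
      const inner = this.children.map((c) => c.outerHTML).join("");
      return `<${this.tag}>${inner}</${this.tag}>`;
    },
  });
  return { createElement: element, createTextNode: (s) => ({ get outerHTML() { return esc(s); } }) };
}
```

In a real browser, pass `document` as `doc`; the vulnerable variant is only dangerous once its string reaches `innerHTML` or an equivalent HTML sink.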
So remember: you can find an XSS by testing strange and unexpected user inputs. Stay safe!
Note: I use a FF black theme because the white color hurts my eyes, not because I’m some u83r l33t h4xor :P
3 thoughts on “Pingdom Website Speed Test DOM based XSS”
Hello! Quick question that's entirely off topic. Do you know how to make your site mobile friendly? My blog looks weird when viewing from my iPhone 4. I'm trying to find a template or plugin that might be able to resolve this problem. If you have any suggestions, please share.
Hello there, if you are using WordPress I can recommend this theme: http://themeforest.net/item/throne-personal-blogmagazine-wordpress-theme/8134834
Hi, you found another DOM XSS in DuckDuckGo.
How did you find the endpoint norw in this post?