Predrag Cujanović


Pingdom Website Speed Test DOM based XSS

Hello all, this is my first blog post in English and my first blog post in the last 3 years, so be nice :)

Recently I found a very interesting DOM based XSS in one of the Pingdom’s services.


The service is Pingdom Website Speed Test.

I’m certain that all of you use/used it sometimes. What makes it interesting, you may ask? Well, the input that was later executed in the DOM was a site’s response header.

The following header was used for testing purposes:

X-XSS-Test: <script>alert(document.domain);</script>

Frankly I was really surprised when the payload executed on mouse over.

Here is a video:

This issue was reported and Pingdom deployed a fix: the site’s response headers are now inserted into the DOM as text nodes.
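To show the difference between the two rendering paths, here is an added example (not Pingdom’s code): the same header value spliced into `innerHTML` versus inserted as a text node, with a small stand-in `document` (constructed here) so it also runs outside a browser. The `[{ name, value }]` header shape is an assumption.

```javascript
// Added example (not Pingdom's code): a header value spliced into innerHTML is
// parsed as markup, while the same value inserted as a text node is not.
// Assumed input shape: [{ name, value }] for each header of the tested site.

// Vulnerable pattern: the header value is concatenated into an HTML string.
function renderHeadersUnsafe(doc, headers) {
  const table = doc.createElement("table");
  let html = "";
  for (const h of headers) {
    html += "<tr><td>" + h.name + "</td><td>" + h.value + "</td></tr>";
  }
  table.innerHTML = html; // the HTML parser now sees h.value as markup
  return table;
}

// Fixed pattern: every value becomes a text node, so the parser never runs on it.
function renderHeadersSafe(doc, headers) {
  const table = doc.createElement("table");
  for (const h of headers) {
    const tr = doc.createElement("tr");
    for (const cell of [h.name, h.value]) {
      const td = doc.createElement("td");
      td.appendChild(doc.createTextNode(cell));
      tr.appendChild(td);
    }
    table.appendChild(tr);
  }
  return table;
}

// Minimal stand-in for `document` (constructed for this example) so both
// renderers run under Node; in a browser, pass the real `document` instead.
function fakeDocument() {
  const esc = (s) => s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
  const element = (tag) => ({
    tag, children: [], raw: "",
    set innerHTML(v) { this.raw = v; this.children = []; },
    appendChild(n) { this.children.push(n); return n; },
    get outerHTML() { // text nodes are escaped on serialisation, raw markup is not
      const inner = this.raw || this.children
        .map((c) => (c.text !== undefined ? esc(c.text) : c.outerHTML)).join("");
      return "<" + this.tag + ">" + inner + "</" + this.tag + ">";
    },
  });
  return { createElement: element, createTextNode: (text) => ({ text }) };
}
// Constructed sample: the test header used in the post.
const sampleHeaders = [{ name: "X-XSS-Test", value: "<script>alert(document.domain);</script>" }];
```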

So remember: you can find an XSS by testing strange and unexpected user inputs. Stay safe!

Note: I use a FF black theme because the white color hurts my eyes, not because I’m some u83r l33t h4xor :P

3 thoughts on “Pingdom Website Speed Test DOM based XSS”

  1. Hello! Quick question that’s entirely off topic. Do you know
    how to make your site mobile friendly? My blog looks weird when viewing from
    my iphone 4. I’m trying to find a template or plugin that might
    be able to resolve this problem. If you have any suggestions, please share.

    Many thanks!
