Pingdom Website Speed Test DOM based XSS
Hello all, this is my first blog post in English and my first blog post in the last 3 years, so be nice :)
Recently I found a very interesting DOM based XSS in one of the Pingdom’s services.
The service is Pingdom Website Speed Test .
I’m certain that all of you have used it at some point. What makes it interesting, you may ask? Well, the input that was later executed in the DOM was one of the tested site’s response headers.
The following header was used for testing purposes:
X-XSS-Test: <script>alert(document.domain);</script>
Frankly, I was really surprised when the payload executed on mouse over.
Here is a video:
This issue was reported and Pingdom deployed a fix: the tested site’s response headers are now inserted into the page as text nodes (data) rather than as HTML.
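To make the vulnerable pattern and the fix concrete, here is an added example (my own illustration, not Pingdom’s code) that renders a tested site’s response headers into the page. It assumes a hypothetical `renderHeaders*` pair and a constructed stub `document`, so it runs outside a browser; the sample headers include the test header from this post.

```javascript
// Constructed sample headers, including the test header from the post.
const SAMPLE_HEADERS = {
  "Content-Type": "text/html",
  "X-XSS-Test": "<script>alert(document.domain);</script>",
};

// Vulnerable pattern: header values concatenated into an HTML string that
// the page then assigns to innerHTML, so markup in a header becomes live.
function renderHeadersUnsafe(headers) {
  let html = "<ul>";
  for (const [name, value] of Object.entries(headers)) {
    html += "<li>" + name + ": " + value + "</li>";
  }
  return html + "</ul>";
}

// Fixed pattern, as the post describes the fix: build elements and put each
// header into a text node, so the browser treats it as data, not markup.
// `doc` is a document-like object (window.document in a browser).
function renderHeadersSafe(headers, doc) {
  const list = doc.createElement("ul");
  for (const [name, value] of Object.entries(headers)) {
    const item = doc.createElement("li");
    item.appendChild(doc.createTextNode(name + ": " + value));
    list.appendChild(item);
  }
  return list;
}

// Minimal stand-in for `document` so the example runs outside a browser.
// Assumption: like a real DOM, text nodes serialize with < > & escaped.
function makeStubDocument() {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return {
    createTextNode: (text) => ({ outerHTML: esc(text) }),
    createElement: (tag) => {
      const node = {
        children: [],
        appendChild(child) { node.children.push(child); return child; },
        get outerHTML() {
          return "<" + tag + ">" + node.children.map((c) => c.outerHTML).join("") + "</" + tag + ">";
        },
      };
      return node;
    },
  };
}
```

In a browser you would pass `window.document` and append the returned list to the page; the unsafe string would have handed the header’s `<script>` to the parser, while the text-node version shows it as literal text.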
So remember: you can find an XSS by testing strange and unexpected user inputs. Stay safe!
Note: I use a FF black theme because the white color hurts my eyes, not because I’m some u83r l33t h4xor :P
Hello! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly? My blog looks weird when viewing from my iPhone 4. I’m trying to find a template or plugin that might be able to resolve this problem. If you have any suggestions, please share.
Many thanks!
Hello there, if you are using WordPress I can recommend this theme: http://themeforest.net/item/throne-personal-blogmagazine-wordpress-theme/8134834
Cheers! :)
Hi, you found another DOM XSS in DuckDuckGo.
https://hackerone.com/reports/868934
How did you find the endpoint now in this post?