SkullSecurity ≫ Blog Archive ≫ Stuffing Javascript into DNS names(情報元のブックマーク数)

ちょっと笑ったwwwwDNSのTXTエントリやエントリ自体にXSSのコードを設定とか。

Today seemed like a fun day to write about a really cool vector for cross-site scripting I found. In my testing, this attack is pretty specific and, in some ways, useless, but I strongly suspect that, with resources I don't have access to, this can trigger stored cross-site scripting in some pretty nasty places. But I'll get to that!
Interestingly enough, between the time that I wrote this blog/tool and published it, nCircle researchers have said almost the same thing (paper (pdf)). The major difference is, I released a tool to do it and demonstrate actual examples.

Stuffing Javascript into DNS names » SkullSecurity

screenshot