WHOIS Cross-site Scripting
Gunter Ollmann, January 4th, 2008

There’s been a little fuss over a recent posting concerning the threat of WHOIS cross-site scripting. To get your attention, it starts with “This is massive.”

Now don’t get me wrong, there is a threat, but it is marginal – and I’ll explain why in a little bit.

What’s all the fuss about? Basically, when you register a new domain name (or manage an existing one), you are required to supply certain details – in particular administrative contact details. Unfortunately, many of the interfaces for entering these details accept not only ordinary text and numeric data but also characters that a browser will interpret as HTML and, more dangerously, as client-side executable script. Ideally, the domain registrars or the ISP Web site serving the WHOIS record should have scrubbed or HTML-encoded those non-alphanumeric characters before presenting the data back to the user who ran the WHOIS query.
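To make the mechanism concrete, here is an added example (mine, not from the original post or from any registrar’s code) that parses a constructed WHOIS record whose registrant name carries a script payload, renders it the way a careless portal would and the way a fixed portal should, and runs the kind of input check a registrar could apply at registration time. The record, the field names and the HTML template are all assumptions for illustration.

```python
import html
import re

# Constructed sample WHOIS response (not a real record). The registrant name
# field carries the kind of script payload the post describes.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Name: Acme Holdings <script>alert(document.cookie)</script>
Registrant Organization: Acme Holdings Ltd
Registrant Street: 1 Example Way
Registrant City: Anytown
Admin Email: admin@example.com
"""

# One "Key: value" field per line; keys are letters, spaces and slashes only,
# so a colon inside a value is left with the value.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*):\s*(.*)$")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict, preserving field order."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            record[m.group(1).strip()] = m.group(2).strip()
    return record


def render_naive(record):
    """What a careless portal does: splice raw registration data into the page.

    Any <script> in a contact field lands in the HTML unchanged and runs in the
    browser of whoever looked the domain up.
    """
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in record.items())
    return f"<table>{rows}</table>"


def render_escaped(record):
    """The portal-side fix: HTML-encode every value at the point of output.

    quote=True also encodes quotes, so the same encoding is safe if a value is
    ever placed inside an attribute rather than element text.
    """
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in record.items()
    )
    return f"<table>{rows}</table>"


# Characters an HTML parser treats as markup. A registrar- or registry-side
# check can flag any contact field containing them before the record is stored.
HTML_ACTIVE = re.compile(r"[<>\"'&]")


def suspicious_fields(record):
    """Return the names of fields whose values contain HTML-active characters."""
    return [k for k, v in record.items() if HTML_ACTIVE.search(v)]


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("flagged fields:", suspicious_fields(rec))
    print("naive:  ", render_naive(rec))
    print("escaped:", render_escaped(rec))
```

Output encoding in `render_escaped` is the reliable fix, because it works no matter what the registry lets through. The `suspicious_fields` check is defence in depth on the input side and should flag rather than silently reject, since legitimate names such as “Smith & Sons” contain an ampersand.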

Is it new?

The problem has been around for a long time – in fact it pretty much tracks back to the dawn of the modern Internet. However, given some of the responses related to the posting, it has surprised quite a few people.

Most ISPs have been aware of the problem for quite a few years. Their original concern came from domain registrants who included HTML hyperlinks in their address details, which often broke the formatting of the ISPs’ Web-based query portals. Some of these ISPs implemented limited scrubbing – but in general most haven’t, because it wasn’t perceived as a real problem, more of an inconvenience.

Ideally, any (final) sanitization of the registration data should be done by the registry operators themselves (e.g. Verisign for .com) – thereby removing the need for every ISP and other WHOIS responder to implement its own sanitization. Why hasn’t this been done? I’m not sure, but it may be because some people expect to be allowed to use hyperlinks in their registration details, or it may be to accommodate the additional complexities of non-Roman alphabets.

Things have moved on a bit though. Cross-site scripting (XSS) has been getting a lot more attention in recent years and there are plenty of how-tos for launching a damaging attack against desktop users. Today XSS is regularly used in drive-by-malware (drive-by-download) attacks. So the threat of remote compromise arising from allowing non-alphanumeric data in a registration record is something many operators have never had to counter before.

Massive or not?

Is this “massive”? No – not by a long shot. It is important that ISPs and registrars work to improve the situation though. In the past, when employed to pentest new customer portals for various ISPs and telcos, I found XSS vectors through their WHOIS lookup interfaces – but once they were made aware of what the threat was, they responded with fixes pretty quickly.

Two important aspects to evaluating the risk of this threat are to understand who is vulnerable to attack and what the likelihood of success is.

The possible victims of WHOIS-based XSS are those who regularly look up WHOIS domain registration details online through query portals. By my own estimate this is only a small fraction of surfers worldwide – and they are probably more of the techie-administrator or paranoid-security persuasion than anything else.

I believe that the likelihood of successful compromise is “average”: the XSS vector is proven viable for drive-by-malware installation (and there are plenty of online examples showing how to do this), and the ability to use non-alphanumeric characters in registration details is an acknowledged weakness; however, every portal that displays WHOIS data does so slightly differently, and there is no guarantee that the same XSS payload will work across multiple portals.

There may be some risk to the internal processes ISPs use to work with registrants if they rely on Web-enabled applications to view and edit the data – particularly billing systems. These second-order attack vectors are much more complex to perform successfully.

Threat – fact or fiction?

Like I said at the start – yes, it is a threat but, in the grand scale of Internet threats, it’s minor – and not the straw to break the camel’s back.

The threat would be much more significant if someone came up with a flaw in the WHOIS software found on most systems (i.e. accessed through the command prompt), and used in many automated server processes at ISP’s and businesses to monitor domain registrations. If it could be exploited through data within the domain registration details, that could be a significant threat.


    Copyright 2001-2008 © Gunter Ollmann