Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

Blind XSS Vulnerability Allowed Compromise of GoDaddy Support

Blind XSS Vulnerability

Blind XSS Vulnerability

Almost four months after disclosing a blind cross-site scripting (XSS) vulnerability to GoDaddy, researcher Matthew Bryant has published details on the vulnerability – because GoDaddy has finally fixed it.

Blind XSS flaws are so called because the researcher, pentester, or attacker doesn’t know when or where they might take effect. “To make a physical comparison,” writes  Bryant, “blind XSS payloads act more like mines which lie dormant until someone triggers them.” This is because the payload is triggered and has effect in a different location to its delivery.

In this particular example, Bryant had noticed that his first and last names could be set on GoDaddy to an XSS payload. He entered his standard payload to both – and then forgot about them.

At a later date he contacted GoDaddy support in order to transfer one of his domains to a different registrar. Two things happened simultaneously: the GoDaddy support “appeared to be having trouble looking up my account due to their systems ‘experiencing issues’.”

At the same time, his mobile phone vibrated to indicate two emails in quick succession. These were notifications from XSS Hunter that his XSS payloads had been triggered – obviously by the support staff trying to access his account details. Although the payload was set in his account details, it was triggered and took effect on the web page used by the support staff.

This is a big deal, notes Bryant. Had he been an attacker, he could have performed any action available to the support staff, including modifying accounts, transferring domains or deleting the account altogether. “In a real attack scenario, the next step for exploitation would be to inject a proper BeEF hook into the agent’s browser to ride their session (using XSS Hunter’s JavaScript chainload functionality) and use the support website as them.”

Blind XSS flaws are easier to prevent during coding than to detect during testing. This is because they depend upon two flaws in different locations: one to enter the payload and another to trigger it. Independent pentester Robin Wood (DigiNinja) explains that he can test for blind XSS only where he gets access to both front and backend systems, “and can test directly by bouncing between the two.” Where he doesn’t get complete access, he explains to the client “what XSS is, and tell them to look out for unusual things happening in the admin suite or other areas while they are using.”

Advertisement. Scroll to continue reading.

Wood also notes that there are other ‘blind’ attacks, “for example when input is batch processed at the end of the day and remote command execution attack that has been entered earlier gets triggered; or where SQL injection happens in a third party application caused by data that was originally intended to test the primary app.”

Some of these can be difficult to find because of the scope of work and the time available to the tester. “Data entered on the 1st of the month may not be processed till the month after, well after the test window has closed and the tester moved on to the next job.”

Fixing the flaws, he suggests, is relatively easy; but the time required will depend “on the processes the developers or admins have to go through and can take between hours and weeks and sometimes never happens at all.”

It took GoDaddy at least four months. We don’t know exactly how long because when Bryant reported it, he was told that GoDaddy already knew about it. The timeline he provides in his post indicates that it may have taken much longer had he not felt obliged, eventually, to threaten to go public. 

On 11 April, he wrote to GoDaddy, “I’m moving my domains off of GoDaddy this week (since they could all be stolen/accessed using this issue) but for other GoDaddy users this is still outstanding critical issue that affects them. I’ve waited over three months so far for a fix so I feel giving this one more month until public disclosure takes place is fair.” Two weeks later it was fixed.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...