Cross-site Scripting via WHOIS and DNS Records

On a whim, I tossed this into the address field of the registrant data of a domain so it’d appear in whois records: <script>alert(1);</script>. I figured, what the heck, let’s toss it in a DNS TXT record as well. Nothing new or novel. Nothing clever. Nothing remotely interesting… but endlessly entertaining.

XSS via domain.me’s WHOIS lookup tools

XSS via dnslookup.online’s DNS lookup tool

XSS via kdmarc.com’s DNS lookup tool

XSS via network-tools.com WHOIS lookup tool

Thank you for coming to my TED talk. More info here: https://www.tenable.com/security/research/tra-2020-64