"Using this vulnerability I could perform any action as the GoDaddy customer rep. This is a bad deal because GoDaddy representatives have the ability to do basically anything with your account. On other support calls with GoDaddy my agent was able to do everything from modifying account information, to transferring domain names, to deleting my account altogether."Bryant notified GoDaddy of the flaw in late December of 2015. It took about four months for the domain registrar to patch the vulnerability. Blind XSS vulnerabilities are often missed, reveals Bryant, because pentesters assume they will fire in their browsers when in actuality they might fire in other places. To adequately remediate for XSS, the researcher recommends that site owners prevent the payloads from being stored:
"When you do proper output encoding, you have to do it on every system which pulls data from your data store. However, if you simply ensure that the stored data is clean you can prevent exploitation of many systems because the payload would never be able to be stored in the first place."News of this discovery comes just a few months after Yahoo Mail awarded $10,000 to a security researcher for finding a stored XSS flaw.