The thing is that some tools like to show you the contents of the header, to tell you what server the site is using. That's also the case with the Whois listing at DomainTools, a service I've been using quite often, not only because I can remember the shortcut whois.sc/<domainname> (Whois Source) but also because it offers links to other rather useful tools, such as reverse lookups.
xss.sk does! DomainTools didn't properly escape my
xss.sk, it displays an alert and embeds this South Park video. There's some Accept header parsing involved, so you won't see the code when you visit the site directly in your browser.
HTTPOnly cookie flags or Content Security Policy) are in place.
The listing looks like this after the fix:
If you're wondering about the slash between src, that's because some sites have replaced the space with when displaying the header, and browsers didn't recognize the tag. The slash prevents that, but it still allows browsers to recognize the script tag and the src attribute correctly.
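The point above is easy to lose in prose, so here is an added example (my own code, not DomainTools') that renders response headers into an HTML listing three ways: concatenated as-is, with the space-replacement workaround, and HTML-escaped. The header values are constructed to resemble what the post describes, the script URL is a placeholder, and since the post does not say which character those sites substituted for the space, `&nbsp;` is assumed here.

```python
"""Rendering untrusted HTTP response headers into an HTML listing.

Added example, not DomainTools' code. Header values are constructed to
resemble the post's description; the script URL is a placeholder and the
choice of '&nbsp;' as the space replacement is an assumption.
"""
import html

# Constructed Server header values as a "what server is this site running"
# tool would collect. The remote site chooses the Server value, so it is
# untrusted input and must be treated like any other user-controlled string.
PLACEHOLDER_SRC = "http://example.invalid/x.js"  # placeholder URL, not real
SPACE_VARIANT = f'<script src="{PLACEHOLDER_SRC}"></script>'
SLASH_VARIANT = f'<script/src="{PLACEHOLDER_SRC}"></script>'


def render_unescaped(headers):
    """The vulnerable pattern: values are concatenated into the page as-is."""
    rows = "".join(f"<tr><td>{n}</td><td>{v}</td></tr>" for n, v in headers.items())
    return f"<table>{rows}</table>"


def render_space_replaced(headers):
    """The workaround the post mentions: replace spaces so that a tag with
    attributes no longer tokenises ('<script&nbsp;src=...' is not a script
    tag). It does nothing for a tag that uses a slash as the separator."""
    rows = "".join(
        f"<tr><td>{n}</td><td>{v.replace(' ', '&nbsp;')}</td></tr>"
        for n, v in headers.items()
    )
    return f"<table>{rows}</table>"


def render_escaped(headers):
    """The real fix: HTML-escape every untrusted name and value at output
    time, so '<', '>', '&' and quotes can never start markup no matter how
    the remote site separates the tag name from its attributes."""
    rows = "".join(
        f"<tr><td>{html.escape(n)}</td><td>{html.escape(v)}</td></tr>"
        for n, v in headers.items()
    )
    return f"<table>{rows}</table>"


def value_reaches_page_intact(renderer, header_value):
    """Regression check: does an untrusted header value end up in the output
    byte-for-byte? If it does, a browser will parse any markup it contains
    exactly as the remote site intended."""
    page = renderer({"Server": header_value})
    return header_value in page


if __name__ == "__main__":
    renderers = [("unescaped", render_unescaped),
                 ("space replaced", render_space_replaced),
                 ("escaped", render_escaped)]
    for name, fn in renderers:
        for label, payload in [("space", SPACE_VARIANT), ("slash", SLASH_VARIANT)]:
            intact = value_reaches_page_intact(fn, payload)
            print(f"{name:15} {label:6} -> {'INTACT (bad)' if intact else 'neutralised'}")
```

Run it and the space-replacement row neutralises only the space variant while the slash variant reaches the page intact; the escaped renderer neutralises both, which is why output escaping, not character substitution, is the fix to reach for.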
Here's a really short timeline, but I just have to include it because the intervals are awesomely short (times are in CET, UTC+1):
16:20 I ping Scott, provide the link to the vulnerable Whois listing, ask him to let DomainTools know
16:27 Scott sends an email to DomainTools
16:34 Scott gets a response from DomainTools, they are escalating
16:45 Scott gets an email from DomainTools CTO with a confirmation they're patching
17:09 Scott says it should be fixed
The fix was probably quite simple, but still: a fix in less than an hour from my initial report to Scott, and 42 minutes from Scott's email to DomainTools, left me speechless. That was a nice experience; thanks DomainTools for the quick response and thanks Scott for being the messenger.
Now ask yourself, how long is your response time to issues like this one, hmm?