Namecheap XSS Vulnerability via SSL Certificate


I discovered interesting XSS attack vector on NameCheap firm. As you know, you can sign your certificates via NameCheap.


Lets buy new one SSL certificate.


Following part is important side of my finding. Because we’ll put our payload inside of CSR file.

namecheap csr


Next step is generate CSR file from our SSL key. Please pay attention to next picture.  You’ll see our XSS payloads at inside of the certificate file’s variables like Organization name, Locality Name and so on.

namecheap ssl

We’ll put content of that file into the NameCheap web form in order to sign it by authority.

namecheap sign it

NameCheap will parse that content and grab some field from our  CSR  file which contains XSS payloads in some fields.

namecheap xss

I don’t know how can we use that vulnerability as an attack vector. But we usually hide payload at inside of POST, GET, COOKIE or even USER-AGENT but I’ve never experienced something like that before.