Cross-site Scripting (XSS) Vulnerability in NASA through User Agent - Binit Ghimire

As of October 19, 2019, there exists a Reflected Cross-site Scripting (XSS) vulnerability in a sub-domain of the official NASA website as a result of the User Agent HTTP request header getting displayed in the webpage. The vulnerability was discovered on October 11, 2019 and a video was uploaded to YouTube regarding the reproduction of the vulnerability.

Vulnerable URLs:
1. https://nodis3.gsfc.nasa.gov/search_ft.cfm
2. https://nodis3.gsfc.nasa.gov/suggestions_action.cfm

Proof-of-Concept (PoC) Video: https://youtu.be/O-KtSUUqnzM

How to Reproduce?
Step 1: Visit https://nodis3.gsfc.nasa.gov/search_ft.cfm
Here, you will be able to see that it displays your User-Agent in the form of "Your browser is {User-Agent}". In my case, it displays "Your browser is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0".

Step 2: Then, open your browser's Developer Tools, and add a custom User Agent string containing the following XSS payload:
<svg/onload=alert(document.domain)>

You can also modify the value of User Agent by intercepting the GET request sent to the server while visiting https://nodis3.gsfc.nasa.gov/search_ft.cfm and then forwarding the request.

I have explained about this in the Proof-of-Concept (PoC) video along with this vulnerability report.

Step 3: Now, visit the webpage with the modified User Agent value, and you will be able to see the XSS payload in the User Agent getting executed.

Author Details:
Name: Binit Ghimire
Profile: https://packetstormsecurity.com/user/binit/
Webpage: https://binitghimire.com.np
Twitter: @WHOISbinit (https://twitter.com/WHOISbinit)
Facebook Page: https://www.facebook.com/TheBinitGhimure
Facebook Profile: https://www.facebook.com/InternetHeroBINIT
GitHub: https://github.com/TheBinitGhimure
LinkedIn: https://www.linkedin.com/in/thebinitghimire/