===================================================================================
NOAA.gov Cross Site Scripting / Cross Site Request Forgery / Clickjacking X-frame / Slow response time
===================================================================================

TIME-LINE VULNERABILITY
-----------------------
Multiple advisories sent, but no response from:

Barry.Reichenbaugh@noaa.gov
Bill.Zahner@noaa.gov
David.P.Miller@noaa.gov
john.sokich@noaa.gov
Leesha.Saunders@noaa.gov
Les.Adams@noaa.gov
NOAA.Recovery@noaa.gov
nos.web@noaa.gov
OLE.ComplaintHotline@noaa.gov
Paul.Taylor@noaa.gov
Penaltypolicy@noaa.gov
Ron.Gird@noaa.gov
(...)

I. VULNERABILITY
-------------------------
#Title: NOAA.gov suffers from Cross Site Scripting / CSRF / Clickjacking X-frame and Slow response time Vulnerabilities
#Vendor: http://www.noaa.gov/
#Author: Juan Carlos García (@secnight)
#Follow me: http://asap-sec.com  Twitter: @secnight

II. DESCRIPTION
-------------------------
NOAA is an agency that enriches life through science. Our reach goes from the surface of the sun to the depths of the ocean floor as we work to keep citizens informed of the changing environment around them. From daily weather forecasts, severe storm warnings and climate monitoring to fisheries management, coastal restoration and supporting marine commerce, NOAA’s products and services support economic vitality and affect more than one-third of America’s gross domestic product. NOAA’s dedicated scientists use cutting-edge research and high-tech instrumentation to provide citizens, planners, emergency managers and other decision makers with reliable information they need when they need it. NOAA's roots date back to 1807, when the Nation’s first scientific agency, the Survey of the Coast, was established. Since then, NOAA has evolved to meet the needs of a changing country. NOAA maintains a presence in every state and has emerged as an international leader on scientific and environmental matters.
NOAA’s mission touches the lives of every American and we are proud of our role in protecting life and property and conserving and protecting natural resources. I hope you will explore NOAA and how our products and services can enrich your own life.

KNOWLEDGE BASE
**************

List of file extensions
-----------------------
Description
--------------------
File extensions can provide information on what technologies are being used on this website.

List of file extensions detected:

html => 392 file(s)
css  => 36 file(s)
js   => 37 file(s)
php  => 8 file(s)
swf  => 20 file(s)
htm  => 2 file(s)
txt  => 1 file(s)
dwt  => 4 file(s)
f4v  => 6 file(s)
flv  => 3 file(s)
pptx => 1 file(s)
xls  => 22 file(s)
xlsx => 1 file(s)
xml  => 8 file(s)

Top 10 response times
------------------
Description
------------
The files listed below had the slowest response times measured during the crawling process. The average response time for this site was 121.61 ms. These files could be targeted in denial of service attacks.
------------------------------------------------------

1. /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls, response time 4524 ms

GET /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls HTTP/1.1
Pragma: no-cache
Referer: http://www.noaa.gov/sciencemissions/bpoilspill.html
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.noaa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

2. /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls, response time 4181 ms

GET /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls HTTP/1.1
Pragma: no-cache
Referer: http://www.noaa.gov/sciencemissions/bpoilspill.html
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.noaa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

3. /video/administrator/seattle/message_seattle_20090528.swf, response time 718 ms

GET /video/administrator/seattle/message_seattle_20090528.swf HTTP/1.1
Pragma: no-cache
Referer: http://www.noaa.gov/video/administrator/seattle/index.html
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.noaa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

4. /video/administrator/acidification/lubchenco_acidification_20100319.swf, response time 608 ms

GET /video/administrator/acidification/lubchenco_acidification_20100319.swf HTTP/1.1

5. /video/administrator/northeast/message_northeast_20090407.swf, response time 593 ms

6. /video/administrator/restoration/message_restoration_20090702.swf, response time 593 ms

List of client scripts
---------------------
Description
----------------
These files contain JavaScript code referenced from the website.
/
/wallpaper/scripts/jquery.min.js
/wallpaper/scripts/jquery.fancybox.js
/slider/source/coin-slider.min.js
/explore.js
/loadEvents.js
/includes/exit.js
/includes/jquery-1.4.2.min.js
/includes/content.js
/includes/jquery.zrssfeed.min.js
/includes/swfobject.js
/scripts/AC_RunActiveContent.js
/scripts/jquery-1.6.1.js
/scripts/jquery.jcountdown.js
/scripts/federated-analytics.js
/scripts/swissarmy.js
/media/exhibits/gallery/gallery_1/gfeedfetcher.js
/media/exhibits/gallery/gallery_3/gfeedfetcher.js
/media/exhibits/gallery/gallery_2/gfeedfetcher.js
/media/exhibits/gallery/gallery_4/gfeedfetcher.js
/media/exhibits/gfeedfetcher.js
/earthday/scripts/lib/raphael.js
/earthday/scripts/jquery.min.js
/earthday/scripts/color.jquery.js
/earthday/scripts/us-map.js
/earthday/scripts/bg_animation.js
/earthday/scripts/jquery.slides_rotation.js
/earthday/scripts/jquery.slides_stories.js
/earthday/scripts/jquery.fancybox.js
/earthday/scripts/jwplayer.js
/earthday/scripts/jquery.slides.js
/deepwaterhorizon/video/video_clips/includes/swfobject_modified.js
/deepwaterhorizon/video/oceanservice/js/jquery.js
/deepwaterhorizon/video/oceanservice/js/jquery.hoverintent.minified.js
/deepwaterhorizon/video/oceanservice/js/jquery.bgiframe.min.js
/deepwaterhorizon/video/oceanservice/js/superfish.js
/deepwaterhorizon/video/oceanservice/js/jquery.galleriffic.js
/deepwaterhorizon/video/oceanservice/js/jquery.history.js
/deepwaterhorizon/video/oceanservice/js/jquery.opacityrollover.js
/deepwaterhorizon/video/oceanservice/foresee/foresee-trigger.js
/deepwaterhorizon/video/search.usa.gov/javascripts/jquery/jquery.autocomplete.min.js
/deepwaterhorizon/video/search.usa.gov/javascripts/sayt.js
/deepwaterhorizon/video/cetrk.com/pages/scripts/0008/1868.js
/deepwaterhorizon/scripts/rssdisplayer.js
/deepwaterhorizon/scripts/AC_RunActiveContent.js
/deepwaterhorizon/scripts/fadeslideshow.js
/heat/scripts/flowplayer-3.2.6.min.js

List of files with inputs
-------------------------
Description
-------------
These files have at least one input (GET or POST).

/ - 71 inputs
/earthday/includes/video.php - 1 inputs
/deepwaterhorizon - 1 inputs
/deepwaterhorizon/video/oceanservice/deepwaterhorizon/oceanservice.noaa.gov/cgi-bin/redirout.cgi - 1 inputs
/deepwaterhorizon/index.html - 1 inputs
/deepwaterhorizon/news - 1 inputs
/deepwaterhorizon/news/index.html - 1 inputs
/deepwaterhorizon/news/trans_index.html - 5 inputs
/deepwaterhorizon/maps/traj_maps.html - 23 inputs
/deepwaterhorizon/maps/dissolved_maps.html - 2 inputs
/deepwaterhorizon/maps/fishclose_maps.html - 6 inputs
/deepwaterhorizon/maps/nautical_charts.html - 5 inputs
/deepwaterhorizon/wildlife - 2 inputs
/deepwaterhorizon/wildlife/index.html - 2 inputs
/exit.html - 1 inputs
/redirect.php - 1 inputs

List of external hosts
----------------------
Description
-------------
These hosts were linked from this website.
List of email addresses
------------------------
Description
------------------
List of all email addresses found on this host.

Barry.Reichenbaugh@noaa.gov
Bill.Zahner@noaa.gov
David.P.Miller@noaa.gov
john.sokich@noaa.gov
Leesha.Saunders@noaa.gov
Les.Adams@noaa.gov
NOAA.Recovery@noaa.gov
nos.web@noaa.gov
OLE.ComplaintHotline@noaa.gov
Paul.Taylor@noaa.gov
Penaltypolicy@noaa.gov
Ron.Gird@noaa.gov
webmaster@noaa.gov

III. PROOF OF CONCEPT
-------------------------

Cross site scripting
---------------------
/earthday/includes/video.php
  affected parameters: img, vid

jQuery Cross Site Scripting
----------------------------
/deepwaterhorizon/video/oceanservice/js/jquery.js
/includes/jquery-1.4.2.min.js
/scripts/jquery-1.6.1.js

HTML form without CSRF protection
----------------------------------
/deepwaterhorizon
/deepwaterhorizon/maps/dissolved_maps.html
/deepwaterhorizon/maps/fishclose_maps.html
/deepwaterhorizon/maps/nautical_charts.html
/deepwaterhorizon/maps/traj_maps.html
/deepwaterhorizon/news/trans_index.html
/deepwaterhorizon/wildlife/index.html

Clickjacking: X-Frame-Options header missing
--------------------------------------------

Web Server: OPTIONS method is enabled
---------------------------

Web Server: Possible sensitive files
------------------------
/test.html

Cross site scripting
*********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

Attack details
---------------
URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_903287"():;997910
The input is reflected inside