Share
Cross-site Scripting (XSS) Vulnerability in NASA through User Agent - Binit Ghimire  
  
As of October 19, 2019, there exists a Reflected Cross-site Scripting (XSS) vulnerability in a sub-domain of the official NASA website as a result of the User Agent HTTP request header getting displayed in the webpage. The vulnerability was discovered on October 11, 2019 and a video was uploaded to YouTube regarding the reproduction of the vulnerability.  
  
Vulnerable URLs:  
1. https://nodis3.gsfc.nasa.gov/search_ft.cfm  
2. https://nodis3.gsfc.nasa.gov/suggestions_action.cfm  
  
Proof-of-Concept (PoC) Video: https://youtu.be/O-KtSUUqnzM  
  
How to Reproduce?  
Step 1: Visit https://nodis3.gsfc.nasa.gov/search_ft.cfm  
Here, you will be able to see that it displays your User-Agent in the form of "Your browser is {User-Agent}". In my case, it displays "Your browser is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0".  
  
Step 2: Then, open your browser's Developer Tools, and add a custom User Agent string containing the following XSS payload:  
<svg/onload=alert(document.domain)>  
  
You can also modify the value of User Agent by intercepting the GET request sent to the server while visiting https://nodis3.gsfc.nasa.gov/search_ft.cfm and then forwarding the request.  
  
I have explained about this in the Proof-of-Concept (PoC) video along with this vulnerability report.  
  
Step 3: Now, visit the webpage with the modified User Agent value, and you will be able to see the XSS payload in the User Agent getting executed.  
  
Author Details:  
Name: Binit Ghimire  
Profile: https://packetstormsecurity.com/user/binit/  
Webpage: https://binitghimire.com.np  
Twitter: @WHOISbinit (https://twitter.com/WHOISbinit)  
Facebook Page: https://www.facebook.com/TheBinitGhimure  
Facebook Profile: https://www.facebook.com/InternetHeroBINIT  
GitHub: https://github.com/TheBinitGhimure  
LinkedIn: https://www.linkedin.com/in/thebinitghimire/