Tuesday, March 2, 2010

XSS and the NASA (NA_XSS_A?)

I was on http://winds.jpl.nasa.gov/imagesAnim/quikscat.cfm when I found this:


OMG! NASA? Yep... Even when you assume security is a must at sites like NASA, there are (some) insecurities! As you can see, Image was not sanitized (as it should have been! :)
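The defect described above is the classic reflected-XSS pattern: a request value (here the Image value) is copied into the page's HTML without validation or encoding. The following is an added example in Python, not NASA's ColdFusion code and not part of the original post; the `/images/` path, the allowlist regex and the helper names are assumptions. It shows the unsafe rendering next to a hardened version (allowlist validation plus HTML attribute encoding) and a small check a tester or developer can use to tell whether a value was reflected unencoded.

```python
import html
import re

# Assumed naming scheme for legitimate image files: letters, digits, dot,
# underscore and dash only. Anything else is rejected before rendering.
ALLOWED_IMAGE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def render_unsafe(image: str) -> str:
    """Vulnerable pattern: the untrusted value is concatenated straight into markup.

    A value containing a quote or angle bracket breaks out of the attribute
    and is interpreted as HTML by the browser.
    """
    return '<img src="/images/' + image + '" alt="' + image + '">'


def render_safe(image: str) -> str:
    """Hardened pattern: allowlist-validate, then HTML-encode for the attribute context.

    Validation stops unexpected characters at the boundary; encoding is kept
    as a second layer so the output is safe even if the allowlist is relaxed.
    """
    if not ALLOWED_IMAGE.fullmatch(image):
        raise ValueError("rejected image name")
    enc = html.escape(image, quote=True)
    return '<img src="/images/' + enc + '" alt="' + enc + '">'


def reflects_unencoded(param: str, body: str) -> bool:
    """Return True if a parameter containing markup characters appears verbatim
    in the response body, i.e. it was reflected without encoding.

    Useful as a quick regression check in a test suite: feed a harmless value
    with a quote and angle bracket and assert this returns False.
    """
    has_markup_chars = any(c in param for c in '<>"\'')
    return has_markup_chars and param in body


if __name__ == "__main__":
    # Constructed probe value (harmless): contains a quote and angle brackets.
    probe = 'a"><i>t</i>'
    print("unsafe reflects raw:", reflects_unencoded(probe, render_unsafe(probe)))
    try:
        render_safe(probe)
    except ValueError as exc:
        print("safe rejected probe:", exc)
    print(render_safe("quikscat.gif"))
```

The allowlist does the real work here; the encoding step is deliberately redundant so that the output stays correct even if someone later widens the regex.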

I did some more tests on another NASA site (http://sbir.gsfc.nasa.gov):

We can list some directories:

And we can see another XSS vulnerability:

OK, no more fun with NASA.

Why am I posting this? I'm sure people at NASA already know about it... Now I will google a bit before posting. Yep! I've found http://hackingethics.wordpress.com/2010/02/15/xss-in-nasa-and-sql-injection-in-pentagon/ (and other links)

Well, it seems I can post this... Does anyone want to look for vulnerabilities at the Pentagon? Spare time? Where are you when I need you?