I was on http://winds.jpl.nasa.gov/imagesAnim/quikscat.cfm when I found this:
http://winds.jpl.nasa.gov/imagesAnim/images.cfm?pageName=ImagesAnim&subPageName=QuikSCAT&Image=QS_S1B28865%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E
OMG! NASA? Yep... Even when you assume security is a must @ sites like NASA, there are (some) insecurities! As you can see Image was not sanitized (as it should have been! :)
I did some more tests on another NASA site (http://sbir.gsfc.nasa.gov):
We can list some directories:
http://sbir.gsfc.nasa.gov/sbirweb/search/
And we can see another XSS vulnerability:
http://sbir.gsfc.nasa.gov/sbirweb/search/searchResults.jsp?st=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E
ok, there is no more fun with NASA.
Why I'm posting this? I'm sure people at NASA already know it... Now I will googe a bit b4 posting. Yep! I've found http://hackingethics.wordpress.com/2010/02/15/xss-in-nasa-and-sql-injection-in-pentagon/ (and other links)
well, It seems I can post this... Someone wants to look for vulnerabilities at Pentagon? Spare time? Where are You when I need You?
Tuesday, March 2, 2010
Subscribe to:
Posts (Atom)