Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program
Unable to reproduce as reported
This summary outlines the discovery and mitigation of DOM-Based Cross-Site Scripting (XSS) vulnerabilities within the NASA web application.
DOM-Based Cross-Site Scripting
DOM-Based XSS is a type of web security vulnerability in which the Document Object Model (DOM) of a web page is manipulated to inject and execute malicious JavaScript in the victim's browser. Unlike stored or reflected XSS, the malicious payload is never stored on or reflected by the server; it is handled entirely on the client side (in the browser) by the page's own JavaScript.
Business Impact
Stealing cookies and session tokens: Attackers can steal the victim's login credentials, hijack their sessions, and access their accounts.
Modifying web pages: Attackers can alter the content of the page to display misleading information or redirect the user to malicious sites.
Launching further attacks: Attackers can use the stolen information or compromised session to launch further attacks like phishing or malware distribution.
Steps to Reproduce
Open the URL in your browser (https://www.globe.gov/globe-data/science-honor-roll/honor-roll-recognition)
Click on 'Open Advanced Filter' option.
Enter the payload in the 'School' field: <script>alert('XSS')</script>.
You will now receive a pop-up alert.
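To illustrate the client-side sink described in the summary and the 'School' filter field from the steps above, here is an added example (not code from the NASA/GLOBE site or from this report): a hypothetical filter widget that echoes the school value into the page, shown in its DOM-XSS-prone form beside a hardened form. The function names, the query-parameter name and the example URL are assumptions.

```javascript
// Hypothetical DOM XSS source: the filter value arrives in the page URL's
// query string and is read by client-side script, never touching the server.
function readSchoolParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('school') || '';
}

// Vulnerable pattern: untrusted input is concatenated straight into markup.
// When a page assigns this string to element.innerHTML, the browser parses
// any tags inside it, so a <script> or event-handler payload executes.
function buildResultsHtmlUnsafe(school) {
  return '<p>Showing honor roll results for school: ' + school + '</p>';
}

// Encode the five characters that let text break out of an HTML text node
// or attribute value, so the input is rendered literally instead of parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: identical markup, but the untrusted value is encoded
// first. In a real page the stronger fix is to avoid innerHTML altogether and
// assign element.textContent = school, which never invokes the HTML parser.
function buildResultsHtmlSafe(school) {
  return '<p>Showing honor roll results for school: ' + escapeHtml(school) + '</p>';
}

// Constructed sample URL carrying the report's own test string (URL-encoded).
const SAMPLE_URL =
  "https://example.test/honor-roll?school=%3Cscript%3Ealert('XSS')%3C/script%3E";

// Render the sample input both ways so the difference is visible side by side.
function demo() {
  const school = readSchoolParam(SAMPLE_URL);
  return {
    unsafe: buildResultsHtmlUnsafe(school), // raw <script> tag survives
    safe: buildResultsHtmlSafe(school),     // tag is neutralised as &lt;script&gt;
  };
}
```

Running demo() shows the same input producing live markup in the unsafe branch and inert text in the safe one; any place where a URL, hash or form value reaches innerHTML, document.write or similar is the spot to review.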