Summary by Uma_Maheshwar_Ayyala
DOM-Based Reflected Cross-Site Scripting (XSS) Vulnerability on NASA Subdomain
During routine reconnaissance and testing, I identified a DOM-based reflected XSS vulnerability on NASA’s SEWP Provider Lookup Tool. The application reflected user-supplied input into the DOM without adequate sanitization or output encoding, so a crafted value was interpreted as markup rather than text. This allowed execution of arbitrary JavaScript in the browser in the context of the NASA domain.
Successful exploitation could enable session hijacking, data exfiltration, or UI redress attacks. Although classified as an informational issue, this finding illustrates how even lower-risk vulnerabilities can pose reputational or user trust risks when discovered on publicly accessible government web applications.
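The defect class described above, shown as an added example that is not the SEWP tool's own code: a lookup page echoes a query parameter into an HTML sink, first without and then with output encoding. The parameter name `provider` and the message wording are assumptions for illustration.

```javascript
// Added example, not code from the NASA SEWP Provider Lookup Tool.
// Assumption: the page reads a "provider" parameter from location.search and
// shows a "no results" message that includes it.

// Vulnerable pattern: the raw parameter is concatenated straight into markup
// that is later assigned to an innerHTML sink, so any markup in the value
// is parsed and rendered by the browser.
function buildLookupMessageUnsafe(search) {
  const provider = new URLSearchParams(search).get("provider") || "";
  return `<p>No provider found for <strong>${provider}</strong></p>`;
}

// Minimal HTML entity encoder for the text-node context. In production,
// prefer the textContent setter or a vetted sanitizer over a hand-rolled encoder.
function encodeForHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every character of user-controlled input is encoded
// before it reaches the HTML sink, so the browser renders it as literal text.
function buildLookupMessage(search) {
  const provider = new URLSearchParams(search).get("provider") || "";
  return `<p>No provider found for <strong>${encodeForHtml(provider)}</strong></p>`;
}

// Rendering helper for a real page; only the encoded form should ever be used.
function renderLookupMessage(el, search) {
  el.innerHTML = buildLookupMessage(search);
}

// Constructed sample input containing markup characters, for a self-check.
const sampleSearch = "?provider=" + encodeURIComponent('<b>Acme</b> & "Sons"');
console.log(buildLookupMessageUnsafe(sampleSearch)); // markup survives intact
console.log(buildLookupMessage(sampleSearch));       // markup rendered as entities
```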