Cross-site Scripting (XSS) Vulnerability in NASA through User Agent - Binit Ghimire As of October 19, 2019, there exists a Reflected Cross-site Scripting (XSS) vulnerability in a sub-domain of the official NASA website as a result of the User Agent HTTP request header getting displayed in the webpage. The vulnerability was discovered on October 11, 2019 and a video was uploaded to YouTube regarding the reproduction of the vulnerability. Vulnerable URLs: 1. https://nodis3.gsfc.nasa.gov/search_ft.cfm 2. https://nodis3.gsfc.nasa.gov/suggestions_action.cfm Proof-of-Concept (PoC) Video: https://youtu.be/O-KtSUUqnzM How to Reproduce? Step 1: Visit https://nodis3.gsfc.nasa.gov/search_ft.cfm Here, you will be able to see that it displays your User-Agent in the form of "Your browser is {User-Agent}". In my case, it displays "Your browser is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0". Step 2: Then, open your browser's Developer Tools, and add a custom User Agent string containing the following XSS payload: <svg/onload=alert(document.domain)> You can also modify the value of User Agent by intercepting the GET request sent to the server while visiting https://nodis3.gsfc.nasa.gov/search_ft.cfm and then forwarding the request. I have explained about this in the Proof-of-Concept (PoC) video along with this vulnerability report. Step 3: Now, visit the webpage with the modified User Agent value, and you will be able to see the XSS payload in the User Agent getting executed. Author Details: Name: Binit Ghimire Profile: https://packetstormsecurity.com/user/binit/ Webpage: https://binitghimire.com.np Twitter: @WHOISbinit (https://twitter.com/WHOISbinit) Facebook Page: https://www.facebook.com/TheBinitGhimure Facebook Profile: https://www.facebook.com/InternetHeroBINIT GitHub: https://github.com/TheBinitGhimure LinkedIn: https://www.linkedin.com/in/thebinitghimire/