NOAA.gov XSS / CSRF / Clickjacking X-frame / DDOS (Slow response time)
===================================================================
TIME-LINE VULNERABILITY
Multiples Advisories but Not Response
<webmaster@noaa.gov>
Barry.Reichenbaugh@noaa.gov
Bill.Zahner@noaa.gov
David.P.Miller@noaa.gov
john.sokich@noaa.gov
Leesha.Saunders@noaa.gov
Les.Adams@noaa.gov
NOAA.Recovery@noaa.gov
nos.web@noaa.gov
OLE.ComplaintHotline@noaa.gov
Paul.Taylor@noaa.gov
Penaltypolicy@noaa.gov
Ron.Gird@noaa.gov
(...)
I. VULNERABILITY
-------------------------
#Title: NOAA.gov suffers from Cross Site Scripting / CSRF / Clickjacking X-frame and Slow response time Vulnerabilities
#Vendor:http://www.noaa.gov/
#Author:Juan Carlos García (@secnight)
#Follow US @habemuscurso
@secnight
II. DESCRIPTION
-------------------------
NOAA is an agency that enriches life through science. Our reach goes from the surface of the sun to the
depths of the ocean floor as we work to keep citizens informed of the changing environment around them.
>From daily weather forecasts, severe storm warnings and climate monitoring to fisheries management,
coastal restoration and supporting marine commerce, NOAA’s products and services support economic vitality
and affect more than one-third of America’s gross domestic product. NOAA’s dedicated scientists use cutting-edge
research and high-tech instrumentation to provide citizens, planners, emergency managers and other decision makers
with reliable information they need when they need it.
NOAA's roots date back to 1807, when the Nation’s first scientific agency, the Survey of the Coast, was established.
Since then, NOAA has evolved to meet the needs of a changing country. NOAA maintains a presence in every state and has
emerged as an international leader on scientific and environmental matters.
NOAA’s mission touches the lives of every American and we are proud of our role in protecting life
and property and conserving and protecting natural resources. I hope you will explore NOAA and how our
products and services can enrich your own life.
KNOWLEDGE BASE
**************
List of file extensions
-----------------------
Description
--------------------
File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:
html => 392 file(s)
css => 36 file(s)
js => 37 file(s)
php => 8 file(s)
swf => 20 file(s)
htm => 2 file(s)
txt => 1 file(s)
dwt => 4 file(s)
f4v => 6 file(s)
flv => 3 file(s)
pptx => 1 file(s)
xls => 22 file(s)
xlsx => 1 file(s)
xml => 8 file(s)
Top 10 response times
------------------
Description
------------
The files listed bellow had the slowest response times measured during the crawling process.
The average response time for this site was 121.61 ms.
These files could be targetted in denial of service attacks.
------------------------------------------------------
1. /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls, response time 4524 ms
GET /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls HTTP/1.1
Pragma: no-cache
Referer: http://www.noaa.gov/sciencemissions/bpoilspill.html
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.noaa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
2. /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls, response time 4181 ms
GET /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls HTTP/1.1
Pragma: no-cache
Referer: http://www.noaa.gov/sciencemissions/bpoilspill.html
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.noaa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
3. /video/administrator/seattle/message_seattle_20090528.swf, response time 718 ms
GET /video/administrator/seattle/message_seattle_20090528.swf HTTP/1.1
Pragma: no-cache
Referer: http://www.noaa.gov/video/administrator/seattle/index.html
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.noaa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
4. /video/administrator/acidification/lubchenco_acidification_20100319.swf, response time 608 ms
GET /video/administrator/acidification/lubchenco_acidification_20100319.swf HTTP/1.1
5. /video/administrator/northeast/message_northeast_20090407.swf, response time 593 ms
6. /video/administrator/restoration/message_restoration_20090702.swf, response time 593 ms
List of client scripts
---------------------
Description
----------------
These files contain Javascript code referenced from the website.
/
/wallpaper/scripts/jquery.min.js
/wallpaper/scripts/jquery.fancybox.js
/slider/source/coin-slider.min.js
/explore.js
/loadEvents.js
/includes/exit.js
/includes/jquery-1.4.2.min.js
/includes/content.js
/includes/jquery.zrssfeed.min.js
/includes/swfobject.js
/scripts/AC_RunActiveContent.js
/scripts/jquery-1.6.1.js
/scripts/jquery.jcountdown.js
/scripts/federated-analytics.js
/scripts/swissarmy.js
/media/exhibits/gallery/gallery_1/gfeedfetcher.js
/media/exhibits/gallery/gallery_3/gfeedfetcher.js
/media/exhibits/gallery/gallery_2/gfeedfetcher.js
/media/exhibits/gallery/gallery_4/gfeedfetcher.js
/media/exhibits/gfeedfetcher.js
/earthday/scripts/lib/raphael.js
/earthday/scripts/jquery.min.js
/earthday/scripts/color.jquery.js
/earthday/scripts/us-map.js
/earthday/scripts/bg_animation.js
/earthday/scripts/jquery.slides_rotation.js
/earthday/scripts/jquery.slides_stories.js
/earthday/scripts/jquery.fancybox.js
/earthday/scripts/jwplayer.js
/earthday/scripts/jquery.slides.js
/deepwaterhorizon/video/video_clips/includes/swfobject_modified.js
/deepwaterhorizon/video/oceanservice/js/jquery.js
/deepwaterhorizon/video/oceanservice/js/jquery.hoverintent.minified.js
/deepwaterhorizon/video/oceanservice/js/jquery.bgiframe.min.js
/deepwaterhorizon/video/oceanservice/js/superfish.js
/deepwaterhorizon/video/oceanservice/js/jquery.galleriffic.js
/deepwaterhorizon/video/oceanservice/js/jquery.history.js
/deepwaterhorizon/video/oceanservice/js/jquery.opacityrollover.js
/deepwaterhorizon/video/oceanservice/foresee/foresee-trigger.js
/deepwaterhorizon/video/search.usa.gov/javascripts/jquery/jquery.autocomplete.min.js
/deepwaterhorizon/video/search.usa.gov/javascripts/sayt.js
/deepwaterhorizon/video/cetrk.com/pages/scripts/0008/1868.js
/deepwaterhorizon/scripts/rssdisplayer.js
/deepwaterhorizon/scripts/AC_RunActiveContent.js
/deepwaterhorizon/scripts/fadeslideshow.js
/heat/scripts/flowplayer-3.2.6.min.js
List of files with inputs
-------------------------
Description
-------------
These files have at least one input (GET or POST).
/ - 71 inputs
/earthday/includes/video.php - 1 inputs
/deepwaterhorizon - 1 inputs
/deepwaterhorizon/video/oceanservice/deepwaterhorizon/oceanservice.noaa.gov/cgi-bin/redirout.cgi - 1 inputs
/deepwaterhorizon/index.html - 1 inputs
/deepwaterhorizon/news - 1 inputs
/deepwaterhorizon/news/index.html - 1 inputs
/deepwaterhorizon/news/trans_index.html - 5 inputs
/deepwaterhorizon/maps/traj_maps.html - 23 inputs
/deepwaterhorizon/maps/dissolved_maps.html - 2 inputs
/deepwaterhorizon/maps/fishclose_maps.html - 6 inputs
/deepwaterhorizon/maps/nautical_charts.html - 5 inputs
/deepwaterhorizon/wildlife - 2 inputs
/deepwaterhorizon/wildlife/index.html - 2 inputs
/exit.html - 1 inputs
/redirect.php - 1 inputs
List of external hosts
----------------------
Description
-------------
These hosts were linked from this website.
search.usa.gov
forecast.weather.gov
www.usa.gov
www.ready.gov
www.climate.gov
www.weather.gov
nsd.rdc.noaa.gov
www.commerce.gov
www.youtube.com
www.usda.gov
www.homelandsecurity.noaa.gov
www.ncdc.noaa.gov
twitter.com
www.facebook.com
www.instagram.com
www.rss.noaa.gov
www.legislative.noaa.gov
www.corporateservices.noaa.gov
www.nws.noaa.gov
www.pmel.noaa.gov
www.cio.noaa.gov
www.noaanews.noaa.gov
oceanservice.noaa.gov
s7.addthis.com
weather.gov
sec.noaa.gov
www.spc.noaa.gov
www.ncep.noaa.gov
www.hurricanes.gov
www.careers.noaa.gov
www.nesdis.noaa.gov
www.research.noaa.gov
adds.aviationweather.gov
www.spaceweather.noaa.gov
www.noaawatch.gov
www.history.noaa.gov
usasearch.gov
www.volunteer.noaa.gov
www.ofa.noaa.gov
www.publicaffairs.noaa.gov
www.pco.noaa.gov
www.wfm.noaa.gov
www.nauticalcharts.noaa.gov
www.ppi.noaa.gov
www.nmfs.noaa.gov
www.omao.noaa.gov
www.economics.noaa.gov
www.oceanservice.noaa.gov
www.osec.doc.gov
ocio.os.doc.gov
mobile.weather.gov
m.ocean.noaa.gov
www.nhc.noaa.gov
tsunami.csc.noaa.gov
buoybay.noaa.gov
market.android.com
www.opc.ncep.noaa.gov
mobile.tidesandcurrents.noaa.gov
www.wrh.noaa.gov
itunes.apple.com
www.nnvl.noaa.gov
www.education.noaa.gov
code.jquery.com
usgeo.gov
ioos.noaa.gov
www.earthobservations.org
www.geonetcastamericas.noaa.gov
www.epa.gov
www.coris.noaa.gov
nerrs.noaa.gov
www.ndc.noaa.gov
www.nurp.noaa.gov
www.oesd.noaa.gov
www.ndbc.noaa.gov
www.nodc.noaa.gov
coralreef.noaa.gov
hawaiireef.noaa.gov
www.seagrant.noaa.gov
www.coralreef.noaa.gov
oceanexplorer.noaa.gov
response.restoration.noaa.gov
sanctuaries.noaa.gov
tidesandcurrents.noaa.gov
mpa.gov
www.csc.noaa.gov
nowcoast.noaa.gov
www.nerrs.noaa.gov
stateofthecoast.noaa.gov
coastalscience.noaa.gov
ngs.woc.noaa.gov
maps.csc.noaa.gov
coastalmanagement.noaa.gov
www.coastalmanagement.noaa.gov
tidesonline.noaa.gov
nauticalcharts.noaa.gov
glakesonline.nos.noaa.gov
geodesy.noaa.gov
celebrating200years.noaa.gov
www.oar.noaa.gov
www.lib.noaa.gov
www.swpc.noaa.gov
www.nwr.noaa.gov
www.esrl.noaa.gov
www.fakr.noaa.gov
swr.nmfs.noaa.gov
sero.nmfs.noaa.gov
www.fpir.noaa.gov
www.cpc.ncep.noaa.gov
www.oceanexplorer.noaa.gov
www.nero.noaa.gov
www.cpo.noaa.gov
www.ngdc.noaa.gov
www.gfdl.noaa.gov
www.aoml.noaa.gov
www.climate.noaa.gov
www.drought.gov
drought.gov
www.st.nmfs.noaa.gov
cpo.noaa.gov
oar.noaa.gov
uas.noaa.gov
www.arl.noaa.gov
www.nrc.noaa.gov
explore.noaa.gov
www.nssl.noaa.gov
www.glerl.noaa.gov
lci.hq.oar.noaa.gov
research.noaa.gov
www.oceanacidification.noaa.gov
www.flickr.com
aquaculture.noaa.gov
pnt.gov
www.osei.noaa.gov
www.goes.noaa.gov
www.sec.noaa.gov
coastwatch.noaa.gov
www.sarsat.noaa.gov
www.oso.noaa.gov
www.ssd.noaa.gov
www.licensing.noaa.gov
noaasis.noaa.gov
coralreefwatch.noaa.gov
www.osdpd.noaa.gov
www.podcast.noaa.gov
www.justice.gov
alaskafisheries.noaa.gov
www.fisheries.noaa.gov
www.alaskafisheries.noaa.gov
researchmatters.noaa.gov
www.ofcm.gov
www.gc.noaa.gov
www.dco.noaa.gov
www.ago.noaa.gov
www.international.noaa.gov
techpartnerships.noaa.gov
1.usa.gov
youtu.be
www.wildlifeadaptationstrategy.gov
oceantoday.noaa.gov
monitor.noaa.gov
www.habitat.noaa.gov
www.climatewatch.noaa.gov
nrc.oarhq.noaa.gov
noaaoceanscience.wordpress.com
addthis.com
www.foia.gov
www.twitter.com
www.google.com
www.addthis.com
support.google.com
info.yahoo.com
www.whitehouse.gov
www.usna.usda.gov
instagram.com
www.aviationweather.gov
ptwc.weather.gov
cell.weather.gov
nrc.noaa.gov
americasclimatechoices.org
www.gpo.gov
globalchange.gov
www.federalregister.gov
www.napawash.org
beta.w1.noaanews.noaa.gov
www.gulfspillrestoration.noaa.gov
www.restorethegulf.gov
www.eeweek.org
nctr.pmel.noaa.gov
nnvl.noaa.gov
www.arctic.noaa.gov
preserveamerica.noaa.gov
ocean.si.edu
www.nasa.gov
bit.ly
go.usa.gov
storms.ngs.noaa.gov
droughtmonitor.unl.edu
marinedebris.noaa.gov
estuaries.noaa.gov
www.nefsc.noaa.gov
www.fishwatch.gov
swfsc.noaa.gov
www.norman.noaa.gov
missionlog.noaa.gov
www.bt.cdc.gov
www.osha.gov
www.pacsci.org
www.sciencedirect.com
www.spaceneedle.com
pmel.noaa.gov
books.nap.edu
www.ostp.gov
www.sab.noaa.gov
www.nap.edu
corporate.cq.com
www.pnas.org
frwebgate.access.gpo.gov
commerce.senate.gov
www.oig.doc.gov
projects.ecr.gov
www.iyor.org
www.iyorcreative.com
stellwagen.noaa.gov
safeboating.erh.noaa.gov
usinfo.state.gov
www.ngs.noaa.gov
www.tidesandcurrents.noaa.gov
www.cop.noaa.gov
www.whoi.edu
images.google.com
www.anstaskforce.gov
www.seagrant.umn.edu
www.nps.gov
www.buoybay.org
chesapeakebay.noaa.gov
www.cdc.noaa.gov
floridakeys.noaa.gov
sarsat.noaa.gov
www.beaconregistration.noaa.gov.
www.cmts.gov
www.salmonsafe.org
www.fishfriendlyfarming.org
www.moc.noaa.gov
www.ccfhr.noaa.gov
www.sanctuaries.noaa.gov
www.FishWatch.noaa.gov
www.aquaculture.noaa.gov
cecf1.unh.edu
www.tsunami.noaa.gov
www.ripcurrents.noaa.gov
www.lightningsafety.noaa.gov
www.mpa.gov
co-ops.nos.noaa.gov
tidesonline.nos.noaa.gov
www.erh.noaa.gov
www.co-ops.nos.noaa.gov
www.argo.ucsd.edu
www.gcrmn.org
www.gefcoral.org
coralreefwatch-satops.noaa.gov
secondlife.com
www.scilands.org
www.natice.noaa.gov
cimas.rsmas.miami.edu
www.stormready.noaa.gov
www.chbr.noaa.gov
tadd.weather.gov
www.bestpub.com
www.ntis.gov
ccma.nos.noaa.gov
tsunami.gov
www.prh.noaa.gov
www.tsunamiready.noaa.gov
wcatwc.arh.noaa.gov
nthmp.tsunami.gov
www.sdr.gov
www.extension.washington.edu
www.bu.edu
www.smast.umassd.edu
www.tuna-org.org
www.alfafish.org
www.alaskansown.com
www.atamerica.or.id
statedept.connectsolutions.com
www.uas.alaska.edu
www.americorps.gov
www.adfg.alaska.gov
www.afsc.noaa.gov
www.britannica.com
rtc.sfsu.edu
www.sitkasoundsciencecenter.org
www.serc.si.edu
www.invasivespeciesinfo.gov
sites.google.com
sea-mdi.engr.uga.edu
www.marinedebris.engr.uga.edu
esrl.noaa.gov
cires.colorado.edu
onlinelibrary.wiley.com
carteretcatch.org
www.walking-fish.org
www.beaconregistration.noaa.gov
ajax.googleapis.com
www.nswp.gov
www.metoffice.gov.uk
www.safeboatingcouncil.org
www.esa.doc.gov
www.epp.noaa.gov
fosterscholars.noaa.gov
www.nifc.gov
www.apple.com
nsidc.org
www.aoc.noaa.gov
www.nws.gov
hmt.noaa.gov
rsbl.royalsocietypublishing.org
www.intranet.noaa.gov
ozone.unep.org
www.geosummit.org
www.jpl.nasa.gov
water.weather.gov
www.srh.noaa.gov
www.uscg.mil
pafc.arh.noaa.gov
pafg.arh.noaa.gov
paom.arh.noaa.gov
cgvi.uscg.mil
www.jpss.noaa.gov
earthobservatory.nasa.gov
www.ctia.org
www.amberalert.gov
www.fema.gov
transition.fcc.gov
www.ras.org.uk
www.solarstorms.org
helios.swpc.noaa.gov
articles.adsabs.harvard.edu
www.crh.noaa.gov
www.noaacorps.noaa.gov
www.portno.com
www.bts.gov
www.deepwaterhorizonresponse.com
www.nwfsc.noaa.gov
www.seafood.nmfs.noaa.gov
www.gsa.gov
seagrant.oregonstate.edu
extension.oregonstate.edu
geo.oregonstate.edu
oregonstate.edu
vaac.arh.noaa.gov
www.adobe.com
www.volcano.si.edu
rapidfire.sci.gsfc.nasa.gov
wisdom.noaa.gov
www.nmsfocean.org
www.thankyouocean.org
www.coastalamerica.gov
www.quiksilverfoundation.org
www.ultimatewavetahiti.com
www.kellyslaterfoundation.org
www.eol.ucar.edu
flowergarden.noaa.gov
www.stopextinction.org
www.sefsc.noaa.gov
deepwaterhorizon.noaa.gov
www.uscti.org
www.ncddc.noaa.gov
shiptracker.noaa.gov
aviationweather.gov
www.fly.faa.gov
www.weather.gov.
nationalatlas.gov
maps.nittec.org
www.sio.ucsd.edu
www.exploratorium.edu
icestories.exploratorium.edu
lwf.ncdc.noaa.gov
citizenshipblog.fedex.designcdt.com
www.sciencemag.org
www.wdcs-na.org
www.dolphinsmart.org
www.dolphinecology.org
www.floridakeys.noaa.gov
teacheratsea.noaa.gov
taterka.blogspot.com
gpsmet.noaa.gov
games.noaa.gov
www8.nos.noaa.gov
www.unep.org
ioos.gov
techserv.gso.uri.edu
ocgweb.marine.usf.edu
noaahrd.wordpress.com
www.whaletimes.org
www.ccamlr.org
www.auduboninstitute.org
www.vetmed.ufl.edu
visitor.r20.constantcontact.com
www.dolphinsafe.gov
farallones.noaa.gov
channelislands.noaa.gov
www.explore.noaa.gov
www.ua.nws.noaa.gov
coastalsmartgrowth.noaa.gov
secure.nssl.noaa.gov
www.nsf.gov
www.savesfbay.org
el.erdc.usace.army.mil
thomas.loc.gov
www.oceancommission.gov
www.darrp.noaa.gov
www.cbrestoration.noaa.gov
www.usgs.gov
pubs.usgs.gov
www.srh.weather.gov
era.noaa.gov
ciceet.unh.edu
www.nova.edu
jama.ama-assn.org
www.hsph.harvard.edu
www.usla.org
www.nwrfc.noaa.gov
www.ucar.edu
www.ncar.ucar.edu
www.floodsmart.gov
www.airquality.noaa.gov
webstunning.com
visitor.constantcontact.com
cioert.org
www.hboi.fau.edu
www.geoplatform.gov
ecowatch.ncddc.noaa.gov
cwcgom.aoml.noaa.gov
ready.arl.noaa.gov
www.oceanleadership.org
spot.nws.noaa.gov
uwf.edu
tulane.edu
www.ufl.edu
www.unh.edu
www.ucsb.edu
www.tamu.edu
www.unols.org
www.auburn.edu
www.mbari.org
www.msstate.edu
www.ceoe.udel.edu
www.ecu.edu
www.marine.usf.edu
www.marine.usm.edu
www.rsmas.miami.edu
www.esl.lsu.edu
www.apl.washington.edu
www.abdn.ac.uk
www.response.restoration.noaa.gov
rucool.marine.rutgers.edu
gulfseagrant.tamu.edu
www.crrc.unh.edu
www.hpc.ncep.noaa.gov
FBO.gov
grants.gov
www.recovery.gov
www.grants.gov
www.fbo.gov
recovery.commerce.gov
img.youtube.com
www.ioos.noaa.gov
oceanacidification.noaa.gov
www.star.nesdis.noaa.gov
www.droughtmonitor.unl.edu
www.fda.gov
beta2.w1.noaa.gov
archive.orr.noaa.gov
usa.gov
csc.noaa.gov
noaawatch.gov
www.rdc.noaa.gov
nosinternational.noaa.gov
inside.nos.noaa.gov
www.incidentnews.gov
nosdataexplorer.noaa.gov
searchstats.usa.gov
List of email addresses
------------------------
Description
------------------
List of all email addresses found on this host.
Barry.Reichenbaugh@noaa.gov
Bill.Zahner@noaa.gov
David.P.Miller@noaa.gov
john.sokich@noaa.gov
Leesha.Saunders@noaa.gov
Les.Adams@noaa.gov
NOAA.Recovery@noaa.gov
nos.web@noaa.gov
OLE.ComplaintHotline@noaa.gov
Paul.Taylor@noaa.gov
Penaltypolicy@noaa.gov
Ron.Gird@noaa.gov
webmaster@noaa.gov
III. PROOF OF CONCEPT
-------------------------
Cross site scripting
---------------------
/earthday/includes/video.php
img
vid
jQuery Cross Site Scripting
----------------------------
/deepwaterhorizon/video/oceanservice/js/jquery.js
/includes/jquery-1.4.2.min.js
/scripts/jquery-1.6.1.js
HTML form without CSRF protection
----------------------------------
/deepwaterhorizon
/deepwaterhorizon/maps/dissolved_maps.html
/deepwaterhorizon/maps/fishclose_maps.html
/deepwaterhorizon/maps/nautical_charts.html
/deepwaterhorizon/maps/traj_maps.html
/deepwaterhorizon/news/trans_index.html
/deepwaterhorizon/wildlife/index.html
Clickjacking: X-Frame-Options header missing
--------------------------------------------
Web Server
OPTIONS method is enabled
---------------------------
Web Server
Possible sensitive files
------------------------
/test.html
Cross site scripting
*********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be
trusted or not, it will execute the script in the user context allowing the attacker to access any cookies
or session tokens retained by the browser.
Attack details
---------------
URL encoded GET input img was set to
/earthday/images/sea_surface_speed.jpg?controls=1_903287"():;997910
The input is reflected inside <script> tag between double quotes
GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_903287%22%28%29%3a%3b997910&rel
=0&showinfo=0&version=3&vid=http://www.gfdl.noaa.gov/video/cm24sst.mov&vq=hd720
Variants
-------- (6)
IMG
----
Variant 1
URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_903287"():;997910
The input is reflected inside <script> tag between double quotes.
GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_903287%22%28%29%3a%3b997910&rel
=0&showinfo=0&version=3&vid=http://www.gfdl.noaa.gov/video/cm24sst.mov&vq=hd720
Variant 2
URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_917373"():;930946
The input is reflected inside <script> tag between double quotes
GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_917373%22%28%29%3a%3b930946&rel
=0&showinfo=0&version=3&vid=http://www.noaanews.noaa.gov/stories2008/images/Coral-web.mov&vq=hd720
Variant 3
URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_905819"():;976824
The input is reflected inside <script> tag between double quotes.
GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_905819%22%28%29%3a%3b976824&rel
=0&showinfo=0&version=3&vid=/earthday/videos/US-Indonesia_ocean_exploration.mov&vq=hd720
VID
---
Variant 1
URL encoded GET input vid was set to http://www.gfdl.noaa.gov/video/cm24sst.mov_951831"():;987675
The input is reflected inside <script> tag between double quotes.
GET /earthday/includes/video.php?autoplay=0&img=/earthday/images/sea_surface_speed.jpg?controls=1&rel=0&showinfo=0&version=3&vid
=http%3a%2f%2fwww.gfdl.noaa.gov%2fvideo%2fcm24sst.mov_951831%22%28%29%3a%3b987675&vq=hd720
Variant 2
URL encoded GET input vid was set to http://www.gfdl.noaa.gov/video/cm24sst.mov_985971"():;994650
The input is reflected inside <script> tag between double quotes.
GET /earthday/includes/video.php?autoplay=0&img=/earthday/images/space_coralreef_monitoring.jpg?controls=1&rel=0&showinfo
=0&version=3&vid=http%3a%2f%2fwww.gfdl.noaa.gov%2fvideo%2fcm24sst.mov_985971%22%28%29%3a%3b994650&vq=hd720
Variant 3
URL encoded GET input vid was set to http://www.gfdl.noaa.gov/video/cm24sst.mov_928768"():;902834
The input is reflected inside <script> tag between double quotes.
GET /earthday/includes/video.php?autoplay=0&img=/earthday/images/deepsea_US-Indonesia_ocean_exploration.jpg?controls
=1&rel=0&showinfo=0&version=3&vid=http%3a%2f%2fwww.gfdl.noaa.gov%2fvideo%2fcm24sst.mov_928768%22%28%29%3a%3b902834&vq=hd720
JQuery Cross-Site Scripting
******************************
Vulnerability description
---------------------------
This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability.
Many sites are using to select elements using location.hash that allows someone to inject script into the page.
This problem was fixed in jQuery 1.6.3.
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a
user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user.
It is also possible to modify the content of the page presented to the user.
Affected items
--------------
/deepwaterhorizon/video/oceanservice/js/jquery.js
/includes/jquery-1.4.2.min.js
/scripts/jquery-1.6.1.js
Attack details
--------------
Pattern found:
/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com
GET /deepwaterhorizon/video/oceanservice/js/jquery.js
GET /includes/jquery-1.4.2.min.js
Pattern found:
/*!
* jQuery JavaScript Library v1.6.1
* http://jquery.com
GET /scripts/jquery-1.6.1.js
How to fix this vulnerability
------------------------------
Update to the latest version of jQuery
Clickjacking: X-Frame-Options header missing
*********************************************
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of
tricking a Web user into clicking on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page
in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
This vulnerability affects Web Server.
HTML form without CSRF protection
********************************
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF,
is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Affected items
---------------
/deepwaterhorizon
Form name: archived_newsletters
Form action: http://www.noaa.gov/deepwaterhorizon/
Form method: POST
Form inputs:
issue_links [Select]
/deepwaterhorizon/maps/dissolved_maps.html
Form name: april_traj1
Form action: http://www.noaa.gov/deepwaterhorizon/maps/dissolved_maps.html
Form method: POST
Form inputs:
april_day1 [Select]
/deepwaterhorizon/maps/fishclose_maps.html
Form name: april_traj1
Form action: http://www.noaa.gov/deepwaterhorizon/maps/fishclose_maps.html
Form method: POST
Form inputs:
april_day1 [Select]
/deepwaterhorizon/maps/nautical_charts.html
Form name: april_nautical
Form action: http://www.noaa.gov/deepwaterhorizon/maps/nautical_charts.html
Form method: POST
Form inputs:
april_day [Select]
/deepwaterhorizon/maps/traj_maps.html
Form name: april_traj1
Form action: http://www.noaa.gov/deepwaterhorizon/maps/traj_maps.html
Form method: POST
Form inputs:
april_day1 [Select]
/deepwaterhorizon/news/trans_index.html
Form name: may_trans
Form action: http://www.noaa.gov/deepwaterhorizon/news/trans_index.html
Form method: POST
Form inputs:
may_day [Select]
/deepwaterhorizon/wildlife/index.html
Form name: may_consolidated
Form action: http://www.noaa.gov/deepwaterhorizon/wildlife/index.html
Form method: POST
Form inputs:
day_report [Select]
The impact of this vulnerability
----------------------------------
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.
How to fix this vulnerability
------------------------------
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
The impact of this vulnerability
--------------------------------
An attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operation in case of normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.
How to fix this vulnerability
------------------------------
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
Sensitive Files
****************
/climateresources/test.html
/test.html
Slow response time
*******************
This page had a slow response time. The response time for this page was
4524 ms while the average response time for this site is 121.61 ms.
This types of files can be targetted in denial of service attacks.
An attacker can request this page repeatedly from multiple computers until the server becomes overloaded.
/sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls
/sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls
IV. BUSINESS IMPACT
-------------------------
I don´t Know ... Gov.. !!
V SOLUTION
------------------------
Write Secure Code.. Ask the NSA How to !!
VI. CREDITS
-------------------------
This vulnerability has been discovered
by
Author: Juan Carlos García
(@secnight)
https://habemuscurso.blogspot.com
VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.