NOAA.gov XSS / CSRF / Clickjacking X-frame / DDOS (Slow response time) =================================================================== TIME-LINE VULNERABILITY Multiples Advisories but Not Response <webmaster@noaa.gov> Barry.Reichenbaugh@noaa.gov Bill.Zahner@noaa.gov David.P.Miller@noaa.gov john.sokich@noaa.gov Leesha.Saunders@noaa.gov Les.Adams@noaa.gov NOAA.Recovery@noaa.gov nos.web@noaa.gov OLE.ComplaintHotline@noaa.gov Paul.Taylor@noaa.gov Penaltypolicy@noaa.gov Ron.Gird@noaa.gov (...) I. VULNERABILITY ------------------------- #Title: NOAA.gov suffers from Cross Site Scripting / CSRF / Clickjacking X-frame and Slow response time Vulnerabilities #Vendor:http://www.noaa.gov/ #Author:Juan Carlos García (@secnight) #Follow US @habemuscurso @secnight II. DESCRIPTION ------------------------- NOAA is an agency that enriches life through science. Our reach goes from the surface of the sun to the depths of the ocean floor as we work to keep citizens informed of the changing environment around them. >From daily weather forecasts, severe storm warnings and climate monitoring to fisheries management, coastal restoration and supporting marine commerce, NOAA’s products and services support economic vitality and affect more than one-third of America’s gross domestic product. NOAA’s dedicated scientists use cutting-edge research and high-tech instrumentation to provide citizens, planners, emergency managers and other decision makers with reliable information they need when they need it. NOAA's roots date back to 1807, when the Nation’s first scientific agency, the Survey of the Coast, was established. Since then, NOAA has evolved to meet the needs of a changing country. NOAA maintains a presence in every state and has emerged as an international leader on scientific and environmental matters. NOAA’s mission touches the lives of every American and we are proud of our role in protecting life and property and conserving and protecting natural resources. I hope you will explore NOAA and how our products and services can enrich your own life. KNOWLEDGE BASE ************** List of file extensions ----------------------- Description -------------------- File extensions can provide information on what technologies are being used on this website. List of file extensions detected: html => 392 file(s) css => 36 file(s) js => 37 file(s) php => 8 file(s) swf => 20 file(s) htm => 2 file(s) txt => 1 file(s) dwt => 4 file(s) f4v => 6 file(s) flv => 3 file(s) pptx => 1 file(s) xls => 22 file(s) xlsx => 1 file(s) xml => 8 file(s) Top 10 response times ------------------ Description ------------ The files listed bellow had the slowest response times measured during the crawling process. The average response time for this site was 121.61 ms. These files could be targetted in denial of service attacks. ------------------------------------------------------ 1. /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls, response time 4524 ms GET /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls HTTP/1.1 Pragma: no-cache Referer: http://www.noaa.gov/sciencemissions/bpoilspill.html Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Host: www.noaa.gov Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm Accept: */* 2. /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls, response time 4181 ms GET /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls HTTP/1.1 Pragma: no-cache Referer: http://www.noaa.gov/sciencemissions/bpoilspill.html Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Host: www.noaa.gov Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm Accept: */* 3. /video/administrator/seattle/message_seattle_20090528.swf, response time 718 ms GET /video/administrator/seattle/message_seattle_20090528.swf HTTP/1.1 Pragma: no-cache Referer: http://www.noaa.gov/video/administrator/seattle/index.html Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Host: www.noaa.gov Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm Accept: */* 4. /video/administrator/acidification/lubchenco_acidification_20100319.swf, response time 608 ms GET /video/administrator/acidification/lubchenco_acidification_20100319.swf HTTP/1.1 5. /video/administrator/northeast/message_northeast_20090407.swf, response time 593 ms 6. /video/administrator/restoration/message_restoration_20090702.swf, response time 593 ms List of client scripts --------------------- Description ---------------- These files contain Javascript code referenced from the website. / /wallpaper/scripts/jquery.min.js /wallpaper/scripts/jquery.fancybox.js /slider/source/coin-slider.min.js /explore.js /loadEvents.js /includes/exit.js /includes/jquery-1.4.2.min.js /includes/content.js /includes/jquery.zrssfeed.min.js /includes/swfobject.js /scripts/AC_RunActiveContent.js /scripts/jquery-1.6.1.js /scripts/jquery.jcountdown.js /scripts/federated-analytics.js /scripts/swissarmy.js /media/exhibits/gallery/gallery_1/gfeedfetcher.js /media/exhibits/gallery/gallery_3/gfeedfetcher.js /media/exhibits/gallery/gallery_2/gfeedfetcher.js /media/exhibits/gallery/gallery_4/gfeedfetcher.js /media/exhibits/gfeedfetcher.js /earthday/scripts/lib/raphael.js /earthday/scripts/jquery.min.js /earthday/scripts/color.jquery.js /earthday/scripts/us-map.js /earthday/scripts/bg_animation.js /earthday/scripts/jquery.slides_rotation.js /earthday/scripts/jquery.slides_stories.js /earthday/scripts/jquery.fancybox.js /earthday/scripts/jwplayer.js /earthday/scripts/jquery.slides.js /deepwaterhorizon/video/video_clips/includes/swfobject_modified.js /deepwaterhorizon/video/oceanservice/js/jquery.js /deepwaterhorizon/video/oceanservice/js/jquery.hoverintent.minified.js /deepwaterhorizon/video/oceanservice/js/jquery.bgiframe.min.js /deepwaterhorizon/video/oceanservice/js/superfish.js /deepwaterhorizon/video/oceanservice/js/jquery.galleriffic.js /deepwaterhorizon/video/oceanservice/js/jquery.history.js /deepwaterhorizon/video/oceanservice/js/jquery.opacityrollover.js /deepwaterhorizon/video/oceanservice/foresee/foresee-trigger.js /deepwaterhorizon/video/search.usa.gov/javascripts/jquery/jquery.autocomplete.min.js /deepwaterhorizon/video/search.usa.gov/javascripts/sayt.js /deepwaterhorizon/video/cetrk.com/pages/scripts/0008/1868.js /deepwaterhorizon/scripts/rssdisplayer.js /deepwaterhorizon/scripts/AC_RunActiveContent.js /deepwaterhorizon/scripts/fadeslideshow.js /heat/scripts/flowplayer-3.2.6.min.js List of files with inputs ------------------------- Description ------------- These files have at least one input (GET or POST). / - 71 inputs /earthday/includes/video.php - 1 inputs /deepwaterhorizon - 1 inputs /deepwaterhorizon/video/oceanservice/deepwaterhorizon/oceanservice.noaa.gov/cgi-bin/redirout.cgi - 1 inputs /deepwaterhorizon/index.html - 1 inputs /deepwaterhorizon/news - 1 inputs /deepwaterhorizon/news/index.html - 1 inputs /deepwaterhorizon/news/trans_index.html - 5 inputs /deepwaterhorizon/maps/traj_maps.html - 23 inputs /deepwaterhorizon/maps/dissolved_maps.html - 2 inputs /deepwaterhorizon/maps/fishclose_maps.html - 6 inputs /deepwaterhorizon/maps/nautical_charts.html - 5 inputs /deepwaterhorizon/wildlife - 2 inputs /deepwaterhorizon/wildlife/index.html - 2 inputs /exit.html - 1 inputs /redirect.php - 1 inputs List of external hosts ---------------------- Description ------------- These hosts were linked from this website. search.usa.gov forecast.weather.gov www.usa.gov www.ready.gov www.climate.gov www.weather.gov nsd.rdc.noaa.gov www.commerce.gov www.youtube.com www.usda.gov www.homelandsecurity.noaa.gov www.ncdc.noaa.gov twitter.com www.facebook.com www.instagram.com www.rss.noaa.gov www.legislative.noaa.gov www.corporateservices.noaa.gov www.nws.noaa.gov www.pmel.noaa.gov www.cio.noaa.gov www.noaanews.noaa.gov oceanservice.noaa.gov s7.addthis.com weather.gov sec.noaa.gov www.spc.noaa.gov www.ncep.noaa.gov www.hurricanes.gov www.careers.noaa.gov www.nesdis.noaa.gov www.research.noaa.gov adds.aviationweather.gov www.spaceweather.noaa.gov www.noaawatch.gov www.history.noaa.gov usasearch.gov www.volunteer.noaa.gov www.ofa.noaa.gov www.publicaffairs.noaa.gov www.pco.noaa.gov www.wfm.noaa.gov www.nauticalcharts.noaa.gov www.ppi.noaa.gov www.nmfs.noaa.gov www.omao.noaa.gov www.economics.noaa.gov www.oceanservice.noaa.gov www.osec.doc.gov ocio.os.doc.gov mobile.weather.gov m.ocean.noaa.gov www.nhc.noaa.gov tsunami.csc.noaa.gov buoybay.noaa.gov market.android.com www.opc.ncep.noaa.gov mobile.tidesandcurrents.noaa.gov www.wrh.noaa.gov itunes.apple.com www.nnvl.noaa.gov www.education.noaa.gov code.jquery.com usgeo.gov ioos.noaa.gov www.earthobservations.org www.geonetcastamericas.noaa.gov www.epa.gov www.coris.noaa.gov nerrs.noaa.gov www.ndc.noaa.gov www.nurp.noaa.gov www.oesd.noaa.gov www.ndbc.noaa.gov www.nodc.noaa.gov coralreef.noaa.gov hawaiireef.noaa.gov www.seagrant.noaa.gov www.coralreef.noaa.gov oceanexplorer.noaa.gov response.restoration.noaa.gov sanctuaries.noaa.gov tidesandcurrents.noaa.gov mpa.gov www.csc.noaa.gov nowcoast.noaa.gov www.nerrs.noaa.gov stateofthecoast.noaa.gov coastalscience.noaa.gov ngs.woc.noaa.gov maps.csc.noaa.gov coastalmanagement.noaa.gov www.coastalmanagement.noaa.gov tidesonline.noaa.gov nauticalcharts.noaa.gov glakesonline.nos.noaa.gov geodesy.noaa.gov celebrating200years.noaa.gov www.oar.noaa.gov www.lib.noaa.gov www.swpc.noaa.gov www.nwr.noaa.gov www.esrl.noaa.gov www.fakr.noaa.gov swr.nmfs.noaa.gov sero.nmfs.noaa.gov www.fpir.noaa.gov www.cpc.ncep.noaa.gov www.oceanexplorer.noaa.gov www.nero.noaa.gov www.cpo.noaa.gov www.ngdc.noaa.gov www.gfdl.noaa.gov www.aoml.noaa.gov www.climate.noaa.gov www.drought.gov drought.gov www.st.nmfs.noaa.gov cpo.noaa.gov oar.noaa.gov uas.noaa.gov www.arl.noaa.gov www.nrc.noaa.gov explore.noaa.gov www.nssl.noaa.gov www.glerl.noaa.gov lci.hq.oar.noaa.gov research.noaa.gov www.oceanacidification.noaa.gov www.flickr.com aquaculture.noaa.gov pnt.gov www.osei.noaa.gov www.goes.noaa.gov www.sec.noaa.gov coastwatch.noaa.gov www.sarsat.noaa.gov www.oso.noaa.gov www.ssd.noaa.gov www.licensing.noaa.gov noaasis.noaa.gov coralreefwatch.noaa.gov www.osdpd.noaa.gov www.podcast.noaa.gov www.justice.gov alaskafisheries.noaa.gov www.fisheries.noaa.gov www.alaskafisheries.noaa.gov researchmatters.noaa.gov www.ofcm.gov www.gc.noaa.gov www.dco.noaa.gov www.ago.noaa.gov www.international.noaa.gov techpartnerships.noaa.gov 1.usa.gov youtu.be www.wildlifeadaptationstrategy.gov oceantoday.noaa.gov monitor.noaa.gov www.habitat.noaa.gov www.climatewatch.noaa.gov nrc.oarhq.noaa.gov noaaoceanscience.wordpress.com addthis.com www.foia.gov www.twitter.com www.google.com www.addthis.com support.google.com info.yahoo.com www.whitehouse.gov www.usna.usda.gov instagram.com www.aviationweather.gov ptwc.weather.gov cell.weather.gov nrc.noaa.gov americasclimatechoices.org www.gpo.gov globalchange.gov www.federalregister.gov www.napawash.org beta.w1.noaanews.noaa.gov www.gulfspillrestoration.noaa.gov www.restorethegulf.gov www.eeweek.org nctr.pmel.noaa.gov nnvl.noaa.gov www.arctic.noaa.gov preserveamerica.noaa.gov ocean.si.edu www.nasa.gov bit.ly go.usa.gov storms.ngs.noaa.gov droughtmonitor.unl.edu marinedebris.noaa.gov estuaries.noaa.gov www.nefsc.noaa.gov www.fishwatch.gov swfsc.noaa.gov www.norman.noaa.gov missionlog.noaa.gov www.bt.cdc.gov www.osha.gov www.pacsci.org www.sciencedirect.com www.spaceneedle.com pmel.noaa.gov books.nap.edu www.ostp.gov www.sab.noaa.gov www.nap.edu corporate.cq.com www.pnas.org frwebgate.access.gpo.gov commerce.senate.gov www.oig.doc.gov projects.ecr.gov www.iyor.org www.iyorcreative.com stellwagen.noaa.gov safeboating.erh.noaa.gov usinfo.state.gov www.ngs.noaa.gov www.tidesandcurrents.noaa.gov www.cop.noaa.gov www.whoi.edu images.google.com www.anstaskforce.gov www.seagrant.umn.edu www.nps.gov www.buoybay.org chesapeakebay.noaa.gov www.cdc.noaa.gov floridakeys.noaa.gov sarsat.noaa.gov www.beaconregistration.noaa.gov. www.cmts.gov www.salmonsafe.org www.fishfriendlyfarming.org www.moc.noaa.gov www.ccfhr.noaa.gov www.sanctuaries.noaa.gov www.FishWatch.noaa.gov www.aquaculture.noaa.gov cecf1.unh.edu www.tsunami.noaa.gov www.ripcurrents.noaa.gov www.lightningsafety.noaa.gov www.mpa.gov co-ops.nos.noaa.gov tidesonline.nos.noaa.gov www.erh.noaa.gov www.co-ops.nos.noaa.gov www.argo.ucsd.edu www.gcrmn.org www.gefcoral.org coralreefwatch-satops.noaa.gov secondlife.com www.scilands.org www.natice.noaa.gov cimas.rsmas.miami.edu www.stormready.noaa.gov www.chbr.noaa.gov tadd.weather.gov www.bestpub.com www.ntis.gov ccma.nos.noaa.gov tsunami.gov www.prh.noaa.gov www.tsunamiready.noaa.gov wcatwc.arh.noaa.gov nthmp.tsunami.gov www.sdr.gov www.extension.washington.edu www.bu.edu www.smast.umassd.edu www.tuna-org.org www.alfafish.org www.alaskansown.com www.atamerica.or.id statedept.connectsolutions.com www.uas.alaska.edu www.americorps.gov www.adfg.alaska.gov www.afsc.noaa.gov www.britannica.com rtc.sfsu.edu www.sitkasoundsciencecenter.org www.serc.si.edu www.invasivespeciesinfo.gov sites.google.com sea-mdi.engr.uga.edu www.marinedebris.engr.uga.edu esrl.noaa.gov cires.colorado.edu onlinelibrary.wiley.com carteretcatch.org www.walking-fish.org www.beaconregistration.noaa.gov ajax.googleapis.com www.nswp.gov www.metoffice.gov.uk www.safeboatingcouncil.org www.esa.doc.gov www.epp.noaa.gov fosterscholars.noaa.gov www.nifc.gov www.apple.com nsidc.org www.aoc.noaa.gov www.nws.gov hmt.noaa.gov rsbl.royalsocietypublishing.org www.intranet.noaa.gov ozone.unep.org www.geosummit.org www.jpl.nasa.gov water.weather.gov www.srh.noaa.gov www.uscg.mil pafc.arh.noaa.gov pafg.arh.noaa.gov paom.arh.noaa.gov cgvi.uscg.mil www.jpss.noaa.gov earthobservatory.nasa.gov www.ctia.org www.amberalert.gov www.fema.gov transition.fcc.gov www.ras.org.uk www.solarstorms.org helios.swpc.noaa.gov articles.adsabs.harvard.edu www.crh.noaa.gov www.noaacorps.noaa.gov www.portno.com www.bts.gov www.deepwaterhorizonresponse.com www.nwfsc.noaa.gov www.seafood.nmfs.noaa.gov www.gsa.gov seagrant.oregonstate.edu extension.oregonstate.edu geo.oregonstate.edu oregonstate.edu vaac.arh.noaa.gov www.adobe.com www.volcano.si.edu rapidfire.sci.gsfc.nasa.gov wisdom.noaa.gov www.nmsfocean.org www.thankyouocean.org www.coastalamerica.gov www.quiksilverfoundation.org www.ultimatewavetahiti.com www.kellyslaterfoundation.org www.eol.ucar.edu flowergarden.noaa.gov www.stopextinction.org www.sefsc.noaa.gov deepwaterhorizon.noaa.gov www.uscti.org www.ncddc.noaa.gov shiptracker.noaa.gov aviationweather.gov www.fly.faa.gov www.weather.gov. nationalatlas.gov maps.nittec.org www.sio.ucsd.edu www.exploratorium.edu icestories.exploratorium.edu lwf.ncdc.noaa.gov citizenshipblog.fedex.designcdt.com www.sciencemag.org www.wdcs-na.org www.dolphinsmart.org www.dolphinecology.org www.floridakeys.noaa.gov teacheratsea.noaa.gov taterka.blogspot.com gpsmet.noaa.gov games.noaa.gov www8.nos.noaa.gov www.unep.org ioos.gov techserv.gso.uri.edu ocgweb.marine.usf.edu noaahrd.wordpress.com www.whaletimes.org www.ccamlr.org www.auduboninstitute.org www.vetmed.ufl.edu visitor.r20.constantcontact.com www.dolphinsafe.gov farallones.noaa.gov channelislands.noaa.gov www.explore.noaa.gov www.ua.nws.noaa.gov coastalsmartgrowth.noaa.gov secure.nssl.noaa.gov www.nsf.gov www.savesfbay.org el.erdc.usace.army.mil thomas.loc.gov www.oceancommission.gov www.darrp.noaa.gov www.cbrestoration.noaa.gov www.usgs.gov pubs.usgs.gov www.srh.weather.gov era.noaa.gov ciceet.unh.edu www.nova.edu jama.ama-assn.org www.hsph.harvard.edu www.usla.org www.nwrfc.noaa.gov www.ucar.edu www.ncar.ucar.edu www.floodsmart.gov www.airquality.noaa.gov webstunning.com visitor.constantcontact.com cioert.org www.hboi.fau.edu www.geoplatform.gov ecowatch.ncddc.noaa.gov cwcgom.aoml.noaa.gov ready.arl.noaa.gov www.oceanleadership.org spot.nws.noaa.gov uwf.edu tulane.edu www.ufl.edu www.unh.edu www.ucsb.edu www.tamu.edu www.unols.org www.auburn.edu www.mbari.org www.msstate.edu www.ceoe.udel.edu www.ecu.edu www.marine.usf.edu www.marine.usm.edu www.rsmas.miami.edu www.esl.lsu.edu www.apl.washington.edu www.abdn.ac.uk www.response.restoration.noaa.gov rucool.marine.rutgers.edu gulfseagrant.tamu.edu www.crrc.unh.edu www.hpc.ncep.noaa.gov FBO.gov grants.gov www.recovery.gov www.grants.gov www.fbo.gov recovery.commerce.gov img.youtube.com www.ioos.noaa.gov oceanacidification.noaa.gov www.star.nesdis.noaa.gov www.droughtmonitor.unl.edu www.fda.gov beta2.w1.noaa.gov archive.orr.noaa.gov usa.gov csc.noaa.gov noaawatch.gov www.rdc.noaa.gov nosinternational.noaa.gov inside.nos.noaa.gov www.incidentnews.gov nosdataexplorer.noaa.gov searchstats.usa.gov List of email addresses ------------------------ Description ------------------ List of all email addresses found on this host. Barry.Reichenbaugh@noaa.gov Bill.Zahner@noaa.gov David.P.Miller@noaa.gov john.sokich@noaa.gov Leesha.Saunders@noaa.gov Les.Adams@noaa.gov NOAA.Recovery@noaa.gov nos.web@noaa.gov OLE.ComplaintHotline@noaa.gov Paul.Taylor@noaa.gov Penaltypolicy@noaa.gov Ron.Gird@noaa.gov webmaster@noaa.gov III. PROOF OF CONCEPT ------------------------- Cross site scripting --------------------- /earthday/includes/video.php img vid jQuery Cross Site Scripting ---------------------------- /deepwaterhorizon/video/oceanservice/js/jquery.js /includes/jquery-1.4.2.min.js /scripts/jquery-1.6.1.js HTML form without CSRF protection ---------------------------------- /deepwaterhorizon /deepwaterhorizon/maps/dissolved_maps.html /deepwaterhorizon/maps/fishclose_maps.html /deepwaterhorizon/maps/nautical_charts.html /deepwaterhorizon/maps/traj_maps.html /deepwaterhorizon/news/trans_index.html /deepwaterhorizon/wildlife/index.html Clickjacking: X-Frame-Options header missing -------------------------------------------- Web Server OPTIONS method is enabled --------------------------- Web Server Possible sensitive files ------------------------ /test.html Cross site scripting ********************* Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. Attack details --------------- URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_903287"():;997910 The input is reflected inside <script> tag between double quotes GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_903287%22%28%29%3a%3b997910&rel =0&showinfo=0&version=3&vid=http://www.gfdl.noaa.gov/video/cm24sst.mov&vq=hd720 Variants -------- (6) IMG ---- Variant 1 URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_903287"():;997910 The input is reflected inside <script> tag between double quotes. GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_903287%22%28%29%3a%3b997910&rel =0&showinfo=0&version=3&vid=http://www.gfdl.noaa.gov/video/cm24sst.mov&vq=hd720 Variant 2 URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_917373"():;930946 The input is reflected inside <script> tag between double quotes GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_917373%22%28%29%3a%3b930946&rel =0&showinfo=0&version=3&vid=http://www.noaanews.noaa.gov/stories2008/images/Coral-web.mov&vq=hd720 Variant 3 URL encoded GET input img was set to /earthday/images/sea_surface_speed.jpg?controls=1_905819"():;976824 The input is reflected inside <script> tag between double quotes. GET /earthday/includes/video.php?autoplay=0&img=%2fearthday%2fimages%2fsea_surface_speed.jpg%3fcontrols%3d1_905819%22%28%29%3a%3b976824&rel =0&showinfo=0&version=3&vid=/earthday/videos/US-Indonesia_ocean_exploration.mov&vq=hd720 VID --- Variant 1 URL encoded GET input vid was set to http://www.gfdl.noaa.gov/video/cm24sst.mov_951831"():;987675 The input is reflected inside <script> tag between double quotes. GET /earthday/includes/video.php?autoplay=0&img=/earthday/images/sea_surface_speed.jpg?controls=1&rel=0&showinfo=0&version=3&vid =http%3a%2f%2fwww.gfdl.noaa.gov%2fvideo%2fcm24sst.mov_951831%22%28%29%3a%3b987675&vq=hd720 Variant 2 URL encoded GET input vid was set to http://www.gfdl.noaa.gov/video/cm24sst.mov_985971"():;994650 The input is reflected inside <script> tag between double quotes. GET /earthday/includes/video.php?autoplay=0&img=/earthday/images/space_coralreef_monitoring.jpg?controls=1&rel=0&showinfo =0&version=3&vid=http%3a%2f%2fwww.gfdl.noaa.gov%2fvideo%2fcm24sst.mov_985971%22%28%29%3a%3b994650&vq=hd720 Variant 3 URL encoded GET input vid was set to http://www.gfdl.noaa.gov/video/cm24sst.mov_928768"():;902834 The input is reflected inside <script> tag between double quotes. GET /earthday/includes/video.php?autoplay=0&img=/earthday/images/deepsea_US-Indonesia_ocean_exploration.jpg?controls =1&rel=0&showinfo=0&version=3&vid=http%3a%2f%2fwww.gfdl.noaa.gov%2fvideo%2fcm24sst.mov_928768%22%28%29%3a%3b902834&vq=hd720 JQuery Cross-Site Scripting ****************************** Vulnerability description --------------------------- This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites are using to select elements using location.hash that allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Affected items -------------- /deepwaterhorizon/video/oceanservice/js/jquery.js /includes/jquery-1.4.2.min.js /scripts/jquery-1.6.1.js Attack details -------------- Pattern found: /*! * jQuery JavaScript Library v1.4.2 * http://jquery.com GET /deepwaterhorizon/video/oceanservice/js/jquery.js GET /includes/jquery-1.4.2.min.js Pattern found: /*! * jQuery JavaScript Library v1.6.1 * http://jquery.com GET /scripts/jquery-1.6.1.js How to fix this vulnerability ------------------------------ Update to the latest version of jQuery Clickjacking: X-Frame-Options header missing ********************************************* Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. This vulnerability affects Web Server. HTML form without CSRF protection ******************************** Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Affected items --------------- /deepwaterhorizon Form name: archived_newsletters Form action: http://www.noaa.gov/deepwaterhorizon/ Form method: POST Form inputs: issue_links [Select] /deepwaterhorizon/maps/dissolved_maps.html Form name: april_traj1 Form action: http://www.noaa.gov/deepwaterhorizon/maps/dissolved_maps.html Form method: POST Form inputs: april_day1 [Select] /deepwaterhorizon/maps/fishclose_maps.html Form name: april_traj1 Form action: http://www.noaa.gov/deepwaterhorizon/maps/fishclose_maps.html Form method: POST Form inputs: april_day1 [Select] /deepwaterhorizon/maps/nautical_charts.html Form name: april_nautical Form action: http://www.noaa.gov/deepwaterhorizon/maps/nautical_charts.html Form method: POST Form inputs: april_day [Select] /deepwaterhorizon/maps/traj_maps.html Form name: april_traj1 Form action: http://www.noaa.gov/deepwaterhorizon/maps/traj_maps.html Form method: POST Form inputs: april_day1 [Select] /deepwaterhorizon/news/trans_index.html Form name: may_trans Form action: http://www.noaa.gov/deepwaterhorizon/news/trans_index.html Form method: POST Form inputs: may_day [Select] /deepwaterhorizon/wildlife/index.html Form name: may_consolidated Form action: http://www.noaa.gov/deepwaterhorizon/wildlife/index.html Form method: POST Form inputs: day_report [Select] The impact of this vulnerability ---------------------------------- An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. How to fix this vulnerability ------------------------------ Check if this form requires CSRF protection and implement CSRF countermeasures if necessary. The impact of this vulnerability -------------------------------- An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. How to fix this vulnerability ------------------------------ Check if this form requires CSRF protection and implement CSRF countermeasures if necessary. Sensitive Files **************** /climateresources/test.html /test.html Slow response time ******************* This page had a slow response time. The response time for this page was 4524 ms while the average response time for this site is 121.61 ms. This types of files can be targetted in denial of service attacks. An attacker can request this page repeatedly from multiple computers until the server becomes overloaded. /sciencemissions/brooksmccall/BrooksMcCall09_Jun22_26_2010.xls /sciencemissions/jackfitz/DWH_AlphaEDDs_1005011_5012_5013_5014_100727.xls IV. BUSINESS IMPACT ------------------------- I don´t Know ... Gov.. !! V SOLUTION ------------------------ Write Secure Code.. Ask the NSA How to !! VI. CREDITS ------------------------- This vulnerability has been discovered by Author: Juan Carlos García (@secnight) https://habemuscurso.blogspot.com VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.