NASA NODIS Cross Site Scripting

Credit: Binit Ghimire
Risk: Low
Local: No
Remote: Yes

Cross-site Scripting (XSS) Vulnerability in NASA through User Agent - Binit Ghimire As of October 19, 2019, there exists a Reflected Cross-site Scripting (XSS) vulnerability in a sub-domain of the official NASA website as a result of the User Agent HTTP request header getting displayed in the webpage. The vulnerability was discovered on October 11, 2019 and a video was uploaded to YouTube regarding the reproduction of the vulnerability. Vulnerable URLs: 1. 2. Proof-of-Concept (PoC) Video: How to Reproduce? Step 1: Visit Here, you will be able to see that it displays your User-Agent in the form of "Your browser is {User-Agent}". In my case, it displays "Your browser is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0". Step 2: Then, open your browser's Developer Tools, and add a custom User Agent string containing the following XSS payload: <svg/onload=alert(document.domain)> You can also modify the value of User Agent by intercepting the GET request sent to the server while visiting and then forwarding the request. I have explained about this in the Proof-of-Concept (PoC) video along with this vulnerability report. Step 3: Now, visit the webpage with the modified User Agent value, and you will be able to see the XSS payload in the User Agent getting executed. Author Details: Name: Binit Ghimire Profile: Webpage: Twitter: @WHOISbinit ( Facebook Page: Facebook Profile: GitHub: LinkedIn:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top