Beyond Vulnerabilities: Securing a Spot in NASA’s Hall of Fame


Mohaseen

Greetings, everyone!

Thank you for returning to read another of my write-ups. This is my first write-up of 2024. In today's discussion, we will dive into a vulnerability. Specifically, I will be detailing how I identified bugs and earned a HOF (Hall of Fame) in NASA. Without further delay, let us navigate through the intricacies of this discovery.

My name is Mohaseen. I'm a cyber security enthusiast and a bug bounty hunter. I have been learning about bug bounty and web application hacking since 2019, and I love what I do.

Now let’s understand the bug.

I don't think it requires any introduction, but as per our legacy: the National Aeronautics and Space Administration (NASA) is an independent agency of the U.S. federal government responsible for the civil space program, aeronautics research, and space research.

In NASA I have submitted various reports, and in this write-up let's have a basic view of all of them. In my routine reconnaissance of the site, I started by listing out subdomains using my own bash script. After checking the live ones (cat alive.txt) and opening all the URLs with a multi-URL extension in Firefox, I encountered various HTTP status codes like 404, 200, and 403.

Disclosure of detailed server configuration

Publicly available error

Direct access to the origin IP, which is hosting an outdated nginx server

I got these three bugs using Google dorking. After I analyzed all the subdomains, I started Google dorking by using various dorks and combining them together. They disclosed information about the system, its server configuration, and errors in the system.

I recently reported a text injection bug in NASA which got me a P5, which I don't like to mention here.

The vulnerabilities discovered at NASA have significant implications for the organization’s cybersecurity. The exposure of detailed server configurations and publicly available errors opens avenues for potential exploitation, while direct access to an outdated Nginx server poses a tangible risk.

The Google Dorking findings underline the potential for malicious actors to leverage system information, server configurations, and existing errors for targeted attacks on NASA’s network. The P5-classified text injection bug adds an additional layer of concern, as it could lead to unauthorized access or manipulation of sensitive data.

I made a detailed report outlining my findings and submitted it. Within 2–3 days, I received confirmation that the bug had been triaged, and about a day later I got confirmation that 2 of my reports were valid but duplicates. However, 2 of my bugs were valid and unique. They only operated a Vulnerability Disclosure Program (VDP) on Bugcrowd, without providing any points or reward 🥲. But I got a HOF in NASA.

This way I got my first HOF in NASA.

Getting a first HOF is a very great feeling. Thank you, infosec community, for sharing the knowledge.

I hope you learned something new reading this. Thank you so much for reading. Have a great day😊!
