Hi Guyz,
My name is Krishnadev P Melevila. I am a security researcher working for many startups. To know more about me, just search me on Google.
It’s the dream of every security researcher to be on NASA’s hall of fame page.
I also started researching NASA’s infrastructure to grab that position.
The vulnerability must be at least P3 severity to get listed on NASA’s HoF. I had submitted a total of 3 reports, two of which got P5 and were closed as informational, so with each submission my inner mind was crying hard for that HoF.
Then that day came.
I started by enumerating the subdomains of nasa.gov.in, using the tool called subdomainfinder: https://subdomainfinder.c99.nl/
It listed a large set of subdomains, but no luck; I tried for days, weeks and months. I almost lost hope.
Then I checked the scope on Bugcrowd; there was one domain called globe.gov. I started enumerating subdomains of that domain.
And I came across a subdomain: datasearch.globe.gov
Now it’s time to start:
Let’s put ourselves in the attacker’s shoes.
1. Visit: https://datasearch.globe.gov/
2. Click on “Site filters”.
3. Type any “Site name” filter.
4. Select any protocol filter.
5. Turn on the Burp Suite proxy and click the share button at the top of the page.
6. In Burp, modify the “text” parameter of key “0” of the “filter_list” parameter to <img src=x onerror=alert(1)>
7. Don’t forget to encode the request as in the 3rd figure.
8. Now forward the request and get the share link from the browser.
Now if we check this link: https://vis.globe.gov/GLOBE/?vis_mode=adat&load_filter=1124768045844738315
It will trigger XSS! (IT IS FIXED AS OF NOW!)
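The root cause behind these steps is that the “text” value stored in a filter_list entry is inserted into the page as HTML when the shared filter is loaded. As an added illustration (not the GLOBE site’s own code; the shape of the stored filter_list object is assumed from the write-up), here is that unsafe rendering beside an escaped version, run over a constructed share payload carrying the same marker payload:

```javascript
// Constructed share payload in the shape the write-up describes:
// filter_list -> key "0" -> "text" is the user-controlled value.
const SHARED_FILTER = {
  filter_list: {
    "0": { field: "site_name", text: "<img src=x onerror=alert(1)>" },
    "1": { field: "protocol", text: "Air Temperature" },
  },
};

// Vulnerable pattern: filter text is concatenated straight into HTML,
// so whatever was stored behind the share link becomes live markup
// for every visitor who opens that link.
function renderFiltersUnsafe(shared) {
  return Object.values(shared.filter_list)
    .map((f) => `<span class="chip">${f.field}: ${f.text}</span>`)
    .join("");
}

// Escape the five characters that matter in an HTML text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted value is escaped before insertion,
// so the stored payload is displayed as literal text, not executed.
function renderFiltersSafe(shared) {
  return Object.values(shared.filter_list)
    .map((f) => `<span class="chip">${escapeHtml(f.field)}: ${escapeHtml(f.text)}</span>`)
    .join("");
}

// Server-side sanity check for the stored field: a site-name filter has no
// business containing a tag opener or an on*= event-handler attribute.
// Useful for rejecting or flagging a share request before it is persisted.
function looksLikeMarkup(text) {
  return /<\s*[a-z!/]/i.test(text) || /\bon\w+\s*=/i.test(text);
}
```

The escaping belongs at the rendering step regardless of the check: the check only narrows what gets stored, while escaping guarantees the output context is safe for whatever did get stored.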
TIMELINE:
Reported: 01 Mar 2024 04:33:14 UTC
Triaged: 01 Mar 2024 09:46:05 UTC
First response from NASA: 04 Mar 2024 22:24:11 UTC
Token of appreciation and HoF: 27 Mar 2024 13:16:14 UTC
Don’t forget to follow me on Medium and other social media. Also please give your 50 claps for this write-up and that’s my inspiration to write more!!
I need your support to write more, Buy me a coffee pls: https://www.buymeacoffee.com/krishnadevpm
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/