How I hacked NASA (WARNING: Dad Jokes)

Abu Hurayra

Thank You Nasa!

Hey there, it’s me again, rootplinix… I mean, Abu Hurayra…okay, the5orcerer… n30r0n. Yeah, yeah, I’ve got a lot of names in my dictionary, but let’s stick with the essentials. So, hello, folks! Here I am — a daytime hunter and nighttime writer. Well, honestly, I’m just an all-the-time hunter and writer. (Can’t craft a better lie than that one, right?)

Let’s jump right into the story. I was doing my usual routine, scrolling through Medium like it was my day job. But, as usual, finding something interesting was like digging for gold. After a solid 10 minutes of scrolling, I decided, “Eh, let’s check out Twitter.” (Oh, by the way, you can follow me for some top-tier dad jokes there). Anyway, while I was mindlessly scrolling again, I stumbled upon a post. Someone had posted a picture of an acceptance letter from NASA. This person also had a Medium article — no, a write-up — wait, a PoC. (Honestly, I’m still not sure what the exact difference is between those).

So, back to Medium I went, reading the article not once but twice. And after that, I had this epiphany — I want this, and I want it badly. Long story short, I reported three or four bugs…all marked N/A or Informative. (Believe me, I tried to make them eat my Host Header Injection bug. {evil emoji}).

After that little hiccup, I decided, “Okay, this time, I’m aiming for some serious P1 or P2 bugs, no more of that P3 or P4 stuff.”
Soon enough, I came across a vulnerability: an Apache load balancer exposed by default (thanks to my fuzzing dicts), and I thought, “Hmm, I could redirect NASA’s traffic elsewhere with this.” You know what load balancers are capable of, right?

A load balancer is like a bouncer for network traffic, directing it across servers (cloud or on-prem) to keep an application running smoothly.
Source: F5 Networks Glossary (Another source: trust me, man! We’re friends, you can take my word on it)

So, I reported this big catch and took a break, vanishing from the bug-hunting scene for 24 hours. Then, when I was in some random place trying to find my way home on Google Maps, I got a notification from Bugcrowd. Guess what? The triager marked my report as N/A. Not even a low or informative, just straight-up N/A. I didn’t argue — I don’t do that. I believe, “Actions speak louder than words.”

Sad story in one line :(

After a bit of a private meltdown (okay, I didn’t actually cry in the bathroom), I recharged and revisited the same vulnerability. I asked myself why the triager marked it as N/A, so I started retesting. Turned out, it wasn’t redirecting traffic after all. But here’s the thing — it was still a bug because it exposed the load balancer, which could lead to bigger security issues. In a fit of frustration, I started hitting my keyboard like a madman, and that’s when I noticed something: tomcat://. I paused, took a breath, and tried changing the URL. I swapped in evil.com just for kicks. At first, it took a few seconds to make a POST request, and when I refreshed the site, everything looked normal. But then, when I pressed F5, boom! The entire site vanished.

The moment before disaster.

Ping requests were bouncing back the domain’s IP, but I couldn’t reach the site — WAF block, maybe? I tried a disposable browser, then online proxies like Croxyproxy and Hidemyass, and…nothing. All of them failed to load the site. For triple confirmation, I used some online ping tools, and they all showed failure messages. I was like, “What in the world did I just do?”

The moment after tornado :)

I immediately reported back to NASA. In my rush, I managed to put together an explanation, describing everything from my initial N/A to crashing the entire server. I also pointed out that the triager’s N/A status on my first report had driven me to hit my keyboard in frustration until the server just…well, crashed. The triager replied in seconds, almost blaming me. I repeated my story, and then another triager jumped in. Suddenly, they were all playing some private round of Uno with NASA in the messages.

Days passed — 10 of them — and I got no updates. Just waiting, watching them message back and forth like I was binging a Marvel series with popcorn in hand. Five more days passed, and they finally marked it as P2 and labeled it “Unresolved.” Three more days later, the bug was fixed, and that was that.

Final moment and my happy moment :)

And here I am, reflecting on the journey it took to break my keyboard for this. But hey, I got it! Honestly, I thought finding a single bug on NASA would be a whole new level of insanity, but I realized that with some persistence, even the static or server-related bugs out there are waiting to be found — they’re just a bit complex, like an adventure.

Takeaway? When in doubt, break your keyboard. (Think like the triager: “Why did the triager mark this as N/A?” Reflect on that, dig deeper, and you might just uncover a whole new layer of the bug)
And thanks to my beloved evil triager, who turned my N/A into a P2. (I still believe it deserved a P1, but you know, no arguing — arguing only makes you lazy like my cat!)

Apache Load Balancer: Distributes network traffic across servers for scalability and fault tolerance. Critical for maintaining balanced server loads to prevent downtime.

Tomcat Protocol (tomcat://): A URL scheme used in load balancing configurations, particularly with Apache servers that can be sensitive to misconfigurations and can cause server misdirections.

WAF (Web Application Firewall): Filters and monitors HTTP requests, blocking potentially harmful traffic based on security policies.

Hope you enjoy the “break your keyboard” story!
