Stored XSS chain on NASA VDP


ph4nt0mbyt3

Greetings Readers,

I hope this message finds you in excellent spirits and eager for the exciting developments in our cybersecurity exploration! Today, I’m delighted to share an insightful discovery regarding the NASA VDP program, a journey that has led to uncovering intriguing vulnerabilities alongside my esteemed collaborator, QNSx.

Our initial quest bore fruit with the identification of 9 P3 vulnerabilities, yet our thirst for more impactful findings persisted. Through perseverance and diligent investigation, we delved deeper into the system, unveiling a remarkable vulnerability that opens doors to intriguing possibilities.

As I navigated through the sub.redacted.com domain, a significant vulnerability revealed itself. This flaw presented an opportunity for a self-XSS attack, a starting point that paved the way for a more significant escalation in our exploration.

Undeterred by challenges, I embarked on further exploration, which led me to uncover an IDOR vulnerability with an element of unpredictability, adding an exhilarating twist to our journey. However, amidst these challenges, a beacon of opportunity emerged in the form of an API endpoint. This endpoint not only provided access to user filter IDs without authentication but also revealed a fascinating pattern waiting to be unraveled.

What makes this journey even more exciting is the range of actions enabled by the mode=list feature of the API endpoint. From renaming and saving to deletion of filters, the possibilities are vast and promising.

Join me as we walk through chaining the self-XSS with the IDOR to turn it into a stored XSS.

While experimenting with the filters, I discovered numerous endpoints and potential avenues for exploration.

Unauthenticated Filter Saving Endpoint (POST to GET conversion):

Endpoint: https://sub.redacted.gov/Redacted/SaveSearchFilterSvc?mode=save&name=SELF-XSS PAYLOAD HERE&userid=123612368&list_mode=list&log_type=user_saved&filter_list
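To make the three weaknesses behind this endpoint concrete, here is an added illustrative model in Python. It is my own example, not the service's code or the author's script: the store, user ids and filter names are constructed sample data, and the handler signatures are assumptions. The vulnerable handler accepts any HTTP method (so a POST action can be replayed as a GET link), writes to whichever account the client names in userid (the IDOR), and stores the name verbatim for unescaped rendering (the stored XSS). The hardened counterpart binds the write to the authenticated session and escapes on output.

```python
import html
from typing import Dict, Optional

# Filter store: user id -> {filter id -> filter name}.
FilterStore = Dict[int, Dict[int, str]]


def sample_store() -> FilterStore:
    """Constructed sample data (not from the program): two users with one saved filter each."""
    return {
        123612368: {1: "open tickets"},
        123617537: {1: "my drafts"},
    }


def save_filter_vulnerable(store: FilterStore, method: str,
                           session_user_id: Optional[int], params: Dict[str, str]) -> dict:
    """Illustrative model of the weaknesses the write-up describes (not the real service code):
    - any HTTP method is accepted, so the save action works as a plain GET link;
    - the account written to comes from the client-supplied userid parameter (IDOR);
    - the filter name is stored verbatim and rendered unescaped later (stored XSS)."""
    target = int(params["userid"])                 # trusts the request, ignores the session
    filter_id = int(params.get("filter_id", "1"))
    store.setdefault(target, {})[filter_id] = params["name"]
    return {"status": 200, "owner": target}


def render_filter_list_vulnerable(store: FilterStore, user_id: int) -> str:
    # Raw interpolation into HTML: whatever was saved ends up in the page as markup.
    return "".join(f"<li>{name}</li>" for name in store.get(user_id, {}).values())


def save_filter_hardened(store: FilterStore, method: str,
                         session_user_id: Optional[int], params: Dict[str, str]) -> dict:
    """Hardened counterpart: POST-only, authenticated, bound to the session's own user id,
    with a length limit on the stored name (escaping happens at render time)."""
    if method != "POST":
        return {"status": 405, "error": "state-changing action requires POST"}
    if session_user_id is None:
        return {"status": 401, "error": "authentication required"}
    # Authorise against the session, not the request: a userid that does not match
    # the logged-in user is rejected instead of being honoured.
    if params.get("userid", str(session_user_id)) != str(session_user_id):
        return {"status": 403, "error": "userid does not match authenticated user"}
    name = params.get("name", "").strip()
    if not 1 <= len(name) <= 64:
        return {"status": 400, "error": "filter name must be 1-64 characters"}
    filter_id = int(params.get("filter_id", "1"))
    store.setdefault(session_user_id, {})[filter_id] = name
    return {"status": 200, "owner": session_user_id}


def render_filter_list_hardened(store: FilterStore, user_id: int) -> str:
    # Context-aware output encoding: the name is data, so it is HTML-escaped on the way out.
    return "".join(f"<li>{html.escape(name)}</li>"
                   for name in store.get(user_id, {}).values())
```

The hardened handler still needs a CSRF token on the POST in a real deployment; that is left out here to keep the model focused on the method, authorization and encoding checks.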

I have conducted an analysis regarding the generation of user IDs and have identified a discernible pattern in the sequence of IDs. For instance, user IDs exhibit a progressive or foreseeable pattern, such as commencing with “1235XXXXX” on one day and progressing to “1236XXXXX” on subsequent days. It appears that this pattern undergoes gradual changes either after a specific number of registrations or after a certain period.

Here are examples of the observed user IDs:

123568050 (yesterday)
123612368 (today)
123617537 (today)
123617537 (today)

The potential variations in the XXXXX portion range from 00000 to 99999, amounting to 100,000 possibilities. While this may seem substantial, it is a manageable range. In light of this analysis, we are presented with two options for exploiting this pattern:

To illustrate the gravity of these vulnerabilities, I developed a Python script to systematically iterate through user IDs, identify those with active filters, and rename them. However, I find this approach less practical, as it assumes that users consistently create filters when setting up their accounts, which may not always be the case.

Alternatively, we could retroactively search for older ID patterns or pre-seed filters under likely future IDs. Any later attempt to use a filter or otherwise interact with one of those IDs would then trigger the injected payload.
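From the defending side, both options above leave a very recognisable footprint: one client walking near-consecutive userid values against SaveSearchFilterSvc, and state-changing modes (save, rename, delete) arriving over GET. The following added example, my own and not part of the original post, runs that detection over constructed combined-format log lines. The endpoint path is taken from the write-up; the client addresses, timestamps, user ids and the set of modes treated as state-changing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client, identity, user, [timestamp], "METHOD URL PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
FILTER_PATH = "/Redacted/SaveSearchFilterSvc"        # path from the write-up's endpoint
STATE_CHANGING_MODES = {"save", "rename", "delete"}   # assumed; the write-up names these actions


def constructed_log_lines() -> List[str]:
    """Constructed sample traffic, not real logs: one client (203.0.113.7) walking six
    consecutive user ids through mode=save over GET, plus two benign requests."""
    lines = []
    for i in range(6):
        lines.append(
            f'203.0.113.7 - - [10/Mar/2024:10:00:0{i + 1} +0000] '
            f'"GET {FILTER_PATH}?mode=save&name=alpha&userid={123612300 + i}'
            f'&list_mode=list HTTP/1.1" 200 12'
        )
    lines.append(f'198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] '
                 f'"POST {FILTER_PATH}?mode=save&name=weekly&userid=123617537 HTTP/1.1" 200 12')
    lines.append(f'198.51.100.9 - - [10/Mar/2024:10:06:00 +0000] '
                 f'"GET {FILTER_PATH}?mode=list&userid=123612368 HTTP/1.1" 200 80')
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into ip, timestamp, method, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": query,
        "status": int(m["status"]),
    }


def analyze(lines: List[str], min_ids: int = 5, max_gap: int = 50,
            window_s: int = 300) -> Dict[str, list]:
    """Flag (a) clients touching many near-consecutive userid values on the filter endpoint
    within a short window, and (b) state-changing modes requested over GET."""
    findings = {"enumeration": [], "state_change_via_get": []}
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != FILTER_PATH:
            continue
        uid = ev["query"].get("userid")
        if uid and uid.isdigit():
            per_ip[ev["ip"]].append((ev["ts"], int(uid)))
        if ev["method"] == "GET" and ev["query"].get("mode") in STATE_CHANGING_MODES:
            findings["state_change_via_get"].append(
                {"ip": ev["ip"], "mode": ev["query"]["mode"], "userid": uid})
    for ip, events in per_ip.items():
        ids = sorted({uid for _, uid in events})
        if len(ids) < min_ids:
            continue
        span = (max(ts for ts, _ in events) - min(ts for ts, _ in events)).total_seconds()
        gaps = [b - a for a, b in zip(ids, ids[1:])]
        # Small gaps between distinct ids in a short window is the enumeration signature.
        if span <= window_s and max(gaps) <= max_gap:
            findings["enumeration"].append({
                "ip": ip, "distinct_ids": len(ids),
                "id_range": (ids[0], ids[-1]), "span_s": span,
            })
    return findings


if __name__ == "__main__":
    for kind, items in analyze(constructed_log_lines()).items():
        print(kind, items)
```

The thresholds (five distinct ids, gaps of at most 50, within five minutes) are starting points to tune against real traffic; the structural fix, server-side, is to stop honouring the userid parameter at all, at which point the enumeration signal becomes a pure abuse indicator rather than a breach indicator.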

Our expedition through this program has been a testament to the power of curiosity, collaboration, and continuous learning in the realm of cybersecurity. Thank you for being part of this inspiring world. Let’s continue to lead by example, inspire change, and build a safer, more secure digital future for generations to come.

Never give up!
