Hi everyone!! I’m Vikram, and welcome back to another interesting write-up. Today, I’m excited to share my experience of discovering a stored + blind xss on one of NASA’s subdomains. This journey has been a mix of learning, perseverance, and, of course, a bit of adrenaline. Let’s dive into it.
PS: I’ve included an introduction sharing my thoughts, motivation behind hunting on this program. If you’re more interested in the technical details and the vulnerability discovery process, feel free to skip ahead to “Vulnerability Hunt” section!
Why i started
It all started a few months ago when I kept seeing people proudly sharing NASA appreciation letters on LinkedIn, Instagram, and other platforms. To be honest, seeing them “flex” sparked an urge in me — I wanted one too! I reached out to seniors and friends to ask how to get it and how challenging it might be. Huge thanks to them for motivating me, assuring me that I could do it. While I had reported bugs before, tackling a Vulnerability Disclosure Program (VDP) like NASA’s was an entirely new and exciting experience for me.
Enough of my story lets get down to hacking.
The Vulnerability Hunt
NASA has four main domains in scope for its Vulnerability Disclosure Program (VDP). To begin my assessment, I collected all the subdomains using tools like Subfinder, Sublist3r, and Amass. Once I compiled the list of subdomains, I started manually exploring some of the unique ones to understand their functionality and structure.
While inspecting these subdomains, I came across one of particular interest:https://mcl-labcas.jpl.nasa.gov/labcas-ui/s/index.html?search=*
The website appeared to be tailored for users accessing scientific or research data, with a clean and functional design. During my exploration, I noticed a custom search functionality that caught my attention. I was curious to see how it handled input, especially since the search queries were not only reflected on the page but were also stored permanently on the server and reloaded on the interface.
To test for vulnerabilities, I attempted to save an XSS payload by entering <script>alert("Hello")</script>
. However, the input was sanitized on the client side, preventing the special characters from being saved.
As any pentester or bug hunter would do, I intercepted the request using Caido and manipulated the payload to bypass the client-side filters.
I tried injecting <script>al\u0065rt('hello')</script>
, and boom !! i found out that it wasn't just reflected in my browser but stored on the server. It executed on every browser or device visiting the affected page, confirming it as a Stored XSS.
Buzz lightyear was right haha.
To demonstrate the impact further, I deployed a blind XSS payload via xss.report. The payload successfully triggered, capturing sensitive information such as user cookies, IP addresses, and session details, effectively showing how this could be exploited to hijack user accounts.
Chaos
After gathering all the necessary information, I compiled a detailed report explaining the vulnerability’s impact, along with a clear proof of concept (PoC). but guess what !!
Despite providing a detailed report with a clear PoC, the Bugcrowd triager marked my submission as P5 (Informational), dismissing it as self-XSS. What’s frustrating is that they didn’t even visit the vulnerable page to verify the issue.
It’s concerning to see a significant vulnerability capable of compromising user data and affecting the organization’s reputation being misclassified. Accurate triaging is essential to ensure impactful vulnerabilities are recognized and properly addressed.
but then one of my friend which really helped me through the whole process suggested to re report the vulnerability as they dont even check the reply of their sent message.
After reporting it again, the vulnerability was finally triaged! It was later fixed, and the affected search-saving functionality was removed entirely.
Getting my first triaged report felt like a dream come true. After a month of reading writeups, watching PoCs on YouTube, and hunting persistently despite moments of doubt, it all paid off. Receiving that appreciation letter was everything I had worked for.
At the end. To anyone reading this: never lose hope. Keep learning, keep pushing, and trust that your hard work will pay off one day.
Thank you soo much for reading my writeup, Hope ya’ll liked it, i tried my best to share my experience and keep it insightful.
Untill next time.Happy hacking !!
Don’t forget to follow my socials : Github, Instagram and Linkedin.