funsec mailing list archives

Re: Security problems at the NSA Web site?


From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 28 Dec 2005 18:02:32 +0000

On Tue, 2005-12-27 at 11:20 -0500, Richard M. Smith wrote:
> I just tried applying for a job at nsa.gov and got this error message:
>
> https://www.nsa.gov/servlets/iclientservlet/applyonline/?ICType=Panel&Menu=ROLE_APPLICANT&Market=GBL&PanelGroupName=HR_RESUME_ADD_APP

I've seen a couple of SQL injection and XSS bugs in the NSA's site. I
notified them to a few different email addresses but received no
response. I publicised one of the more tame vulnerabilities in the hope
it would spur them on to fix the issues the site has, but they have
ignored the private and public postings. After publicising that
vulnerability I received a few emails from friends/others with details
of even more vulnerabilities (one of them was the same one you've
experienced, I believe). They don't take security of their public site
seriously for one reason or another. There has been lots of speculation
on this, from ignorance to baiting and even recruiting techniques. None
of which I'd care to comment on.

Point is they just don't fix it.

Tangent alert. Anyone come across websites that actually use XSS as part
of the application? i.e. URLs generated which, by design, have
scripting in them in order to generate page content. We've all seen this
a lot with the common error_message="string" parameters in the URL for
lazy error processing. Recently, however, I came across an instance
where they created a javascript back link by passing the entire <A> tag
with accompanying javascript in the URL! Obviously exploiting this for
XSS is even more trivial than the error message laziness.

I find ignorance of the implications of this in some sites quite
surprising, considering how well publicised this information now is.


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
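An added example, not code from the original post or from any site it mentions: the error_message-in-the-URL pattern described above, rendered the lazy way beside a hardened version that keeps page content out of the URL entirely, plus a small check a log reviewer could run over request URLs. The hostname, parameter names and message table are constructed for the example.

```javascript
// Constructed example: the "error_message in the URL" anti-pattern and its fix.

// Vulnerable: the message text is taken straight from the URL and spliced into
// the page markup, so any HTML (or script) in the parameter becomes page content.
function renderErrorUnsafe(pageUrl) {
  const msg = new URL(pageUrl).searchParams.get('error_message') || '';
  return `<div class="error">${msg}</div>`;
}

// Hardened, step 1: the URL carries only an opaque message code; the displayed
// text comes from a server-side table, so the URL never supplies page content.
const ERROR_TEXT = {
  login_failed: 'Login failed. Check your username and password.',
  session_expired: 'Your session has expired. Please sign in again.',
};
const DEFAULT_ERROR = 'An error occurred.';

// Hardened, step 2: whatever is rendered is HTML-escaped anyway (defence in
// depth, in case a free-text field is ever reintroduced).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderErrorSafe(pageUrl) {
  const code = new URL(pageUrl).searchParams.get('error') || '';
  // hasOwnProperty guards against codes like "__proto__" hitting the prototype.
  const text = Object.prototype.hasOwnProperty.call(ERROR_TEXT, code)
    ? ERROR_TEXT[code]
    : DEFAULT_ERROR;
  return `<div class="error">${escapeHtml(text)}</div>`;
}

// Detection aid for log review: does any query parameter in this request URL
// carry markup? Legitimate message codes never contain angle brackets.
function paramCarriesMarkup(pageUrl) {
  for (const [, value] of new URL(pageUrl).searchParams) {
    if (/[<>]/.test(value)) return true;
  }
  return false;
}

// Constructed sample URLs (hypothetical host).
const plainUrl = 'https://example.test/login?error_message=Login+failed';
const taggedUrl = 'https://example.test/login?error_message=%3Cb%3ELogin%3C%2Fb%3E+failed';
console.log(renderErrorUnsafe(taggedUrl));  // markup from the URL passes straight through
console.log(renderErrorSafe('https://example.test/login?error=login_failed'));
console.log(paramCarriesMarkup(plainUrl), paramCarriesMarkup(taggedUrl));
```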


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
