funsec mailing list archives
Re: Security problems at the NSA Web site?
From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 28 Dec 2005 18:02:32 +0000
On Tue, 2005-12-27 at 11:20 -0500, Richard M. Smith wrote:
I just tried applying for a job at nsa.gov and got this error message: https://www.nsa.gov/servlets/iclientservlet/applyonline/?ICType=Panel&Menu=ROLE_APPLICANT&Market=GBL&PanelGroupName=HR_RESUME_ADD_APP
I've seen a couple of SQL injection and XSS bugs in the NSAs site. I notified them to a few different email addresses but received no response. I publicised one of the more tame vulnerabilities in the hope it would spur them on to fix the issues the site has but they have ignored the private and public postings. After publicising that vulnerability I received a few emails from friends/others with details of even more vulnerabilities (one of them was the same one you've experienced I believe). They don't take security of their public site seriously for one reason or another. There have been lots of speculation on this from ignorance to baiting and even recruiting techniques. None of which I'd care to comment on. Point is they just don't fix it. Tanget Alert. Anyone come across websites that actually use XSS as part of the application ? ie... URL's generated which, by design, have scripting in them in order to generate page content. We've all seen this a lot with the common error_message="string" parameters in the URL for lazy error processing. Recently, however, I come across an instance where they created a javascript back link by passing the entire <A> tag with accompanying javascript in the URL! Obviously exploiting this for XSS is even more trivial than the error message laziness. I find ignorance of the implications of this in some sites quite surprising. Considering how well publicised this information now is. -- With Regards.. Barrie Dempster (zeedo) - Fortiter et Strenue "He who hingeth aboot, geteth hee-haw" Victor - Still Game blog: http://reboot-robot.net sites: http://www.bsrf.org.uk - http://www.security-forums.com ca: https://www.cacert.org/index.php?id=3
Attachment:
smime.p7s
Description:
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Security problems at the NSA Web site? Richard M. Smith (Dec 27)
- Re: Security problems at the NSA Web site? Gadi Evron (Dec 27)
- Re: Security problems at the NSA Web site? Paul Schmehl (Dec 27)
- Re: Security problems at the NSA Web site? Barrie Dempster (Dec 28)
- Re[2]: Security problems at the NSA Web site? Pierre Vandevenne (Dec 28)
- Re: Security problems at the NSA Web site? Paul Schmehl (Dec 28)
- Re: Security problems at the NSA Web site? Barrie Dempster (Dec 28)