National Security Agency (NSA) SSL web page XSSed

Written by DP

Wednesday, 23 June 2010

Security researcher "Zeitjak", has notified us that the website is vulnerable to a new critical cross-site scripting vulnerability.

Malicious people can exploit the XSS by launching a client-side attack against NSA's computers or browsers, with the purpose of obtaining classified information. With the NSA providing security services to the government, military and large enterprises; botnet herders would be so proud to own NSA zombies!

What triggers the flaw, seems to be an unfiltered parameter (languageCd=) on Oracle's PeopleSoft Enterprise version 8. What is strange is that, although a search on Google revealed more than 2000 high-profile websites using this web CRM/HRMS application, and more than 200 using version 8, we could not reproduce the XSS on a few. 

Google Dorks:
intitle:PeopleSoft Enterprise 8 Sign-in inurl:cmd=login
inurl:psp inurl:cmd=login

NSA has been XSSed, hacked and defaced in the past:

Time Notifier H M R Domain OS View
2009/10/05 SQL_Master Win 2003 mirror

 Source: Digital Attacks/Web Defacement Archive



Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.