Researcher demonstrates Pentagon XSS vulnerability

A months-old cross-site scripting (XSS) vulnerability affecting the website for the Pentagon was brought to light again this week when a researcher posted two attack scenarios.

The researcher, using the alias "Ne0h", found the vulnerability on the Pentagon's Tours' page and posted two proof-of-concept scripts.

None of the exploits, however, could lead to any sensitive Pentagon data being compromised because the site is only used to provide information on visiting the headquarters of the US Department of Defense, according to a post on security blog Praetorian Prefect. However, a successful attack could harm users visiting the site.

Users could fall victim to other IFRAME or JavaScript injection, according to the blog. The vulnerability, related to weak validation on the site's photo album application, dates back to last spring when it was posted to XSS.com, a vulnerability clearinghouse.

"If not patched, the Pentagon website may be used as part of other web-based attacks via redirection using URLs sent to a user that appear to be from the Pentagon website," he said. "This type of XSS vulnerability, a reflected XSS vulnerability, is fairly common in web applications. A high-profile site such as that of the Pentagon should close it out."

A Department of Defense spokesperson did not respond to a request for comment. 

In addition, Mike Bailey, a senior security researcher at Foreground Security, which provides penetration testing services and security auditing, said the bug could have wider impacts due to the contradictory way that cookies and the domain name system (DNS) act. A vulnerability on one website subdomain can be used to attack the main production domain -- in this case, osd.mil -- or another subdomain, which may contain more confidential information than the Pentagon site does.

"There's not really anything to exploit on that domain, unless you want to force someone to book a tour at the Pentagon," Bailey told SCMagazineUS.com. "It's not until you look at how this may affect other osd.mil websites that things get interesting. As small and trivial and common as this vulnerability is, it really can have a far-reaching effect."He said the osd.mil domain contains thousands of subdomains. XSS attacks generally are not used to infect users with malware but to expose sensitive data for hackers to steal.

"It's to make the user attack the server for you and take information for [the attacker]," Bailey said. "It exploits whatever trust the server may have in your browser."

See original article on scmagazineus.com