How I got Hall of Fame in NASA 😍
Hi, Ajak Amico’s welcome back to another blog . Today In this blog, I will show how I got Hall of Fame from NASA by hacking their one for their subdomains. So Before starting, if you haven’t subscribed to our channel, do subscribe, guys. Contents related to cyber security, Bug Bounty, and Digital Forensics Investigation.
Follow our Youtube Channel: @ajakcybersecurity (360 Videos)
Follow on Instagram: AjakCybersecurity
Bug Description:
Title: URL Misconfiguration Leads to Internal Source Code Disclosure
Severity: P4
Bug Type: Information disclosure
Affected domain: subdomain.nasa.gov
Impact: Internal Source code disclosure leads to gain additional information to bypass one of the NASA admin pages.
Recon:
Before spitting the recon, and Steps to reproduce, I hunted for 31 days in NASA and found 8 bugs, in which one got triaged. so there are many recon parts I did for NASA, which I will share in my next blog, as of now I will say how I used my recon to find this bug.
Google dorks:
intext:register site:*nasa.gov
so this was the dork used here, my aim was to hunt for XSS so I visited each and every subdomain slowly, and found one ODD subdomain, which I hadn’t encountered in my 31 days of hunting. So it had an admin page, and upon clicking on each URL, I found a parameter named https://subdomain.nasa.gov/docs/site/showdoc?mnemonic=NEWS_LETTER upon disturbing the URL by giving, ‘ single colon’ I got the following error.
I Checked for SQLI but it was not exploitable, but my instinct said that I could something get from this subdomain.So started to visit each and every link that was posted on the site manually, yes you are right, to find this bug I just did a manual fuzzing, and to my surprise just upon visiting a URL, I found a link where the whole page leaked internal pearl code.
So this is just one part of the code, like I scrolled the whole page and found the whole pearl code leaked some details regards with admin login, I didn’t have much faith in reporting it, since I assumed it would be just a stack trace error and triage team would close this as Informational and as assumed some game was played between me and the triage team💀.
They marked me this as out-of-scope when I submitted this flaw. since I was already a bit sad since all my reported bugs in NASA got duplicate and N/A, I didn’t care about this much.
but the next day I received this message
“Customer sent a private message to Bugcrowd Staff”
I got bit confused and noted that my reported subdomain was in scope, so I immediately sent a response to the request by stating my URL was in scope.
To my surprise, the next day they re-opened the report and marked the report to ‘Triaged’ and I couldn’t explain the joy I had at that moment.🥹
Once the bug was resolved, within a week, I got an appreciation letter from NASA.❤️
Steps to Reproduce:
- Visit the affected subdomain
- Click each and every URL manually
- Upon clicking the Vulnerable URL whole internal Perl source code is leaked.
PS: 100 claps for this blog, I will share Tips and Tricks to get HOF from NASA in my next writeup.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Hope you would have learned some information from this blog if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️
“கற்றவை பற்றவை🔥”
Learn Everyday, Happy Hacking 😁🙌
https://www.buymeacoffee.com/Ajak
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Follow our Youtube Channel: @ajakcybersecurity
Follow on Instagram: @ajakcybersecurity