Researcher demonstrates Pentagon XSS vulnerability
Updated on Tuesday, Dec. 8 at 5:31 p.m. EST
The researcher, using the alias "Ne0h," found the vulnerability on the Pentagon's "Tours" page and posted two proof-of-concept scripts.
None of the exploits, however, could lead to any sensitive Pentagon data being compromised because the site only is used to provide information on visiting the headquarters of the U.S. Department of Defense, according to a post on Praetorian Prefect, a security blog. However, a successful attack could harm users visiting the site.
"If not patched, the Pentagon website may be used as part of other web-based attacks via redirection using URLs sent to a user that appear to be from the Pentagon website," he said. "This type of XSS vulnerability, a reflected XSS vulnerability, is fairly common in web applications. A high-profile site such as that of the Pentagon should close it out."
Mike Bailey, a senior security researcher at Foreground Security, which provides penetration testing services and security auditing, said the bug could have wider impacts due to the contradictory way that cookies and the domain name system (DNS) act. A vulnerability on one website subdomain can be used to attack the main production domain -- in this case, osd.mil -- or another subdomain, which may contain more confidential information than the Pentagon site does.
"There's not really anything to exploit on that domain, unless you want to force someone to book a tour at the Pentagon," Bailey told SCMagazineUS.com on Tuesday. "It's not until you look at how this may affect other osd.mil websites that things get interesting. As small and trivial and common as this vulnerability is, it really can have a far-reaching effect."
He said the osd.mil domain contains thousands of subdomains. XSS attacks generally are not used to infect users with malware but to expose sensitive data for hackers to steal.
"It's to make the user attack the server for you and take information for [the attacker]," Bailey said. "It exploits whatever trust the server may have in your browser."
Military spokesman Lt. Col. Eric Butterbaugh told SCMagazineUS.com Wednesday in an email that the agency doesn't comment on cyberincidents for security reasons. However, he said attempted attacks against department networks are sharply increasing.
"[They] are probed thousands of times a day and scanned millions of times a day," he said. "We take all threats seriously and aggressively monitor our networks for intrusions and have appropriate procedures to address these threats."
Bailey provided detailed thoughts in a blog post Tuesday.