Researcher demonstrates Pentagon XSS vulnerability


Updated on Tuesday, Dec. 8 at 5:31 p.m. EST

A months-old cross-site scripting (XSS) vulnerability affecting the website for the Pentagon was brought to light again this week when a researcher posted two attack scenarios.

The researcher, using the alias "Ne0h," found the vulnerability on the Pentagon's "Tours" page and posted two proof-of-concept scripts.

Neither exploit, however, could lead to any sensitive Pentagon data being compromised, because the site is only used to provide information on visiting the headquarters of the U.S. Department of Defense, according to a post on Praetorian Prefect, a security blog. A successful attack could, however, harm users visiting the site.

Users could fall victim to further IFRAME or JavaScript injection, according to the blog. The vulnerability, caused by weak input validation in the site's photo album application, dates back to last spring, when it was posted to, a vulnerability clearinghouse.

"If not patched, the Pentagon website may be used as part of other web-based attacks via redirection using URLs sent to a user that appear to be from the Pentagon website," he said. "This type of XSS vulnerability, a reflected XSS vulnerability, is fairly common in web applications. A high-profile site such as that of the Pentagon should close it out."
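The reflected XSS pattern described above, shown as an added example that is not code from the article, the blog post, or the Pentagon site: a hypothetical photo-album page handler that pastes a query parameter into its HTML beside the hardened version that output-encodes it, plus a small log-review check. The handler names, the album parameter and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the article or the site it discusses): a reflected
// XSS in a hypothetical photo-album page handler, beside the hardened version.
// Parameter name, handler names and sample inputs are constructed.

// Escape the five characters that let attacker-controlled text break out of
// an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[ch]);
}

// Vulnerable: the album name from the query string is copied into the
// response verbatim, so any markup in the parameter is rendered by the
// victim's browser in the site's origin.
function renderAlbumPageUnsafe(query) {
  const album = new URLSearchParams(query).get("album") || "";
  return `<h1>Album: ${album}</h1>`;
}

// Hardened: the same value is output-encoded before it reaches the HTML,
// so it is displayed as text rather than interpreted as markup.
function renderAlbumPageSafe(query) {
  const album = new URLSearchParams(query).get("album") || "";
  return `<h1>Album: ${escapeHtml(album)}</h1>`;
}

// Detection helper for reviewing request logs: flags any query parameter
// whose decoded value contains what looks like the start of an HTML tag.
function looksLikeMarkupInjection(query) {
  for (const [, value] of new URLSearchParams(query)) {
    if (/<\s*[a-z!\/]/i.test(value)) return true;
  }
  return false;
}

// Constructed inputs: a benign album name and a tag-bearing one.
const benignQuery = "album=Memorial+Hall";
const hostileQuery = "album=<script>alert(1)</script>";

console.log(renderAlbumPageUnsafe(hostileQuery)); // markup survives intact
console.log(renderAlbumPageSafe(hostileQuery));   // markup is neutralised
console.log(looksLikeMarkupInjection(hostileQuery), looksLikeMarkupInjection(benignQuery));
```

Encoding at the point of output is the fix that closes the bug; input validation on the album name is a useful second layer but not a substitute, since the same value may later be placed in contexts with different escaping rules.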

Mike Bailey, a senior security researcher at Foreground Security, which provides penetration testing and security auditing services, said the bug could have wider impact because of the mismatch between how cookies are scoped and how the domain name system (DNS) separates hosts. A vulnerability on one website subdomain can be used to attack the main production domain -- in this case, -- or another subdomain, which may hold more confidential information than the Pentagon tours site does.

"There's not really anything to exploit on that domain, unless you want to force someone to book a tour at the Pentagon," Bailey told on Tuesday. "It's not until you look at how this may affect other websites that things get interesting. As small and trivial and common as this vulnerability is, it really can have a far-reaching effect."

He said the domain contains thousands of subdomains. XSS attacks are generally used not to infect users with malware but to expose sensitive data that attackers can steal.

"It's to make the user attack the server for you and take information for [the attacker]," Bailey said. "It exploits whatever trust the server may have in your browser."
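The cookie-scoping point Bailey makes, as an added example that is not part of the article or his blog post: the RFC 6265 domain-matching rule decides which cookies a browser attaches to a request, and any cookie not marked HttpOnly is also readable by script running on that host, including script injected through a reflected XSS on an unrelated subdomain. The host names, cookie names and jar contents below are constructed placeholders, not values from the page.

```javascript
// Added example (not from the article): which cookies a script running on one
// subdomain can see, using the RFC 6265 section 5.1.3 domain-matching rule.
// All host and cookie names are constructed placeholders.

// A host domain-matches a cookie domain when the strings are equal, or when
// the host ends with "." + cookieDomain and the host is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + cookieDomain);
}

// A stored cookie. hostOnly is set when Set-Cookie carried no Domain
// attribute; httpOnly hides the cookie from document.cookie (but not from
// the network requests the browser makes).
function cookie(name, domain, { hostOnly = false, httpOnly = false } = {}) {
  return { name, domain, hostOnly, httpOnly };
}

// Cookies a browser would attach to a request sent to `host`.
function cookiesSentTo(host, jar) {
  return jar
    .filter(c => c.hostOnly
      ? host.toLowerCase() === c.domain.toLowerCase()
      : domainMatches(host, c.domain))
    .map(c => c.name);
}

// Cookies that page script on `host` (legitimate or injected) can read.
function cookiesReadableByScriptOn(host, jar) {
  return cookiesSentTo(host, jar.filter(c => !c.httpOnly));
}

// Constructed jar for a hypothetical example.mil deployment: a session cookie
// scoped to the parent domain, the same scope with HttpOnly, and a host-only
// cookie on an internal subdomain.
const jar = [
  cookie("sso_session", "example.mil"),
  cookie("portal_auth", "example.mil", { httpOnly: true }),
  cookie("admin_token", "intranet.example.mil", { hostOnly: true })
];

// Script on the low-value tours subdomain still sees the parent-domain cookie.
console.log(cookiesReadableByScriptOn("tours.example.mil", jar));
// The browser sends both parent-domain cookies there, HttpOnly or not.
console.log(cookiesSentTo("tours.example.mil", jar));
// The host-only cookie never leaves its own host.
console.log(cookiesSentTo("www.example.mil", jar));
```

The mitigations the example points at are the usual ones: set session cookies host-only (omit the Domain attribute) so a subdomain compromise cannot read them, add HttpOnly so injected script cannot read them even when they must be shared, and fix the XSS itself, since a script on the subdomain can also write a cookie with Domain set to the parent domain and have it sent to every other host under it.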

Military spokesman Lt. Col. Eric Butterbaugh told Wednesday in an email that the agency doesn't comment on cyberincidents for security reasons. However, he said attempted attacks against department networks are sharply increasing.

"[They] are probed thousands of times a day and scanned millions of times a day," he said. "We take all threats seriously and aggressively monitor our networks for intrusions and have appropriate procedures to address these threats."

Bailey provided detailed thoughts in a blog post Tuesday.
