RE: FN-FORUM: Hacking the NSA's website
date posted 3rd August 2005 19:39
[EMAIL REMOVED] wrote:
>
> http://www.nsa.gov/notices/notic00003.cfm?Address=%22%3E%3Cscript%3Ealert(%22Dread%20was%20here%20and%20the%20NSA%20have%20shit%20security%22)%3C/script%3E
>
> I've not done anything else than play around with the alert() message,
> so I've no idea how far this could be taken, and I'm not too keen on
> appearing on the NSA's server logs as someone trying to break things,
> but surely it's only a matter of time. I'm beginning to think it's what
> they deserve if they don't fix it even when they are notified of it. I'm
> sure some 14-year-old kid wants his 15 minutes of fame on the local
> news for hacking the NSA's website.

The issue is that the JavaScript runs in the context of the site's page. It
potentially allows a malicious hacker to get secure information, either off a
page or, for example, out of a cookie set by the NSA website. If they ever
store secure information in cookies or use session-based security that
stores the session ID in a cookie, then it is a definite vulnerability.
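
The fix for the issue discussed above, as an added example that is not part of the original thread and is not the site's code: the reflected `Address` value is encoded for the attribute context, and the session cookie is marked `HttpOnly` so page script cannot read it. It assumes the parameter is echoed into a quoted attribute value; the template, function names and sample values are hypothetical.

```javascript
// Added example: a reflected parameter in an HTML attribute, raw vs. encoded.
// ASSUMPTION: the page echoes `Address` into a quoted attribute value; the
// real notic00003.cfm template is not shown in the thread.

// Constructed sample query string, same shape as the URL quoted in the thread.
const SAMPLE_QUERY = 'Address=%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E';

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical "before": raw concatenation lets `">` close the attribute.
function renderUnsafe(address) {
  return '<input type="text" name="Address" value="' + address + '">';
}

// Hypothetical "after": the value stays inside the attribute as inert text.
function renderSafe(address) {
  return '<input type="text" name="Address" value="' + escapeHtml(address) + '">';
}

// Session cookie header: HttpOnly keeps the value out of document.cookie,
// Secure restricts it to HTTPS. Defence in depth, not a substitute for encoding.
function sessionCookieHeader(sessionId) {
  return 'Set-Cookie: sid=' + encodeURIComponent(sessionId) +
    '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// True when the markup contains a script element the template never intended.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const address = new URLSearchParams(SAMPLE_QUERY).get('Address');
  return {
    decoded: address,
    unsafeHasScript: containsScriptTag(renderUnsafe(address)),
    safeHasScript: containsScriptTag(renderSafe(address)),
    safeHtml: renderSafe(address),
    cookie: sessionCookieHeader('constructed-session-id'),
  };
}

console.log(demo());
```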