NASA NODIS Cross Site Scripting

The NASA Online Directives Information System suffers from a cross site scripting vulnerability that can be leveraged via the User-Agent header. The researcher has notified NASA and has not received a response.

MD5 | 09668c9e1fd08a529b49b8e41a40a423

Cross-site Scripting (XSS) Vulnerability in NASA through User Agent - Binit Ghimire

As of October 19, 2019, there exists a Reflected Cross-site Scripting (XSS) vulnerability in a sub-domain of the official NASA website as a result of the User Agent HTTP request header getting displayed in the webpage. The vulnerability was discovered on October 11, 2019 and a video was uploaded to YouTube regarding the reproduction of the vulnerability.

Vulnerable URLs:

Proof-of-Concept (PoC) Video:

How to Reproduce?
Step 1: Visit
Here, you will be able to see that it displays your User-Agent in the form of "Your browser is {User-Agent}". In my case, it displays "Your browser is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0".

Step 2: Then, open your browser's Developer Tools, and add a custom User Agent string containing the following XSS payload:

You can also modify the value of User Agent by intercepting the GET request sent to the server while visiting and then forwarding the request.

I have explained about this in the Proof-of-Concept (PoC) video along with this vulnerability report.

Step 3: Now, visit the webpage with the modified User Agent value, and you will be able to see the XSS payload in the User Agent getting executed.

Author Details:
Name: Binit Ghimire
Twitter: @WHOISbinit (
Facebook Page:
Facebook Profile:

Related Posts