A months-old cross-site scripting (XSS) vulnerability affecting the website for the Pentagon was brought to light again this week when a researcher posted two attack scenarios.
The researcher, using the alias "Ne0h," found the vulnerability on the Pentagon's "Tours" page and posted two proof-of-concept scripts.
Neither exploit, however, could lead to any sensitive Pentagon data being compromised, because the site is only used to provide information on visiting the headquarters of the U.S. Department of Defense, according to a post on Praetorian Prefect, a security blog. A successful attack could still harm users visiting the site.
"If not patched, the Pentagon website may be used as part of other web-based attacks via redirection using URLs sent to a user that appear to be from the Pentagon website," he said. "This type of XSS vulnerability, a reflected XSS vulnerability, is fairly common in web applications. A high-profile site such as that of the Pentagon should close it out."
A Department of Defense spokesperson did not respond to a request for comment.
In addition, Mike Bailey, a senior security researcher at Foreground Security, which provides penetration testing services and security auditing, said the bug could have wider impacts because of the mismatch between the way cookies are scoped and the way the domain name system (DNS) separates subdomains. A vulnerability on one website subdomain can be used to attack the main production domain, in this case osd.mil, or another subdomain, which may contain more confidential information than the Pentagon site does.
"There's not really anything to exploit on that domain, unless you want to force someone to book a tour at the Pentagon," Bailey told SCMagazineUS.com on Tuesday. "It's not until you look at how this may affect other osd.mil websites that things get interesting. As small and trivial and common as this vulnerability is, it really can have a far-reaching effect."
He said the osd.mil domain contains thousands of subdomains. XSS attacks generally are not used to infect users with malware but to expose sensitive data for hackers to steal.
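The two mechanisms the article relies on, a reflected parameter that is echoed into a page without encoding and a cookie whose Domain attribute makes it visible to every subdomain, can be made concrete in a few lines. The following is an added example written for this page; it is not code from the researcher, Praetorian Prefect, Foreground Security or SCMagazine, and the host names, cookie names and the `renderUnsafe`/`renderSafe`/`scriptReadableCookies` helpers are constructed placeholders rather than anything observed on the Pentagon site.

```javascript
// Added example (not from the article or anyone quoted in it): a reflected-XSS
// pattern beside its encoded fix, and a model of which cookies a browser attaches
// to a request so the parent-domain cookie issue can be checked on one's own sites.
// All host names and cookie names are constructed placeholders.

// Encode the characters HTML treats specially before placing untrusted text in a page.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable handler: a query-string value is copied into the response verbatim,
// so any markup in the value becomes part of the page (a reflected XSS).
function renderUnsafe(queryValue) {
  return `<p>You searched for: ${queryValue}</p>`;
}

// Hardened handler: the same page, with the value HTML-encoded first.
function renderSafe(queryValue) {
  return `<p>You searched for: ${escapeHtml(queryValue)}</p>`;
}

// Self-check for a response: does a value containing markup characters come back
// un-encoded? Useful when reviewing one's own pages for this pattern.
function reflectsMarkup(html, queryValue) {
  return /[<>"']/.test(queryValue) && html.includes(queryValue);
}

// RFC 6265 domain-matching: a cookie with a Domain attribute is sent to that domain
// and to every subdomain of it; a leading dot is ignored.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// A cookie without a Domain attribute is host-only: sent back only to the host that set it.
function cookieSentTo(cookie, requestHost) {
  if (cookie.domain === null) {
    return requestHost.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatches(requestHost, cookie.domain);
}

// Cookies that script running on requestHost could read: those the browser attaches
// to requests for that host and that were not flagged HttpOnly.
function scriptReadableCookies(jar, requestHost) {
  return jar
    .filter((c) => cookieSentTo(c, requestHost) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed cookie jar for a fictitious parent domain with two subdomains.
const sampleJar = [
  // Session cookie scoped to the parent domain: reaches every subdomain's scripts.
  { name: 'portal_session', setBy: 'portal.example.org', domain: 'example.org', httpOnly: false },
  // Same cookie hardened: host-only and HttpOnly, so neither sent elsewhere nor script-readable.
  { name: 'portal_session_hardened', setBy: 'portal.example.org', domain: null, httpOnly: true },
  // A harmless preference cookie set by the informational subdomain.
  { name: 'tour_pref', setBy: 'tours.example.org', domain: null, httpOnly: false },
];

// Summary of both checks, returned as data so it can be inspected or asserted on.
function demo() {
  const probe = '<b>probe</b>'; // benign markup used to test the encoding path
  return {
    unsafeReflects: reflectsMarkup(renderUnsafe(probe), probe),
    safeReflects: reflectsMarkup(renderSafe(probe), probe),
    readableOnTours: scriptReadableCookies(sampleJar, 'tours.example.org'),
    readableOnPortal: scriptReadableCookies(sampleJar, 'portal.example.org'),
  };
}

console.log(demo());
```

The cookie part is the point Bailey makes: `portal_session` is sent to, and readable by, any page under `example.org`, so a script injected on the informational subdomain sees it, while the host-only, HttpOnly variant stays out of reach. On the XSS side, encoding at the point where untrusted text meets HTML is the fix for the reflected case; a Content Security Policy is a useful second layer but does not replace it.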
"It's to make the user attack the server for you and take information for [the attacker]," Bailey said. "It exploits whatever trust the server may have in your browser."
Bailey provided detailed thoughts in a blog post on Tuesday.
A version of this article first appeared on www.scmagazineus.com