Several vulnerabilities have been found in the National Security Agency (NSA) website.
Although now reported and fixed, a report found that there were cross-site scripting (XSS) vulnerabilities on the NSA's main forward-facing web server. The report claimed that two vulnerabilities were found in "shoddily outsourced third party software written in ColdFusion", which Rustle Research researcher Horace Grant said could be used to impersonate NSA personnel and web traffic.
He said: "Why are unreliable third parties creating the software that guards our national secrets?"
One of the NSA vulnerabilities that was exploited by ethical white hat hackers exists in the 'Careers' section of the NSA website. The report said that internet users who entered data into the 'Feedback' fields were treated to a visual representation of their data reflected back at them.
The other bug is an XSS attack that allows URL redirection. The report said that when the 'Mail to a Friend' notice is queried and nsa.gov is appended to the end of the address, the address is exempted from validation and the redirect to the supplied address is allowed.
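The two flaws described above come down to a suffix-only check on the redirect target and unencoded reflection of feedback text. The following added example (not code from the article, the NSA site, or the report) contrasts the weak suffix check with a host allow-list check and shows output encoding for the reflected field; the allow-list contents and the test URLs are constructed assumptions.

```python
from html import escape
from urllib.parse import urlparse

# Hypothetical allow-list of hosts a redirect may point to (assumption, not from the article).
ALLOWED_HOSTS = {"nsa.gov", "www.nsa.gov"}


def weak_redirect_check(url: str) -> bool:
    """The kind of check the report describes: any address that merely
    ends with 'nsa.gov' is treated as trusted, wherever the text appears."""
    return url.endswith("nsa.gov")


def safe_redirect_check(url: str) -> bool:
    """Hardened check: parse the URL and compare the exact host name
    against an allow-list, so an arbitrary address that happens to end
    with the trusted string is rejected."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.hostname in ALLOWED_HOSTS


def render_feedback(user_input: str) -> str:
    """Reflect feedback text into an HTML page with output encoding applied,
    so any markup in the input is displayed as text rather than rendered."""
    return f"<p>You wrote: {escape(user_input, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed test inputs: a legitimate target and one that only ends with the trusted string.
    for candidate in ("https://www.nsa.gov", "https://not-nsa.example/?next=nsa.gov"):
        print(candidate, "weak:", weak_redirect_check(candidate), "safe:", safe_redirect_check(candidate))
    print(render_feedback("<b>hello</b>"))
```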
The holes were reported and have since been patched.
According to research by FireHost from late 2012, XSS was the most common attack type in Q3 of 2012, with more than one million XSS attacks blocked during that period.