How I Chained a Simple Text Injection with OAuth Misconfiguration on NASA
Hello everyone, I’m insomniaX, also known as Salman Rahman Chowdhury.
In this blog, I’ll describe how I discovered a text injection vulnerability on NASA’s platform and chained it with an OAuth misconfiguration. This combination elevated the bug’s severity from Not Applicable to a valid vulnerability. Here’s the full write-up detailing the process and impact.
Discovery and Initial Observations
To demonstrate the issue, I’ll use two alias domains: redacted.nasa.gov and redacted-research.nasa.gov.
During my testing, I discovered an interesting domain, redacted.nasa.gov. Upon visiting it, I was presented with a login panel featuring both sign-in and sign-up options.
I created an account, logged in, and began navigating through the application’s features. It quickly became apparent that the application lacked input validation. I was able to input arbitrary text in the username field, and it was reflected back in the UI. At first, this didn’t seem like a critical issue, as it had no immediate impact. Most bug bounty platforms would classify it as Not Applicable.
Expanding the Scope
After exploring for some time without finding further vulnerabilities on redacted.nasa.gov, I expanded my recon to other NASA subdomains. That’s when I came across another domain in my output: redacted-research.nasa.gov, which appeared to be nearly identical to the first.
Upon visiting this new domain, I was greeted with a welcome message:
Welcome user insomniaX
The only visible feature on the page was a logout button.
This behavior clearly indicated that redacted-research.nasa.gov was using OAuth-based authentication from redacted.nasa.gov.
Identifying the OAuth Misconfiguration
I checked my Burp Suite history to analyze the OAuth requests and found that the OAuth flow did not include a state parameter.
In the OAuth authentication mechanism, the state parameter acts as a CSRF token. It ensures that the /callback request originates from the same user who initiated the OAuth flow. The absence of this parameter makes it possible for an attacker to carry out CSRF attacks on the OAuth login process.
Exploiting the Chain
In this case, redacted-research.nasa.gov used OAuth for authentication without a state parameter and fetched user data from redacted.nasa.gov. This allowed an attacker to create a forced login flow on redacted-research.nasa.gov by tricking a victim into clicking a malicious link, such as:
https://redacted-research.nasa.gov/login?code=xyz
If the victim clicked the link, they would unknowingly complete the OAuth flow and be logged into the attacker’s account on redacted-research.nasa.gov.
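To make the state check concrete, here is an added example (my own illustration, not code from the NASA application or from this write-up) of a minimal OAuth client callback with and without a state parameter, covering both the missing-state finding above and the forced-login flow it enables. The client id, the exchange_code_stub function and the CODES mapping are placeholders standing in for the real token exchange.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

AUTH_SERVER = "https://redacted.nasa.gov"        # identity provider (from the write-up)
CLIENT = "https://redacted-research.nasa.gov"    # relying party (from the write-up)

# Constructed stand-in for "exchange code for token, then fetch userinfo":
# the code identifies whichever account authorized it.
CODES = {"xyz": "attacker-account"}

def exchange_code_stub(code):
    return CODES.get(code, "unknown")

# Vulnerable flow: nothing ties the callback to the browser session that
# started the login, so a link carrying someone else's code is accepted
# and the visitor is logged into that account (login CSRF).
def vulnerable_callback(session, url):
    params = parse_qs(urlparse(url).query)
    code = params.get("code", [None])[0]
    if code is None:
        return "error: missing code"
    session["user"] = exchange_code_stub(code)
    return f"Welcome user {session['user']}"

# Hardened flow, step 1: mint a random state, remember it in the session,
# and send it along in the authorization request.
def build_authorize_url(session):
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"{AUTH_SERVER}/authorize?" + urlencode({
        "response_type": "code", "client_id": "research-app",  # placeholder id
        "redirect_uri": f"{CLIENT}/login", "state": state})

# Hardened flow, step 2: the callback must echo the state stored in this
# session; it is consumed on first use so it cannot be replayed.
def hardened_callback(session, url):
    params = parse_qs(urlparse(url).query)
    code = params.get("code", [None])[0]
    state = params.get("state", [None])[0]
    expected = session.pop("oauth_state", None)
    if code is None or expected is None or not secrets.compare_digest(
            (state or "").encode(), expected.encode()):
        return "error: state mismatch"
    session["user"] = exchange_code_stub(code)
    return f"Welcome user {session['user']}"
```

A session that never called build_authorize_url has no stored state, so the forged link is rejected before any code exchange happens.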
At first, this might seem harmless — after all, logging a victim into your own account doesn’t sound like a serious issue. But then I remembered the text injection vulnerability on redacted.nasa.gov, where arbitrary usernames were accepted and later reflected on redacted-research.nasa.gov.
This opened up an attack chain.
Crafting a Phishing Scenario
An attacker could register an account with a username like:
Login Failed. Please login at malicious-research.nasa.gov/login.
After the OAuth login (which the victim completes unknowingly), this crafted message would be reflected on redacted-research.nasa.gov, creating a highly convincing phishing vector.
In such a scenario, the attacker could host a fake login page at malicious-research.nasa.gov/login that mimics the real interface. The victim, believing they're not logged in (due to the message), might input their credentials — thereby exposing their research account login information.
Responsible Disclosure and Acknowledgment
I promptly reported the vulnerability through Bugcrowd. After review, the report was accepted and acknowledged by the Bugcrowd team.
Following my responsible disclosure, NASA’s security team remediated the issues by:
- Implementing proper input validation on redacted.nasa.gov
- Adding the missing state parameter in the OAuth flow on redacted-research.nasa.gov
As a token of appreciation, I was honored to receive a Letter of Recognition from NASA.
As of now, the vulnerability has been fully patched and no longer exists.
Final Thoughts
This finding highlights how a low-impact vulnerability like text injection, chained with an OAuth misconfiguration, can result in a high-impact attack. Always take the time to think creatively and test interactions between features — you might uncover something bigger than it first appears.
Thanks for reading!