How I found a security vulnerability in NASA

Hey Everyone ,

Here’s another example of a vulnerability I found in NASA. This is actually my third bug with them, and honestly, it was a pretty fun one that also gave me a nice takeaway.

I started off by pulling subdomains using Amass. The tool gave me over 30,000 subdomains.

amass enum -d nasa.gov -o nasa_domains.txt

I used HTTPX to filter out the active ones.

httpx -l nasa_domains.txt -status-code -mc 200 -silent -o live.txt

To make it easier, I split the results into chunks of 5,000 each like this:

split -l 100 -d --additional-suffix=.txt nasa_domains.txt sub_

Step 2 — AI Filtering

Here’s where AI really helped. There’s a cool tool that lets you run LLMs directly in your terminal using your Gemini or OpenAI API key.

So I asked the AI to analyze my subdomains and tell me which ones looked interesting, like internal dashboards, DevOps tools, staging environments, etc.

Example command:

cat subdomains.txt | llm -m gemini/gemini-2.5-pro "I have a list of subdomains from a target.
 Please analyze it and identify any subdomains that might be related to internal infrastructure,
 DevOps tools, staging environments, dashboards, or admin panels.
 Look for signs of tools like Jenkins, GitLab, Grafana, Kibana, SonarQube, Prometheus, ArgoCD, Harbor, Portainer, etc."

The AI did a great job , it pointed out the subdomains most likely to hold sensitive stuff, saving me tons of time. Usually, these are the ones that have misconfigurations, info leaks, or outdated CVEs.

Step 3 — Digging Deeper

From the filtered results, one of the subdomains I got was:

https://mcl-labcas.jpl.nasa.gov/labcas-ui/m/index.html

As always, my first move is checking JavaScript files, because they often reveal hidden endpoints or secrets that people overlook.

I used a little snippet to pull out endpoints from JS files:


javascript:(function() {
    var scripts = document.getElementsByTagName("script"),
        regex = /(?<=("|'|%27|`))\/[a-zA-Z0-9_?&=\/\-.\\]*?(?=("|'|%60))/g,
        results = new Set();

    for (var i = 0; i < scripts.length; i++) {
        var t = scripts[i].src ? fetch(scripts[i].src).then(t => t.text()).then(t => {
            var e = t.matchAll(regex);
            for (let r of e) results.add(r[0]);
        }).catch(function(t) {
            console.log("An error occurred: ", t);
        }) : null;
    }

    var pageContent = document.documentElement.outerHTML,
        matches = pageContent.matchAll(regex);

    for (const match of matches) results.add(match[0]);

    function writeResults() {
        results.forEach(function(t) {
            document.write(t + "<br>");
        });
    }

    setTimeout(writeResults, 3e3);
})();