
# How I found a security vulnerability in NASA


Hey everyone,

Here’s another example of a vulnerability I found in **NASA**. This is actually my **third bug** with them, and honestly, it was a pretty fun one that also gave me a nice takeaway.

### Step 1 — Subdomain Enumeration

I started off by pulling subdomains using **Amass**. The tool gave me over **30,000 subdomains**.

```sh
amass enum -d nasa.gov -o nasa_domains.txt
```

I used **HTTPX** to keep only the live ones (hosts answering with HTTP 200).

```sh
httpx -l nasa_domains.txt -status-code -mc 200 -silent -o live.txt
```

To make it easier, I split the results into chunks of **5,000 each** like this:

```sh
# 5,000 lines per file, numbered sub_00.txt, sub_01.txt, ...
split -l 5000 -d --additional-suffix=.txt nasa_domains.txt sub_
```

### Step 2 — AI Filtering <a href="#c339" id="c339"></a>

Here’s where AI really helped. There’s a cool tool that lets you run LLMs directly in your terminal using your **Gemini** or **OpenAI API key**.


So I asked the AI to analyze my subdomains and tell me which ones looked interesting, like internal dashboards, DevOps tools, staging environments, etc.

Example command:

```sh
cat subdomains.txt | llm -m gemini/gemini-2.5-pro "I have a list of subdomains from a target.
 Please analyze it and identify any subdomains that might be related to internal infrastructure,
 DevOps tools, staging environments, dashboards, or admin panels.
 Look for signs of tools like Jenkins, GitLab, Grafana, Kibana, SonarQube, Prometheus, ArgoCD, Harbor, Portainer, etc."
```

The AI did a great job: it pointed out the subdomains most likely to hold sensitive stuff, saving me tons of time.\
Usually, these are the ones that have misconfigurations, info leaks, or outdated CVEs.
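The same triage as a cheap local pre-filter, added here as an example that is not part of the original post: a keyword classifier over the subdomain list. The categories and patterns are my assumptions drawn from the tool names in the prompt above, and the hostnames are constructed. Running this first keeps most of the list off a third-party API, and it is the same check an asset-inventory team would run over its own DNS to spot exposed DevOps and non-production hosts.

```javascript
// Added example: local keyword triage of a subdomain list. Patterns are
// assumptions based on the tool names in the prompt; hosts are constructed.
const PATTERNS = {
  "ci/cd":        /jenkins|gitlab|argocd|argo-cd|drone|teamcity/,
  monitoring:     /grafana|kibana|prometheus|zabbix|nagios/,
  "code quality": /sonar|sonarqube/,
  containers:     /harbor|portainer|registry|docker/,
  "non-prod":     /\b(dev|test|staging|stage|uat|qa|sandbox)\b/,
  admin:          /admin|dashboard|console|internal|intranet/,
};

// Classify one hostname; returns the matching categories (may be empty).
function classifyHost(host) {
  const h = host.trim().toLowerCase();
  return Object.keys(PATTERNS).filter((cat) => PATTERNS[cat].test(h));
}

// Triage a newline-separated list: keep only hosts that hit at least one
// category, multi-hit hosts first, so the shortlist is what gets reviewed.
function triage(listText) {
  return listText
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter(Boolean)
    .map((host) => ({ host, categories: classifyHost(host) }))
    .filter((entry) => entry.categories.length > 0)
    .sort((a, b) => b.categories.length - a.categories.length);
}

// Constructed sample list (not real hosts).
const SAMPLE = `
www.example.gov
jenkins-dev.example.gov
grafana.internal.example.gov
cdn.example.gov
mail.example.gov
portainer.example.gov
`;

console.log(triage(SAMPLE));
```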

### Step 3 — Digging Deeper <a href="#id-82a5" id="id-82a5"></a>

From the filtered results, one of the subdomains I got was:

[`https://mcl-labcas.jpl.nasa.gov/labcas-ui/m/index.html`](https://mcl-labcas.jpl.nasa.gov/labcas-ui/m/index.html)

As always, my first move is checking **JavaScript files**, because they often reveal hidden endpoints or secrets that people overlook.

I used a little snippet to pull out endpoints from JS files:

```javascript
javascript:(function() {
    // Match quoted paths such as "/api/users" in inline and external scripts.
    var scripts = document.getElementsByTagName("script"),
        regex = /(?<=("|'|%27|`))\/[a-zA-Z0-9_?&=\/\-.\\]*?(?=("|'|%60))/g,
        results = new Set(),
        pending = [];

    // Fetch every external script and collect the paths it references.
    for (var i = 0; i < scripts.length; i++) {
        if (!scripts[i].src) continue;
        pending.push(fetch(scripts[i].src)
            .then(function(r) { return r.text(); })
            .then(function(body) {
                for (const m of body.matchAll(regex)) results.add(m[0]);
            })
            .catch(function(err) {
                console.log("An error occurred: ", err);
            }));
    }

    // Inline scripts and the rest of the page are scanned directly.
    for (const match of document.documentElement.outerHTML.matchAll(regex)) {
        results.add(match[0]);
    }

    // Once every fetch has settled (instead of a fixed 3 s timer),
    // replace the page with the list of endpoints found.
    Promise.all(pending).then(function() {
        results.forEach(function(path) {
            document.write(path + "<br>");
        });
    });
})();
```

But honestly, I prefer **manual analysis**, so I opened the JS files myself.

### Step 4 — The Discovery <a href="#b372" id="b372"></a>

I noticed the developers were saving **way too much stuff in Local Storage**, which is usually a bad idea.

So I checked it out, and boom — there it was.

I found a hidden endpoint:

[`https://mcl.jpl.nasa.gov/ksdb/publishhtml/?rdftype=person`](https://mcl.jpl.nasa.gov/ksdb/publishhtml/?rdftype=person)


Visiting that link gave me access to **over 1,300 user records** from the platform.


Note: This site isn’t public. Regular users can’t even create accounts there, which makes the exposure more critical.
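An added example, not code from the post, for checking what a front end keeps in Local Storage; the heuristics and the sample entries are constructed assumptions. Anything in Local Storage is readable by every script running on the origin and survives the session, so the tokens, personal data and bulk records flagged here belong server-side or in an HttpOnly cookie instead.

```javascript
// Added example: audit what a page keeps in Local Storage and flag entries
// that should never live there. Rules and sample data are constructed.
const RULES = [
  { name: "jwt",          test: (v) => /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/.test(v) },
  { name: "secret-key",   test: (v, k) => /key|token|secret|password/i.test(k) },
  { name: "email",        test: (v) => /[^\s@]+@[^\s@]+\.[a-z]{2,}/i.test(v) },
  { name: "internal-url", test: (v) => /https?:\/\/[^\s"']+/i.test(v) },
  { name: "bulk-data",    test: (v) => v.length > 2048 },
];

// Pure function: entries is an array of [key, value] pairs. Returns the
// entries that trigger at least one rule, each with the rules it hit.
function auditStorageEntries(entries) {
  const findings = [];
  for (const [key, value] of entries) {
    const v = typeof value === "string" ? value : JSON.stringify(value);
    const hits = RULES.filter((r) => r.test(v, key)).map((r) => r.name);
    if (hits.length) findings.push({ key, hits, size: v.length });
  }
  return findings;
}

// Browser wrapper: reads window.localStorage when it exists; returns [] otherwise.
function auditLocalStorage() {
  if (typeof localStorage === "undefined") return [];
  const entries = [];
  for (let i = 0; i < localStorage.length; i++) {
    const k = localStorage.key(i);
    entries.push([k, localStorage.getItem(k)]);
  }
  return auditStorageEntries(entries);
}

// Constructed sample resembling an over-eager front end (not real data).
const SAMPLE_ENTRIES = [
  ["theme", "dark"],
  ["authToken", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"],
  ["profile", JSON.stringify({ name: "Test User", email: "test.user@example.org" })],
  ["apiBase", "https://internal-api.example.org/v1/"],
  ["userCache", JSON.stringify(Array.from({ length: 200 }, (_, i) => ({ id: i, name: "user" + i })))],
];

console.log(auditStorageEntries(SAMPLE_ENTRIES));
```

Paste the two functions into the browser console on your own application and call `auditLocalStorage()` to get the same report for the live page.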

### Final Result <a href="#id-2fd1" id="id-2fd1"></a>

I reported the issue, and it was **accepted as a P3**.

I also met the Letters of Recognition (LOR) criteria.


### Thank you all! I hope you enjoyed the article. If you have any questions, I’m here to help. <a href="#cd94" id="cd94"></a>

Remember my name: everythingBlackkk

Made with ❤

GitHub: <https://github.com/everythingBlackkk>

LinkedIn: [www.linkedin.com/in/everythingblackkk](http://www.linkedin.com/in/everythingblackkk)

X: <https://x.com/0xblackkk>

YouTube: <https://www.youtube.com/@everythingBlackkk>
