Reflected XSS on the Pentagon subdomain (and what it led to)

Hackers from the Tunisian Cyber ​​Army and Al Qaida Electronic Army reflected XSS on the Pentagon’s subdomain, namely the National Guard’s subdomain: g1arng.army.pentagon.mil/Pages/Default.ASPX .

With its help, they were able to steal the site administrator’s cookies and gain access to its mail and several critical files. This hacking was carried out with the assistance of Chinese hackers during the operation #opBlackSummer.
')




It is not the first time when the Pentagon sites suffer from hackers, but nevertheless, the reaction of the Pentagon administrators is still rather sluggish: yesterday Sabari Selvan sent them the details of the vulnerability, but it is still there.

Also, according to unverified data, in the framework of the same #opBlackSummer operation, the US State Department - state.gov - was compromised using sql injection.

At the time of publication of the post XSS is still present.

Suddenly, someone missed - a landmark article on XSS on the browser:
http://habrahabr.ru/post/149152/