FirstBlood-#610 — Stored XSS through the file upload and unsanitized User-Agent
This issue was discovered on FirstBlood v2
On 2021-10-26, holybugx Level 5 reported:
Description
Hello Sean,
Stored XSS is possible on the Vaccination Management portal on the User-Agent
field. When users upload their vaccination proof, their User-Agent is also logged directly without sanitization into the Management portal, which results in the following vulnerability.
Steps To Reproduce
- Use the /vaccination-manager/pub/upload-vaccination-proof.php API endpoint to upload your vaccine proof:
- Intercept the request and tamper with the User-Agent before sending the final HTTP request.
- The XSS executes after the Vaccination Management's admin login:
Impact
As the cookies are signed as httpOnly, it is not possible to steal the cookies to take over the admin's account. However, with an XSS an attacker can perform unauthenticated actions on behalf of the victim, i.e. Cross-Site Request Forgery.
Remediation
Here is how the page source code looks after the XSS injection:
To fix this issue, the user's User-Agent needs to be properly validated and sanitized.
Kind Regards,
HolyBugx
P2 High
Endpoint: /vaccination-manager/pub/submit-vaccination-proof.php
Parameter: user-agent
Payload: "><svg/onload=alert(document.domain)
FirstBlood ID: 29
Vulnerability Type: Stored XSS
When uploading a vaccine proof it is possible to achieve stored XSS against admins via a payload placed in the User-Agent header. As this value typically can't be user controlled, the developers did not think it was 'worth' preventing XSS there.
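The remediation the report asks for, shown as an added PHP example that is not FirstBlood's own code: the portal's real function and field names are unknown, so `normalize_user_agent`, `render_row_vulnerable` and `render_row_safe` are assumed names, and the sample header value is the report's payload embedded as a constructed input. The vulnerable renderer reproduces the pattern the report describes (header concatenated straight into the admin page); the safe renderer HTML-encodes at the point of output so the same header is displayed as text.

```php
<?php
// Added example (not FirstBlood's code): handling a logged User-Agent safely.
// Function names and the table-cell layout are assumptions for illustration.

declare(strict_types=1);

// Constructed sample input: the report's payload as it would arrive in the
// User-Agent header. Any HTTP client can send an arbitrary header value, so
// it has to be treated exactly like any other untrusted user input.
const SAMPLE_UA = '"><svg/onload=alert(document.domain)';

/**
 * Intake-side normalisation when the upload is received.
 * This does NOT make the value safe to print; it only bounds what gets
 * stored (no control characters, capped length) as defence in depth.
 */
function normalize_user_agent(?string $ua): string
{
    $ua = $ua ?? '';
    // Drop ASCII control characters so the stored value stays single-line.
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '';
    // Real User-Agent strings are well under 512 bytes; cap the stored size.
    return mb_substr($ua, 0, 512, 'UTF-8');
}

/**
 * Vulnerable rendering: the stored header is concatenated directly into the
 * admin page markup, which is the behaviour the report describes.
 */
function render_row_vulnerable(string $storedUa): string
{
    return '<td title="' . $storedUa . '">' . $storedUa . '</td>';
}

/**
 * Hardened rendering: HTML-encode at the point of output, for both the
 * attribute context and the element body. ENT_QUOTES encodes the double
 * quote that the report's payload uses to break out of the attribute, and
 * the '<' and '>' become &lt; and &gt;, so no new element is created.
 */
function render_row_safe(string $storedUa): string
{
    $safe = htmlspecialchars($storedUa, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td title="' . $safe . '">' . $safe . '</td>';
}

// Intake: what the upload endpoint would do with the request header.
// When run from the CLI there is no request, so the constructed sample is used.
$stored = normalize_user_agent($_SERVER['HTTP_USER_AGENT'] ?? SAMPLE_UA);

echo "Vulnerable: " . render_row_vulnerable($stored) . PHP_EOL;
echo "Safe:       " . render_row_safe($stored) . PHP_EOL;
```

Run it with `php example.php` to see the two renderings side by side. The point to take from it is that the fix lives at the output stage: input normalisation limits what is stored, but only context-aware encoding when the value is written into the admin page stops the header from being interpreted as markup, whichever client sent it.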