FirstBlood-#762 — XSS in vaccine portal
This issue was discovered on FirstBlood v2
On 2021-10-28, twsec Level 2 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
BugBountyHunter Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi, after logging into the vaccination manager and entering the portal, we find the uploaded vaccination proofs,
poking around we don't see many useful stuff to test but i give a try and the useragent for xss
and it fires,
but unfortunately the cookie is http only thus we can't take the cookie but never the less it's a stored XSS and the attacker can do different things with javascript.
and this is the payload , nothing fancy just the old <script>alert(1)
P2 High
Endpoint: useragent
Parameter: useragent
Payload: "><script>alert(1)</script>
FirstBlood ID: 29
Vulnerability Type: Stored XSS
When uploading a vaccine proof it is possible to achieve stored XSS against admins set via the user agent. As this value typically can't be user controlled the developers did not think it was 'worth' preventing against XSS.