FirstBlood-#610Stored XSS through the file upload and unsanitized User-Agent
This issue was discovered on FirstBlood v2



On 2021-10-26, holybugx Level 5 reported:

Description

Hello Sean,

Stored XSS is possible on the Vaccination Management portal on the User-Agent field. When users upload their vaccination proof, their User-Agent is also logged directly without sanitization into the Management portal, which results in the following vulnerability.

Steps To Reproduce

  1. Use the /vaccination-manager/pub/upload-vaccination-proof.php API endpoint to upload your vaccine proof:

  1. Intercept the request and tamper with the User-Agent before sending the final HTTP request.

  1. The XSS executes after the Vaccination Management's admin login:

Impact

As the cookies are signed as httpOnly, this is not possible to steal the cookies to take over the admin's account. However, with an XSS an attacker can perform unauthenticated actions on behalf of the victim i.e. Cross-Site Request Forgery.

Remediation

Here is how the page source code looks after the XSS injection:

To fix this issue, it is needed to properly validate and sanitize the user's User-Agent.

Kind Regards,

HolyBugx

P2 High

Endpoint: /vaccination-manager/pub/submit-vaccination-proof.php

Parameter: user-agent

Payload: "><svg/onload=alert(document.domain)


FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof it is possible to achieve stored XSS against admins set via the user agent. As this value typically can't be user controlled the developers did not think it was 'worth' preventing against XSS.