FirstBlood-#610 — Stored XSS through the file upload and unsanitized User-Agent
This issue was discovered on FirstBlood v2
On 2021-10-26, holybugx reported:
Stored XSS is possible on the Vaccination Management portal in the User-Agent field. When users upload their vaccination proof, their User-Agent is also logged directly, without sanitization, into the Management portal, which results in the following vulnerability.
Steps To Reproduce
- Use the /vaccination-manager/pub/upload-vaccination-proof.php API endpoint to upload your vaccine proof:
- Intercept the request and tamper with the User-Agent before sending the final HTTP request.
- The XSS executes after the Vaccination Management's admin login:
As the cookies are flagged as httpOnly, it is not possible to steal the cookies to take over the admin's account. However, with an XSS an attacker can perform unauthenticated actions on behalf of the victim, i.e. Cross-Site Request Forgery.
Here is how the page source code looks after the XSS injection:
To fix this issue, the user's User-Agent needs to be properly validated and sanitized before it is rendered in the Management portal.
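The following is an added example, not code from the report or from FirstBlood itself. It simulates the server side of the bug in Python: a proof upload whose User-Agent was tampered with in an intercepting proxy (a constructed request with a generic, assumed PoC payload), the vulnerable admin rendering that writes the header straight into HTML, and the hardened rendering that HTML-encodes the value at output time, with a small input-side hygiene step (control characters stripped, length capped). The host name, upload field value and the 512-byte cap are assumptions for illustration.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed example: an upload request whose User-Agent was tampered with in
# an intercepting proxy. The payload is an assumed generic PoC, not the one
# from the report; host and filename are made up.
TAMPERED_REQUEST = {
    "headers": {
        "Host": "firstblood.local",  # assumed host
        "User-Agent": "<script>alert(document.domain)</script>",
        "Content-Type": "multipart/form-data; boundary=----x",
    },
    "filename": "proof.png",  # assumed upload field value
}


@dataclass
class UploadLog:
    """Stand-in for the table the management portal reads uploads from."""
    entries: list = field(default_factory=list)


def handle_upload(log, request):
    """Server side of the upload endpoint, simplified: record the upload
    together with the raw User-Agent, exactly as the report describes."""
    log.entries.append({
        "filename": request["filename"],
        "user_agent": request["headers"].get("User-Agent", ""),
    })


def render_admin_vulnerable(log):
    """The behaviour the report describes: the logged User-Agent is
    concatenated into the management page's HTML untouched."""
    rows = "".join(
        f"<tr><td>{e['filename']}</td><td>{e['user_agent']}</td></tr>"
        for e in log.entries
    )
    return f"<table>{rows}</table>"


UA_MAX_LEN = 512  # assumed cap; real User-Agent strings are a few hundred bytes
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_user_agent(ua):
    """Input-side validation: drop control characters (including CR/LF) and
    cap the length. This is hygiene only; it does not prevent XSS by itself."""
    return _CONTROL.sub("", ua)[:UA_MAX_LEN]


def render_admin_safe(log):
    """The fix: HTML-encode every logged value at the point it is written into
    the page. quote=True also encodes ' and ", so the value stays inert inside
    attribute values as well as between tags."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["filename"], quote=True),
            html.escape(sanitize_user_agent(e["user_agent"]), quote=True),
        )
        for e in log.entries
    )
    return f"<table>{rows}</table>"


def contains_raw_script(page):
    """Crude check used to compare the two renderings: is there an unencoded
    <script tag anywhere in the emitted HTML?"""
    return "<script" in page.lower()


def demo():
    """Replay the tampered upload through both renderers."""
    log = UploadLog()
    handle_upload(log, TAMPERED_REQUEST)
    return render_admin_vulnerable(log), render_admin_safe(log)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable:", vulnerable)
    print("safe:      ", safe)
```

The point of the split between sanitize_user_agent and html.escape is that validation of the header is not the XSS fix: any value that reaches the admin page must be encoded for the context it lands in, regardless of how it was logged.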
FirstBlood ID: 29
Vulnerability Type: Stored XSS
When uploading a vaccine proof it is possible to achieve stored XSS against admins via the User-Agent header. As this value typically can't be user controlled, the developers did not think it was 'worth' protecting against XSS.