FirstBlood-#864[COLLAB] Stored/Blind XSS / DOS via vaccination portal
This issue was discovered on FirstBlood v2

On 2021-10-29, amec0e Level 3 reported:

Hey mate,

I noticed when we view the vaccination-manager/portal.php endpoint we can see that our User-Agent: is reflected on the page, because there is no filtering in place, a user can upload a vaccination proof image and edit their User-Agent: with a HTML payload which will then fire on the backend to our Ngrok server. Luckily the HttpOnly flag is set for the cookie vaccination_manager and so this token cannot be leaked to our Ngrok address. However, if a doctor has signed in and has not logged out then a attacker can indeed leak the doctorAuthed and drps cookies along with the request due to the lack of a HttpOnly flag set.

It is also possible to cause a Denial of Service to the portal.php endpoint using the payload below as this WILL redirect the admin user to our ngrok address rendering the portal.php endpoint unusable until the injected entry is removed.



We can execute our own HTML because no filters are in place to check that the User-Agent: is properly sanitised when reflected on the portal.php page. We can leak the cookies drps and dcotorAuth which would lead to an account takeover of a doctors account if not signed out when viewing the portal.php. This also leads to a DOS of the portal.php page due to a script redirection.

Steps to Reproduce:

  • Visit the endpoint /vaccination-manager/pub/upload-vaccination-proof.php
  • Enter a random email and select a normal image file.
  • Open burpsuite and make sure "Intercept is on"
  • Click "Upload" and View the Intercepted request.
  • Add the following payload along with your Ngrok address in the User-Agent: Header.
<img src=http://NGROKADDRESS>


for DOS of portal.php use the payload below:


  • Now "Forward" all requests.
  • Visit the endpoint /vaccination-manager/login.php and Login with valid Credentials

You will now be able to see a hit back to our ngrok address OR if you used the DOS payload you will be redirected to your ngrok address rendering the page unusable by the admin.

DOS Will redirect us to the ngrok default apache page.


Properly sanitise the User-Agent: from HTML tags

Best Regards,


In Collaboration With thebinarybot

P2 High



FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof it is possible to achieve stored XSS against admins set via the user agent. As this value typically can't be user controlled the developers did not think it was 'worth' preventing against XSS.