Getting Started: Recon
Let's get started. I began with the usual routine: enumerating subdomains with the Subfinder tool.
Target domain: unep.org
subfinder -d unep.org > unep.txt
which listed around 92 subdomains.
Now let's look at one of those subdomains.
While browsing at random, I came across apps.unep.org, which exposed an endpoint ending in /test/server.php.
At the time I had little idea what this endpoint was. Eventually I turned to a tool called Nuclei.
Nuclei: vulnerability analysis tool
The Nuclei Advantage
Nuclei, an open-source template-based scanner, played a pivotal role in streamlining my vulnerability discovery. Its extensible design and large community template library, which includes checks for specific CVEs, let me run detailed scans that surfaced an issue other tools had missed. In this case it pinpointed the XSS vulnerability within the UN's web infrastructure. A template match is a lead rather than proof, so the hit still has to be confirmed by hand before it goes into a report.
Discovery of XSS Vulnerability (CVE-2020-14413)
During the scan, Nuclei flagged a potential XSS flaw in the UN's web application, identified as CVE-2020-14413. The affected file is test/server.php from the kriswallsmith/buzz PHP HTTP client library: a test helper that, as the CVE describes, reflects incoming request data back in the response without encoding it. The script is not meant to be deployed at all, but it becomes reachable whenever the library is installed with Composer under a web-exposed vendor/ directory, which is exactly the situation the URL below shows. XSS, or Cross-Site Scripting, is a web vulnerability that lets an attacker inject script into a page so that other users' browsers execute it in the context of the vulnerable site.
URL: https://apps.unep.org/unepmediacentre/vendor/kriswallsmith/buzz/test/server.php
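To make concrete what a template hit like this actually rests on, here is an added example (not code from this write-up, from Nuclei or from the Buzz library) that models the decision in Python: send a unique canary, then flag the response only if it is served as HTML and the canary comes back byte-for-byte. Beside it sits a Python model of the vulnerable pattern (echoing a decoded request value straight into HTML) and its hardened twin. The base URL, the parameter name `q`, the endpoint path constant and all responses are constructed for illustration; the page does not state where server.php reflects its input, so nothing here is sent over the network.

```python
"""Reflected-XSS probe logic, in the spirit of a scanner template matcher.

Added example: not the page's, Nuclei's or Buzz's code. All URLs, parameter
names and responses are constructed; nothing is sent over the network.
"""
import html
import secrets
from urllib.parse import quote

# Hypothetical: the path shape seen on the page, used only to build a URL.
TARGET_PATH = "/vendor/kriswallsmith/buzz/test/server.php"


def make_canary() -> str:
    """A unique, harmless marker containing the characters an HTML-encoding
    fix must neutralise (< > " '). Seeing it reflected raw is a strong signal;
    the random hex makes an accidental substring match very unlikely."""
    return f'<u>{secrets.token_hex(4)}"\'</u>'


def build_probe_url(base: str, canary: str, param: str = "q") -> str:
    """The request a scanner would send. `param` is a placeholder name; where
    the canary belongs (query, path, header) depends on the target script."""
    return f"{base}{TARGET_PATH}?{param}={quote(canary, safe='')}"


def is_reflected_xss(status: int, headers: dict, body: str, canary: str) -> bool:
    """Verdict for one response. Three conditions a careful matcher checks:
      1. the request succeeded;
      2. the browser will render the body as HTML (an injected tag inside a
         JSON or text/plain response is inert);
      3. the canary appears unmodified, i.e. without HTML encoding.
    """
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return status == 200 and "text/html" in ctype.lower() and canary in body


# --- a vulnerable reflector and its hardened twin, modelled in Python -------

def vulnerable_echo(value: str) -> str:
    """Echoes a decoded request value (think $_GET['q']) straight into HTML.
    This is the class of bug CVE-2020-14413 describes, modelled here in Python."""
    return f"<html><body><pre>REQUEST: {value}</pre></body></html>"


def hardened_echo(value: str) -> str:
    """Same output, but HTML-encoded before it lands in an HTML context."""
    return f"<html><body><pre>REQUEST: {html.escape(value, quote=True)}</pre></body></html>"


def demo() -> dict:
    """Run the matcher against the two reflectors and a non-HTML response."""
    canary = make_canary()
    html_hdr = {"Content-Type": "text/html; charset=utf-8"}
    json_hdr = {"Content-Type": "application/json"}
    return {
        # raw reflection in an HTML page: flagged
        "vulnerable": is_reflected_xss(200, html_hdr, vulnerable_echo(canary), canary),
        # encoded reflection: the canary is no longer a substring, not flagged
        "hardened": is_reflected_xss(200, html_hdr, hardened_echo(canary), canary),
        # same raw reflection but served as JSON: not flagged
        "json": is_reflected_xss(200, json_hdr, vulnerable_echo(canary), canary),
    }


if __name__ == "__main__":
    c = make_canary()
    print("probe:", build_probe_url("https://example.invalid", c))
    print(demo())
```

The content-type check is what keeps this from being a plain string search: a reflected marker in an `application/json` body is a finding worth noting, but it is not XSS on its own, and reporting it as such is how template output gets a scanner a bad name. The hardened reflector shows the fix the CVE implies: encode at the point where untrusted data meets HTML.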
Responsible Disclosure
With the vulnerability identified, the next step was clear: responsible disclosure. Given the sensitivity and global reach of the United Nations, I made sure my findings reached their security team promptly and through a secure channel, in a detailed report describing the nature of the XSS flaw, its potential impact and suggested mitigations.
Recognition in the Hall of Fame
After the vulnerability was successfully patched, the United Nations acknowledged my contribution by including me in their Hall of Fame. It was a moment of immense pride and satisfaction to see my name alongside other cybersecurity enthusiasts who had made significant contributions to securing the organization.
Reported: 25th December 2023
Fixed: 1st January 2024
Acknowledged: 23rd January 2024
Hall Of Fame: Hall of Fame | Office of Information and Communications Technology
Let's meet again in another article.
Bye!