I found this vulnerability while poking around the subdomains of ASUS wayback 2018. Such subdomain was still relatively new that time which means that potentially juicy security issues are still an easy catch. If I can remember correctly, this security issue was found when I was on a ‘pisonet’ together with my friends and playing DOTA 2. 🤣
ASUS Healthcare is a health data management platform wherein end users can keep track of his or her self, family, and friend’s health data using the wearable or IoT device they use in place. Unfortunately, as of this time (2021), the web application was discontinued.
Steps to Replicate
- Login and navigate towards your account’s dashboard section.
- On the Blood Sugar Measurement panel, click on ‘+’ to add a new data.
- Supply all the necessary information, but on the Medicine Before Measurement checkbox, it should be checked to enable the input field and thus the entry of the infamous
"><img src=x onerror=prompt(1)>payload.
- Then, click on the +Add button.
- Navigate to the profile that payload is in and notice an alert box popped.
“Injection of scripts was possible.” -ASUS
Proof of Concept
February 18, 2018 :: Report Submitted
February 21, 2018 :: Triaged
March 08, 2018 :: Security issue fixed
March 15, 2018 :: Entered ASUS Hall-of-Fame 🏆