[ASUS] Stored XSS in ASUS Healthcare Subdomain

I found this vulnerability while poking around the subdomains of ASUS way back in 2018. The subdomain was still relatively new at that time, which meant that potentially juicy security issues were still an easy catch. If I remember correctly, this security issue was found when I was at a ‘pisonet’ together with my friends, playing DOTA 2. 🤣

Description

ASUS Healthcare is a health data management platform where end users can keep track of their own, their family’s, and their friends’ health data using the wearable or IoT devices they have in place. Unfortunately, as of this time (2021), the web application has been discontinued.

Stored XSS was possible in this platform because there were no sanitization functions or filters in place when data was entered and fed into the end user’s health statistics. As a result, an attacker could simply enter a JavaScript payload.

Steps to Replicate

  1. Log in and navigate to your account’s dashboard section.
  2. On the Blood Sugar Measurement panel, click on ‘+’ to add new data.
  3. Supply all the necessary information, and check the Medicine Before Measurement checkbox to enable its input field, which allows the entry of the infamous "><img src=x onerror=prompt(1)> payload.
  4. Then, click on the +Add button.
  5. Navigate to the profile that the payload is in and notice that an alert box pops up.
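
The missing output encoding described above, shown next to a hardened renderer. This is an added example, not ASUS Healthcare code and not part of the original write-up; the record fields, the table markup, and the assumption that the medicine text is rendered inside a quoted attribute are all hypothetical.

```javascript
// Added example: field names and markup are assumptions, not ASUS code.

// Constructed sample record; `medicine` holds the payload from step 3.
const sampleEntry = {
  date: "2018-02-18",
  glucoseMgDl: 95,
  medicine: '"><img src=x onerror=prompt(1)>',
};

// Vulnerable pattern: stored text is concatenated straight into markup,
// so a double quote in the data ends the attribute and new tags follow.
function renderEntryUnsafe(entry) {
  return `<tr><td>${entry.date}</td><td>${entry.glucoseMgDl}</td>` +
         `<td><input readonly value="${entry.medicine}"></td></tr>`;
}

// Encode the five characters that can change the HTML parsing context.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every stored value is encoded at output time,
// including fields that are "expected" to be dates or numbers.
function renderEntrySafe(entry) {
  return `<tr><td>${escapeHtml(entry.date)}</td>` +
         `<td>${escapeHtml(entry.glucoseMgDl)}</td>` +
         `<td><input readonly value="${escapeHtml(entry.medicine)}"></td></tr>`;
}

// Regression-test helper: list the names of the opening tags in the output.
// An unexpected name means stored data was parsed as markup.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
}

console.log("unsafe:", tagNames(renderEntryUnsafe(sampleEntry)).join(","));
console.log("safe:  ", tagNames(renderEntrySafe(sampleEntry)).join(","));
```

Encoding at output time keeps the stored value intact for display while the browser treats it as text; a tag-list check like `tagNames` can run in a unit test for each template that renders user-supplied fields.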

Impact

“Injection of scripts was possible.” -ASUS

Proof of Concept

Timeline

February 18, 2018 :: Report Submitted

February 21, 2018 :: Triaged

March 08, 2018 :: Security issue fixed

March 15, 2018 :: Entered ASUS Hall-of-Fame 🏆