How I secured the United Nations Hall of Fame
Greetings, fellow cybersecurity enthusiasts! My name is Kamil Rahuman, Today, I’m thrilled to share my exhilarating journey of securing the United Nations Hall of Fame by uncovering a critical XSS vulnerability.
My journey began with a mission to contribute positively to the cybersecurity community. Little did I know that my efforts would lead me to the heart of one of the most prestigious organizations globally, the United Nations.
Getting Started : Recon
Began with the routine by listing the Subdomains using Subfinder tool
Target domain: unep.org
subfinder -d unep.org > unep.txtwhich was listed around 92 subdomains….
Now, let’s check out one of the domain by exploring its subdomains.
Randomly, I found a domain apps.unep.org which shows the endpoint as /test/server.php
At the time I didn’t have much idea about this endpoint. At last I came up with a tool called Nuclei
The Nuclei Advantage
Nuclei, an open-source tool, played a pivotal role in streamlining my vulnerability discovery process. Its extensible nature and comprehensive template library allowed me to perform detailed scans, helping uncover hidden vulnerabilities that might have eluded other tools. In this case, it proved invaluable in pinpointing the XSS vulnerability within the UN’s web infrastructure.
Discovery of XSS Vulnerability (CVE-2020–14413)
During the scanning with the tool Nuclei, Nuclei flagged a potential vulnerability — an XSS flaw in the UN’s web application, identified as CVE-2020–14413. XSS, or Cross-Site Scripting, is a critical security issue that allows attackers to inject malicious scripts into web pages viewed by other users.
URL: https://apps.unep.org/unepmediacentre/vendor/kriswallsmith/buzz/test/server.php
Responsible Disclosure
With the vulnerability identified, my next step was clear — responsible disclosure. Understanding the sensitivity and global impact of the United Nations, I ensured that my findings were communicated to their security team promptly and securely. This involved providing a detailed report outlining the nature of the XSS vulnerability, its potential impact and suggested mitigation strategies.
Recognition in the Hall of Fame
After the vulnerability was successfully patched, the United Nations acknowledged my contribution by including me in their Hall of Fame. It was a moment of immense pride and satisfaction to see my name alongside other cybersecurity enthusiasts who had made significant contributions to securing the organization.
Reported: 25th December 2023
Fixed: 1st January 2024
Acknowledged: 23th January 2024
Hall Of Fame: Hall of Fame | Office of Information and Communications Technology
Let’s meet again in other article
Bye !
