How I secured the United Nations Hall of Fame

Kamil Rahuman
3 min readFeb 2, 2024
UNITED NATIONS

Greetings, fellow cybersecurity enthusiasts! My name is Kamil Rahuman, Today, I’m thrilled to share my exhilarating journey of securing the United Nations Hall of Fame by uncovering a critical XSS vulnerability.

My journey began with a mission to contribute positively to the cybersecurity community. Little did I know that my efforts would lead me to the heart of one of the most prestigious organizations globally, the United Nations.

Getting Started : Recon

Let's get started…

Began with the routine by listing the Subdomains using Subfinder tool

Target domain: unep.org

subfinder -d unep.org > unep.txt

which was listed around 92 subdomains….

Now, let’s check out one of the domain by exploring its subdomains.

Randomly, I found a domain apps.unep.org which shows the endpoint as /test/server.php

apps.unep.org listed in subdomains

At the time I didn’t have much idea about this endpoint. At last I came up with a tool called Nuclei

Nuclei-Vulnerability analysis tool

The Nuclei Advantage

Nuclei, an open-source tool, played a pivotal role in streamlining my vulnerability discovery process. Its extensible nature and comprehensive template library allowed me to perform detailed scans, helping uncover hidden vulnerabilities that might have eluded other tools. In this case, it proved invaluable in pinpointing the XSS vulnerability within the UN’s web infrastructure.

Discovery of XSS Vulnerability (CVE-2020–14413)

During the scanning with the tool Nuclei, Nuclei flagged a potential vulnerability — an XSS flaw in the UN’s web application, identified as CVE-2020–14413. XSS, or Cross-Site Scripting, is a critical security issue that allows attackers to inject malicious scripts into web pages viewed by other users.

URL: https://apps.unep.org/unepmediacentre/vendor/kriswallsmith/buzz/test/server.php

With XSS-URL: https://apps.unep.org/unepmediacentre/vendor/kriswallsmith/buzz/test/server.php/card_scan.php?No=0000&ReaderNo=0000&CardFormatNo=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E

XSS Reflected !
Yes XSS Found!!

Responsible Disclosure

With the vulnerability identified, my next step was clear — responsible disclosure. Understanding the sensitivity and global impact of the United Nations, I ensured that my findings were communicated to their security team promptly and securely. This involved providing a detailed report outlining the nature of the XSS vulnerability, its potential impact and suggested mitigation strategies.

Recognition in the Hall of Fame

After the vulnerability was successfully patched, the United Nations acknowledged my contribution by including me in their Hall of Fame. It was a moment of immense pride and satisfaction to see my name alongside other cybersecurity enthusiasts who had made significant contributions to securing the organization.

Reported: 25th December 2023

Fixed: 1st January 2024

Acknowledged: 23th January 2024

https://unite.un.org/content/un-information-security-hall-fame

Hall Of Fame: Hall of Fame | Office of Information and Communications Technology

Let’s meet again in other article

Bye !

Bye !

--

--

Kamil Rahuman

Security Researcher | Bug hunter | Secured Microsoft, Nasa, United Nations, National Science Foundation +13 more companies