| タイトル | codeastro.com Web Application 1.0 Cross-Site Scripting (XSS) |
|---|
| 説明 | Vulnerability Report:
Introduction:
This document provides details on the identification and assessment of a Cross-Site Scripting (XSS) vulnerability discovered in the Simple Banking System.
System Overview:
Project Name: Simple Banking System
Vulnerability Type: Cross-site Scripting (XSS)
Project Link: https://codeastro.com/simple-banking-system-in-php-with-source-code/
Description:
A Cross-Site Scripting (XSS) vulnerability has been identified in the "createuser.php" page of the Simple Banking System. The vulnerability allows an attacker to inject and execute arbitrary scripts in the user's browser.
Impact Assessment:
Potential Impact: The XSS vulnerability enables an attacker to execute malicious scripts, leading to potential unauthorized access, data theft, or other malicious activities.
Severity: High
Mitigation Steps:
Input Validation:
Implement robust input validation to sanitize user inputs effectively.
Output Encoding:
Apply proper output encoding to prevent the execution of injected scripts.
Content Security Policy (CSP):
Enforce a strict Content Security Policy to mitigate XSS risks.
Reproduction Steps:
Access the following URL: http://192.168.50.83/SimpleBankingSystem-PHP/createuser.php
Input the payload <img src=1 href=1 onerror="javascript:alert(1)"></img> in relevant fields.
Submit the form.
Observe the execution of the payload, confirming the presence of the XSS vulnerability.
Researcher:
Name: ABHISHEK K A
Contact: [email protected]
Role: Cybersecurity Researcher
Project Details:
Project Name: Simple Banking System
Vulnerability Type: Cross-site Scripting (XSS)
Payload: <img src=1 href=1 onerror="javascript:alert(1)"></img>
Input Parameter: http://192.168.50.83/SimpleBankingSystem-PHP/createuser.php
Discovery Date: 08/01/2024
Source of Project: Obtained from codeastro.com
Your Commitment:
Responsible disclosure is committed, and the researcher will not publicly disclose the vulnerability until it has been appropriately addressed.
Contact Information:
Preferred Communication Method: [email protected]
Timeline:
Discovery Date: 08/01/2024 |
|---|
| ソース | ⚠️ https://drive.google.com/file/d/1SaHrOPMV6yrBaS5pA7MOX8nsiVGxvlOa/view?usp=sharing |
|---|
| ユーザー | ABHISHEK K.A (UID 61005) |
|---|
| 送信 | 2024年01月09日 07:38 (3 年 ago) |
|---|
| モデレーション | 2024年01月11日 13:22 (2 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 250442 [CodeAstro Online Food Ordering System 1.0 dishes.php res_id クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|