제출 #393511: GitHub Insurance Management System 1.0 Cross Site Scripting정보

제목GitHub Insurance Management System 1.0 Cross Site Scripting
설명Description I have identified a Reflected Cross-Site Scripting (XSS) vulnerability in the Life Insurance Management System, specifically within the editClient.php endpoint. This vulnerability allows an attacker to inject malicious JavaScript code into the 'AGENT ID' field during the client details editing process. The injected script is then reflected in the client-side interface, posing a significant risk of unauthorized actions or data theft. 2. Steps to Reproduce Navigate to the client page http://127.0.0.1/life-insurance-management-system/lims/client.php Click on edit the client i.e in my case http://127.0.0.1/life-insurance-management-system/lims/editClient.php?client_id=1723313626 Inject Malicious Script: In the "AGENT ID" field, input the following payload: <script>alert(document.domain)</script> Submit the Form: Submit the form with the injected payload. Trigger the XSS: Navigate to the edit client section and click on edit data. Upon adding the malicious script in AGENT ID field, click on save and upon loading this page, the malicious script is executed, resulting in an alert box that displays the document's domain, confirming the XSS vulnerability. 3. Impact Confidentiality: Attackers can exploit this vulnerability to steal sensitive information, including session tokens, cookies, or other private data. Integrity: Attackers could manipulate the content displayed to users, potentially altering important information. Availability: Malicious scripts can be used to create denial of service (DoS) conditions through heavy or infinite loop scripts. 4. Proof of Concept Screenshot: (Include an attached screenshot showing the alert triggered by the payload) Payload: <script>alert(document.domain)</script> 5. Recommendations To address and mitigate the identified XSS vulnerability, consider implementing the following measures: Sanitize Input: Ensure that all user inputs are sanitized and validated before being stored in the database. Use libraries or frameworks that offer secure input handling. Escape Output: Properly escape and encode output when displaying user-generated content to prevent the execution of injected scripts. Content Security Policy (CSP): Implement a robust Content Security Policy to limit the sources from which scripts can be loaded and executed, reducing the risk of XSS attacks. Github link to this application: https://github.com/nafisulbari/life-insurance-management-system
원천⚠️ http://127.0.0.1/life-insurance-management-system/lims/editClient.php
사용자
 fahadletsleep (UID 73320)
제출2024. 08. 18. PM 12:55 (2 연령 ago)
모더레이션2024. 08. 27. PM 01:22 (9 days later)
상태수락
VulDB 항목275917 [nafisulbari/itsourcecode Insurance Management System 1.0 editClient.php AGENT ID 크로스 사이트 스크립팅]
포인트들20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!