Title | codeastro.com Simple Banking System (WEB APP) 1.0 Cross-Site Scripting (XSS) |
---|
Description | Vulnerability Report
Introduction:
This document provides details on the identification and assessment of a Cross-Site Scripting (XSS) vulnerability discovered in the Simple Banking System.
System Overview:
Project Name: Simple Banking System
Vulnerability Type: Cross-site Scripting (XSS)
Project Link: https://codeastro.com/simple-banking-system-in-php-with-source-code/
Description:
A Cross-Site Scripting (XSS) vulnerability has been identified in the "createuser.php" page of the Simple Banking System. User-supplied form input is written into the page without output encoding, which allows an attacker to inject arbitrary HTML and JavaScript that executes in the browser of any user who views the rendered content.
Impact Assessment:
Potential Impact: Script executing in a victim's browser runs in the banking application's origin. It can read the page, submit requests as the victim (for example, create or modify accounts), steal session tokens if the session cookie is not marked HttpOnly, and present convincing phishing content inside the trusted application.
Severity: High
Mitigation Steps:
Input Validation:
Validate each field against the form the value is expected to take (character set, length) and reject anything else. Validation narrows what reaches the application; it does not replace output encoding.
Output Encoding:
HTML-encode every user-controlled value at the point it is written into the page (in PHP, htmlspecialchars() with ENT_QUOTES), so that injected markup is rendered as text rather than executed. This is the primary fix.
Content Security Policy (CSP):
Send a Content-Security-Policy header that disallows inline script, so that an injected event handler or script element does not run even where encoding was missed. CSP is defence in depth, not a substitute for encoding.
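The three mitigations above, shown together as an added example in the project's language. This is not code from the Simple Banking System; the field name "name", the welcome markup and the validation rule are assumptions, since the report does not name the vulnerable form field. The self-check uses the report's own payload.

```php
<?php
// Added example, not code from the Simple Banking System project.
// Assumptions: createuser.php echoes a submitted "name" field into a <p>;
// the real field names and markup are not given in the report.

declare(strict_types=1);

// Vulnerable pattern: a submitted value is written straight into the page,
// so "<img ... onerror=...>" becomes live markup.
function render_vulnerable(string $name): string
{
    return "<p>Welcome, " . $name . "</p>";
}

// Output encoding: escape <, >, &, " and ' so the browser treats the value
// as text, whether it lands in element content or inside an attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(string $name): string
{
    return "<p>Welcome, " . h($name) . "</p>";
}

// Input validation: accept only letters, marks, spaces and a few name
// punctuation characters, capped at 64 characters. Returns null on rejection.
// Validation narrows the input; encoding above is still required.
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Content Security Policy: no inline script, so an injected onerror handler
// or <script> element is blocked even if encoding is missed somewhere.
function send_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Self-check with the payload from this report.
$payload = '<img src=1 href=1 onerror="javascript:alert(1)"></img>';

assert(validate_name($payload) === null);
assert(str_contains(render_vulnerable($payload), 'onerror="javascript:alert(1)"'));
assert(!str_contains(render_hardened($payload), '<img'));
assert(str_contains(
    render_hardened($payload),
    '&lt;img src=1 href=1 onerror=&quot;javascript:alert(1)&quot;&gt;'
));

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two renderings.
    echo render_vulnerable($payload), PHP_EOL;
    echo render_hardened($payload), PHP_EOL;
} else {
    // Request handling: CSP header first, then validate, then encode on output.
    send_csp();
    $name = validate_name($_POST['name'] ?? '');
    echo $name === null ? '<p>Invalid name.</p>' : render_hardened($name);
}
```

Run it with `php example.php` to see the raw and the encoded rendering side by side; the encoded form contains no `<` or `"`, so the browser cannot construct an element or an attribute from it. The CSP header is sent before any output, as required for headers in PHP.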
Reproduction Steps:
Access the following URL: http://192.168.50.83/SimpleBankingSystem-PHP/createuser.php
Enter the payload <img src=1 href=1 onerror="javascript:alert(1)"></img> into the text fields of the user-creation form.
Submit the form.
Observe that the payload executes (an alert dialog appears in the browser), confirming the XSS vulnerability.
Researcher:
Name: ABHISHEK K A
Contact: abhishekkallumada001@gmail.com
Role: Cybersecurity Researcher
Project Details:
Project Name: Simple Banking System
Vulnerability Type: Cross-site Scripting (XSS)
Payload: <img src=1 href=1 onerror="javascript:alert(1)"></img>
Affected Page: http://192.168.50.83/SimpleBankingSystem-PHP/createuser.php
Discovery Date: 2024-01-08
Source of Project: Obtained from codeastro.com
Researcher's Commitment:
The researcher commits to responsible disclosure and will not publicly disclose the vulnerability until it has been appropriately addressed.
Contact Information:
Preferred Communication Method: abhishekkallumada001@gmail.com
Timeline:
Discovery Date: 2024-01-08 |
---|
Source | https://drive.google.com/file/d/1jr5YRrESDjcNmhpQRK5yHvvxNlYJp2oK/view?usp=sharing |
---|
User | ABHISHEK K.A (ID 61005) |
---|
Submission | 2024-01-09 08:00 |
---|
Moderation | 2024-01-11 13:24 (2 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 250443 |
---|