Skip to content

Instantly share code, notes, and snippets.

@th4s1s

th4s1s/online-shop-php-xss.md Secret

Created January 2, 2025 08:48
Show Gist options
  • Save th4s1s/fc65dafa7237cc66a18ef6005075c31b to your computer and use it in GitHub Desktop.
Save th4s1s/fc65dafa7237cc66a18ef6005075c31b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
online-shop-php-xss.md

Online Shop IN PHP has Cross-Site Scripting (XSS) vulnerability via $name and $details paremeter in /view.php.

Project

https://code-projects.org/online-shop-in-php-css-javascript-and-mysql-free-download/

Vulnerability

/view.php - $name and $details paremeters.

Description

In the /view.php file, an unrestricted Cross-Site Scripting (XSS) vulnerability and injection attacks exist, specifically targeting the $name and $details paremeters. The function echo the user-supplied parameter without validation. Malicious attackers can leverage this vulnerability to access sensitive client information.

Path: /view.php?name=<img/src/onerror=alert(%27XSS%27)>

<div class="row">
  <div class="box">
    <h1><?php echo $_GET['name'] ?></h1>
    <h4>
        Product Details
    </h4>
              <p><?php echo $_GET['details'] ?></p>
  </div>
</div>

PoC

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment