Compliance Impact

This vulnerability allows attackers to execute arbitrary JavaScript code in the context of users' browsers, potentially leading to session hijacking, theft of authentication cookies, and unauthorized actions on behalf of authenticated users.

Such security weaknesses can result in unauthorized access to personal or sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA that mandate safeguarding user information and ensuring data integrity.

Failure to properly sanitize inputs and protect against cross-site scripting attacks could lead to non-compliance with these regulations, as they require organizations to implement adequate security controls to prevent data breaches and protect user privacy.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts on users and the system:

• Execution of arbitrary JavaScript code in the context of the victim’s browser.
• Potential session hijacking and theft of authentication cookies.
• Unauthorized actions performed on behalf of authenticated users.
• Persistent impact affecting all users who view the compromised data.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Accounting System in PHP version 1.0, specifically in the `costumer_name` parameter handled by the `/my_account/add_costumer.php` endpoint.

The problem arises because the application does not properly sanitize or encode user input before storing it in the backend database and later displaying it in the web interface.

An attacker can submit malicious JavaScript code via the `costumer_name` field, which gets stored in the database without filtering. When other users view the stored data, the malicious script executes in their browsers.

This allows execution of arbitrary JavaScript code in the victim's browser, potentially leading to session hijacking, theft of authentication cookies, and unauthorized actions performed on behalf of authenticated users.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the `/my_account/add_costumer.php` endpoint for stored cross-site scripting (XSS) in the `costumer_name` parameter.

A practical detection method is to send a POST request with a payload containing a harmless script or HTML tag that triggers a visible effect, such as a JavaScript prompt.

For example, you can use the following curl command to test the vulnerability:

• curl -X POST -d "costumer_name=%3Cdetails%2Fopen%2Fontoggle%3Dprompt%28origin%29%3E" https://[target-domain]/my_account/add_costumer.php

If the payload is stored and later executed when viewing the customer record, it confirms the presence of the stored XSS vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs on the server side, especially the `costumer_name` parameter.

Before rendering user-controlled data, encode output using functions like `htmlspecialchars()` to prevent execution of injected scripts.

• Sanitize and validate input data on the server.
• Encode output with functions such as `htmlspecialchars($costumer_name, ENT_QUOTES, 'UTF-8')`.
• Implement a strict Content Security Policy (CSP) to restrict script execution.
• Set HttpOnly and Secure flags on cookies to reduce risk of session hijacking.

Additionally, conduct regular security testing to identify and fix injection vulnerabilities.

Useful 0 Not Useful 0