Vendor: Project Worlds

Product: Visitor Management System

Date: 14/1/2024

Overview:

The Visitor Management System developed by Project Worlds is found to have a security vulnerability that exposes it to reflected Cross-Site Scripting (XSS) attacks. This vulnerability allows an attacker to inject malicious scripts into the application, potentially leading to unauthorized access, data theft, or other security breaches.

Vulnerability Details:

1. XSS Vulnerability:

• Location: datetest.php
• Vulnerable Parameter: name

Exploitation Example:

<https://localhost/Visitor%20Management%20System%20in%20PHP/datetest.php?name=>"><script>alert('torada')</script>

Description:

The application fails to properly validate and sanitize the user input received through the URL parameter name. As a result, an attacker can inject malicious scripts into the page, leading to the execution of arbitrary JavaScript code in the context of the victim's browser.

Proof of Concept:

To demonstrate the exploit, an attacker can craft a URL with a malicious payload as follows:

1. Access the vulnerable page with the crafted URL:

   plaintextCopy code
   <https://localhost/Visitor%20Management%20System%20in%20PHP/datetest.php?name=>"><script>alert('torada')</script>
   
   

2. Upon loading the page, the injected script triggers an alert with the message 'torada', indicating successful exploitation.

Recommendations:

1. Input Validation and Sanitization: