Report

Reflected Cross-site Scripting

The application was found vulnerable to Reflected Cross-site Scripting (XSS).

XSS is a type of web application security vulnerability, which allows code injection by malicious web users into the web pages viewed by other users.

Reflected Cross-site Scripting is a type of XSS where the injected code is reflected off the web server. This kind of XSS is short-lived and requires a phishing vector to be delivered to the victim.

Impact

An attacker may be able to steal personal data, hijack sessions and perform phishing attacks by forcing a user's browser to execute a malicious JavaScript payload.

Solution

Sanitise all user-supplied input before using it as part of dynamically generated pages and data. Be cautious of metacharacters that can be used to build tags and attributes.

Details

request:
GET http://192.168.247.132/WackoPicko/pictures/search.php?query=%22%3E%3CPR0ML%3E HTTP/1.1
Content-Type: application/x-www-form-urlencoded

request:
POST http://192.168.247.132/WackoPicko/users/login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username='%3E%3CRfJHk%3E&password=aBPpyyZiSU