PuneethReddyHC Online Shopping System Reflected Cross-Site Scripting Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Online Shopping System developed by PuneethReddyHC, specifically in version 1.0. The issue resides in the register.php file, where unsanitized user input in the f_name parameter is echoed back in the server response without adequate HTML encoding or output escaping. This flaw allows remote attackers to inject arbitrary JavaScript, which could be executed in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the victim's browser. This could lead to session hijacking, credential theft, or redirection to malicious websites.

Reproduction

To reproduce this vulnerability, send a POST request to register.php with an unsanitized f_name parameter containing JavaScript code, such as a script tag including an alert function. The injected script will execute in the browser of anyone who views the response.

Remediation

To address this vulnerability, implement proper output encoding, such as using 'htmlspecialchars()' in PHP, and validate and sanitize all user inputs. Additionally, consider using Content Security Policy (CSP) headers to mitigate the impact of XSS.