Car Booking System PHP Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Car-Booking-System-PHP version 1.0. The issue resides in the booking.php file within the carlux directory.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser. This could lead to session hijacking, theft of authentication cookies, phishing attacks, data theft, or manipulation of displayed content.

Reproduction

To reproduce this vulnerability, navigate to the carlux directory of the Car-Booking-System-PHP application. Select a car to view its details, then intercept the 'Book Now' request using Burp Suite. Add a script payload to the request and send it. Finally, view the response in a browser to execute the injected script.

Remediation

To mitigate this vulnerability, input should be sanitized to implement strict validation and escape special characters. User input should be encoded before being rendered in the browser. Additionally, a Content Security Policy (CSP) can be implemented to restrict the execution of inline scripts.