SourceCodester Simple To-Do List System Cross-Site Scripting Vulnerability
Vulnerability
A Cross-Site Scripting (XSS) vulnerability has been identified in SourceCodester's Simple To-Do List System version 1.0. The issue arises in the 'Add Tasks' text input, where an authenticated user can submit HTML or JavaScript that is not properly sanitized or encoded before being output. This injected script is stored and later executed in the browser of any user who views the task, allowing the execution of arbitrary scripts in the context of the victim's browser.
Impact
Because the payload is stored and rendered to every user who views the task, the injected script runs with the origin and session of each victim. Depending on the victim's role this can lead to session cookie theft and account takeover (if the session cookie is not marked HttpOnly), actions performed on the victim's behalf, manipulation and defacement of the user interface, targeted phishing within the trusted application, and exfiltration of data the victim can see.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the 'Add Task' feature. Enter a task whose text contains a script payload, select a due date, and save it. The payload is stored unencoded; when the task is next viewed, by the same user or any other user who loads the task list, the browser parses the injected markup and executes the script, demonstrating the stored XSS.
Remediation
To address this vulnerability, encode user-supplied data at output time, for the context it is inserted into: in PHP, 'htmlspecialchars()' with ENT_QUOTES and an explicit UTF-8 charset for HTML text and attribute values, and a JSON encoder or equivalent for values placed inside JavaScript or URLs. Apply server-side validation on input as a second layer: trim and normalize the text, enforce a maximum length, and reject or strip control characters and disallowed markup. If HTML markup must be allowed in task text, pass it through a reputable sanitizer such as HTML Purifier rather than hand-written filters. As defence in depth, set a Content Security Policy that disallows inline script so a missed encoding bug cannot execute, and set the HttpOnly and Secure flags on session cookies so a script that does run cannot read the session token. None of these mitigations replaces contextual output encoding; they limit the damage when it is missing.
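The vulnerable rendering pattern described in this advisory beside its hardened form, as an added PHP example; this is not code from SourceCodester's Simple To-Do List System. The function names, the $task array layout and its field names, the sample task text, and the CSP values are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a stored task row as an attacker could have saved it
// through the 'Add Task' text input. Field names are assumptions.
$task = [
    'id'       => 7,
    'title'    => '<img src=x onerror="alert(document.cookie)">Buy milk',
    'due_date' => '2024-05-01',
];

// VULNERABLE: the stored title is concatenated straight into HTML, so the
// browser parses the injected <img> tag and runs its onerror handler in
// the session of every user who views the task list.
function render_task_unsafe(array $task): string
{
    return '<li data-id="' . $task['id'] . '">' . $task['title']
         . ' (due ' . $task['due_date'] . ')</li>';
}

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES covers both quote characters; the charset is stated explicitly.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a JavaScript string literal, e.g. inside an inline <script>.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX so the value
// cannot close the script block or break out of the literal.
function e_js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Server-side normalisation before storage: trim, bound the length, reject
// control characters. This is input validation, not a replacement for the
// output encoding above; markup is still stored and must be encoded on output.
function normalize_title(string $raw, int $maxLen = 200): string
{
    $title = trim($raw);
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title) === 1) {
        throw new InvalidArgumentException('control characters not allowed');
    }
    if (mb_strlen($title, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('title too long');
    }
    return $title;
}

// HARDENED: every interpolated value is escaped for the context it lands in.
function render_task_safe(array $task): string
{
    return '<li data-id="' . e((string) $task['id']) . '">' . e($task['title'])
         . ' (due ' . e($task['due_date']) . ')</li>';
}

// Defence in depth: a CSP without 'unsafe-inline' blocks the inline onerror
// handler even if an encoding bug slips through, and HttpOnly/Secure keep a
// script that does run from reading the session cookie. Call before output
// and before session_start(); the array form needs PHP 7.3 or later.
function send_hardening_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

send_hardening_headers();
$task['title'] = normalize_title($task['title']);

echo "Unsafe: ", render_task_unsafe($task), PHP_EOL;
echo "Safe:   ", render_task_safe($task), PHP_EOL;
echo "In JS:  <script>var title = ", e_js($task['title']), ";</script>", PHP_EOL;
```

Run with `php example.php` and compare the two list items: the unsafe line carries the live `<img ... onerror=...>` tag, the safe line renders the same characters as entity-encoded text that the browser displays rather than executes. The JavaScript line shows why one escaper is not enough: the HTML-encoded form would be wrong inside a script literal, so the JSON encoder with the hex flags is used there instead.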
