Sourcecodester Zoo Management System Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Sourcecodester Zoo Management System version 1.0. The issue resides in the Login class, specifically within the login function. The root cause is an invalid Content-Type on the JSON responses the function emits, combined with unsanitized user input that is reflected into that response body; because the browser is not told the body is JSON, it may render the reflected input as HTML. This allows unauthenticated attackers to inject HTML or JavaScript that executes in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to '/zms/classes/Login.php?f=login' without the proper Content-Type. Supply a username that contains unsanitized HTML, such as an embedded image tag, together with a password. The injected markup is reflected in the response and executes in the browser, demonstrating the XSS vulnerability.

Remediation

To address this vulnerability, update the login function to send a header that sets the Content-Type to 'application/json; charset=utf-8', so the browser treats the body as data rather than markup. Additionally, sanitize or encode user input before using it in SQL queries (prepared statements) or reflecting it in responses (JSON encoding with HTML-safe escaping).
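As an added illustration (not code from the Zoo Management System itself), the following PHP contrasts a login handler with the weaknesses described above against a hardened version that applies the remediation. It assumes a PDO connection, a hypothetical `users` table with `id`, `username` and `password` columns, and password hashes produced by `password_hash()`; all of these names are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection $pdo and a
// hypothetical users(id, username, password) table storing password_hash() output.

// Weak pattern: no Content-Type header, so PHP's default text/html applies and a
// browser will render the reflected username; the query is also string-built.
function login_weak(PDO $pdo, string $username, string $password): void {
    $row = $pdo->query("SELECT id, password FROM users WHERE username = '$username'")
               ->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password'])) {
        echo '{"status":"success"}';
        return;
    }
    // Raw user input concatenated into the body: reflected XSS when rendered as HTML.
    echo '{"status":"failed","msg":"Login failed for ' . $username . '"}';
}

// Hardened pattern: explicit JSON Content-Type (plus nosniff so the browser does not
// second-guess it), a prepared statement for the lookup, and JSON encoding with the
// JSON_HEX_* flags so <, >, &, ' and " are emitted as \uXXXX escapes.
function login_hardened(PDO $pdo, string $username, string $password): void {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');

    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row && password_verify($password, $row['password'])) {
        $_SESSION['user_id'] = $row['id'];
        echo json_encode(['status' => 'success'], JSON_THROW_ON_ERROR);
        return;
    }

    // Generic failure message; the submitted username is deliberately not echoed back.
    echo json_encode(
        ['status' => 'failed', 'msg' => 'Invalid username or password'],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
```

A quick check after deploying the fix is to confirm the login endpoint's response carries `Content-Type: application/json; charset=utf-8` and that a username containing `<` comes back, if at all, as `\u003c` rather than a literal angle bracket.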

Added: Dec 2, 2025, 6:17 PM
Updated: Dec 2, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  5.8
remediation     6.0
relevance       1.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.