SourceCodester Loan Management System Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in SourceCodester Loan Management System version 1.0. The issue resides in the index.php file, where the application improperly sanitizes the 'page' parameter in GET requests. This flaw allows remote attackers to inject arbitrary JavaScript or HTML, which is then executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal session cookies from authenticated users or administrators. Additionally, it could be used for phishing attacks by modifying the page's DOM to deceive users into entering their credentials. The vulnerability also enables attackers to perform actions on behalf of the victim within the application.

Reproduction

To reproduce this vulnerability, deploy the Loan Management System locally. Then, access the index.php page and manipulate the 'page' parameter in the URL with a crafted payload that includes JavaScript, such as an alert command. The injected script will execute in the browser, demonstrating the cross-site scripting vulnerability.
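As an added defensive example (not part of this advisory and not the application's own code), the Python below scans constructed web-server access-log lines for index.php requests whose decoded 'page' value carries markup, and shows the allowlist check that a safe page router would apply instead of reflecting the parameter; the log lines and the names in ALLOWED_PAGES are assumptions, not taken from the product.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache-style, shortened); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Mar/2026:05:21:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.7 - - [08/Mar/2026:05:21:03 +0000] "GET /index.php?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [08/Mar/2026:05:21:05 +0000] "GET /index.php?page=loans%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 610
10.0.0.4 - - [08/Mar/2026:05:21:09 +0000] "GET /login.php HTTP/1.1" 200 300
"""

# Hypothetical allowlist of page names the router may dispatch to; the real
# application's page names are not given in the advisory.
ALLOWED_PAGES = {"home", "loans", "borrowers", "payments"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that never belong in a page name: tags, quotes, inline event handlers.
SUSPICIOUS_RE = re.compile(r'<|>|["\']|\bon\w+\s*=', re.IGNORECASE)

def page_param(target):
    """Return the decoded 'page' value of an /index.php request, or None."""
    parts = urlsplit(target)
    if parts.path != "/index.php":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("page")
    # parse_qs decodes one layer; a second unquote exposes double-encoded values.
    return unquote(values[0]) if values else None

def is_allowed_page(value):
    """Allowlist check: the safe way to route a user-supplied 'page' value."""
    return value in ALLOWED_PAGES

def scan_log(text):
    """Return (client_ip, decoded_page) for requests whose 'page' value is off the
    allowlist or contains markup, i.e. candidate reflected-XSS attempts."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        value = page_param(m.group("target"))
        if value is None:
            continue
        if not is_allowed_page(value) or SUSPICIOUS_RE.search(value):
            findings.append((line.split(" ", 1)[0], value))
    return findings

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} -> page={value!r}")
```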

Added: Mar 8, 2026, 5:21 AM
Updated: Mar 8, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         1.7
exploitability: 5.6
remediation:    0.0
relevance:      3.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.