Code-Projects Online Hotel Booking
cpe:2.3:a:online_hotel_booking_system_project:online_hotel_booking_system:*:*:*:*:wordpress:*:*
- 1.0
A reflected cross-site scripting vulnerability has been identified in the Online Hotel Booking System by Code-Projects, specifically in version 1.0. The issue arises in the Booking Endpoint, within the file 'booknow.php'. The vulnerability is triggered by manipulating the 'roomname' parameter in the HTTP GET request. The application fails to properly validate or encode this user-supplied input before it is reflected in the HTML response. As a result, malicious JavaScript or HTML can be injected and executed in the browsers of users who access the crafted URL.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to session hijacking, cookie theft, and unauthorized actions performed on behalf of the user.
To reproduce this vulnerability, send a GET request to 'booknow.php' with a crafted 'roomname' parameter that includes JavaScript code, such as a script tag with a JavaScript alert. The injected script will execute when the page is loaded, demonstrating the cross-site scripting vulnerability.
It is recommended to apply context-aware output encoding to user-supplied input at the point it is rendered into HTML, to validate input against an allow-list that rejects unexpected characters, and to deploy a Content Security Policy header so that any injected inline script is not executed.
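The following PHP fragment is an added illustration, not code from the Code-Projects application: a hypothetical handler for the 'roomname' parameter showing the weak reflection pattern the advisory describes beside a hardened version that applies the recommended allow-list validation, output encoding and Content Security Policy. The allow-list pattern and 64-character limit are assumptions for the demo, not a policy the project states.

```php
<?php
// Added example (not the project's own booknow.php): weak vs. hardened
// handling of a reflected GET parameter.
declare(strict_types=1);

// Weak pattern (for contrast only): the parameter is placed in the HTML
// unvalidated and unencoded, so any markup in it is interpreted by the browser.
function render_weak(array $get): string
{
    $room = $get['roomname'] ?? '';
    return "<h2>Booking: $room</h2>";
}

// Allow-list validation: letters, digits, spaces, hyphens and underscores,
// at most 64 characters (assumed policy for this demo). Returns null on failure.
function validate_roomname(mixed $raw): ?string
{
    if (!is_string($raw)) {          // rejects roomname[]=... array inputs too
        return null;
    }
    return preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $raw) === 1 ? $raw : null;
}

// Context-aware output encoding for HTML text and attribute contexts.
// ENT_QUOTES also escapes single quotes, so the value is safe inside attributes.
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $get): string
{
    $room = validate_roomname($get['roomname'] ?? null);
    if ($room === null) {
        http_response_code(400);
        return '<p>Invalid room name.</p>';
    }
    // Encode even after validation: defence in depth if the allow-list is loosened later.
    return '<h2>Booking: ' . encode_html($room) . '</h2>';
}

// A CSP without 'unsafe-inline' stops inline script from executing even if
// encoding is missed somewhere else; headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('X-Content-Type-Options: nosniff');

echo render_hardened($_GET);
```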