# Summary

A Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the SourceCodester Ship/Ferry Ticket Reservation System due to improper sanitization of user-supplied input.

An authenticated attacker can inject malicious JavaScript payloads into application input fields. The application stores the injected payload and executes it when the affected page is viewed, resulting in arbitrary JavaScript execution in another user's browser.

This vulnerability may lead to session hijacking, account compromise, credential theft, unauthorized actions, or execution of malicious scripts in the context of authenticated users.

# Executive Summary

The application improperly handles user-supplied input and fails to sanitize or encode malicious JavaScript content before rendering it in the browser.

An authenticated administrator can inject malicious JavaScript payloads into the username field during user creation or modification. The payload becomes persistently stored and automatically executes for authenticated users.

This introduces a persistent client-side attack vector that may result in account compromise and unauthorized actions.

# Scope

- **Application Name:** Ship/Ferry Ticket Reservation System — PHP
- **Vendor:** SourceCodester
- **Affected Component:** User Input / Profile Functionality
- **Vulnerability Type:** Stored Cross-Site Scripting (Stored XSS)

# Methodology

The vulnerability was identified through manual authenticated security testing.

Input validation and output encoding mechanisms were tested by inserting JavaScript payloads into user-controlled fields and verifying whether the payload was stored and executed when rendered.

The following methodology was used:

- Authentication as an administrator
- Input field testing
- Payload injection
- Stored payload verification
- Client-side script execution validation

# Detailed Findings

### Vulnerability Name

Stored Cross-Site Scripting (Stored XSS)

### Description

The application fails to sanitize user-controlled input in the **username field** during user creation or modification.

An attacker can inject malicious JavaScript payloads into the username parameter through the administrative user management functionality. The payload becomes permanently stored in the database and automatically executes whenever authenticated users access affected pages.

Because the malicious payload is rendered globally across multiple authenticated pages, any authenticated user, including administrators, becomes vulnerable to arbitrary JavaScript execution.

### Proof of Concept Payload

```html
<img src=x onerror=alert(document.domain)>
```

### Steps to Reproduce

1. Log in as an administrator.

2. Navigate to:

```http
GET /admin/?page=user/manage_user
```

3. Create a new user or edit an existing user.

4. Insert the following payload into the **username** field:

```html
<img src=x onerror=alert(document.domain)>
```

5. Save the user profile.

6. Log out and authenticate using another user account (admin or low-privileged user).

7. Observe that the payload executes automatically across authenticated pages and a popup appears.

### Proof of Concept

A malicious JavaScript payload injected into the username field was successfully stored in the database and executed automatically for authenticated users.

The payload persisted across sessions and affected both low-privileged users and administrators, demonstrating a persistent Stored Cross-Site Scripting vulnerability.

# Risk Scoring

**Severity:** High

**CVSS v3.1 Base Score:** 8.0

**CWE:** CWE-79 — Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)

# Impact

Successful exploitation of this vulnerability may allow an attacker to:

- Execute arbitrary JavaScript in victims' browsers
- Steal session tokens
- Perform unauthorized actions as victims
- Conduct phishing attacks
- Compromise authenticated administrator accounts

This may result in account compromise and unauthorized access to application functionality.

# Remediation Summary

The application should properly sanitize and encode all user-supplied input before rendering it in the browser.

Recommended mitigations include:

- Apply contextual output encoding
- Implement server-side input sanitization
- Use allow-list validation
- Deploy Content Security Policy (CSP)
- Sanitize all stored user input
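A PHP illustration of these layered mitigations, added here as an example and not taken from the SourceCodester application; the username allow-list pattern, the helper names and the CSP policy are assumptions chosen for the example.

```php
<?php
// Added example, not code from the SourceCodester application. It shows the
// layers the remediation section recommends: allow-list validation on input,
// contextual output encoding on render, and a CSP header as defense in depth.

// Allow-list rule for the username field (constructed for this example:
// 3 to 32 characters, letters, digits, dot, underscore, hyphen).
function validate_username(string $username): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username) === 1;
}

// Contextual output encoding for HTML text and attribute context.
// ENT_QUOTES covers single- and double-quoted attributes; ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently producing an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern the advisory describes: the stored value is echoed raw,
// so the <img onerror=...> markup reaches the browser as live HTML.
function render_username_vulnerable(string $username): string
{
    return '<td>' . $username . '</td>';
}

// Hardened rendering: every place the stored username is shown (user list,
// header bar, profile) goes through h(), so < and > arrive as &lt; and &gt;.
function render_username_safe(string $username): string
{
    return '<td>' . h($username) . '</td>';
}

// CSP without 'unsafe-inline': an inline onerror handler that still reaches
// the page is refused by the browser. Must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}
// Constructed input mirroring the advisory's proof-of-concept payload.
$submitted = '<img src=x onerror=alert(document.domain)>';

// Input boundary (manage_user form): the payload fails the allow-list and
// is never stored; a normal username such as 'ferry_clerk01' passes.
var_dump(validate_username($submitted), validate_username('ferry_clerk01'));
// Output boundary, for rows already in the database before the fix:
send_csp_header();
echo render_username_vulnerable($submitted), "\n", render_username_safe($submitted), "\n";
```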

# Appendix

- **Vulnerability Category:** Cross-Site Scripting (XSS)
- **CWE Reference:** CWE-79
- **Authentication Required:** Yes
- **Privileges Required:** High
- **Attack Vector:** Network
- **Security Risk:** High