#86 [security vulnerability] Cross-Site Scripting (XSS) vulnerabilities

Milestone: v1.0 (example)
Status: open
Owner: nobody
Priority: 9
Updated: 2026-03-11
Created: 2026-03-11
Creator: Tianhao Bai
Private: No

Recently, during a focused security assessment, our team identified multiple Reflected Cross-Site Scripting (XSS) vulnerabilities within the application. These flaws reside in several endpoints where user-supplied input is insufficiently sanitized before being rendered in the browser. If exploited, these vulnerabilities could allow an attacker to execute malicious scripts in the context of a victim's session, potentially leading to unauthorized data access or session hijacking.

Vuln 01:
In opponentspassword.php, the parameter $_POST['gameID'] is reflected directly into the page source without any sanitization.
Proof of Concept: gameID="><details id=1 ontoggle=confirm(711)>xxx</details><"

Vuln 02 - Vuln 05:
In newuser.php, the POST parameters are reflected directly into the page source without any sanitization at L45, L60, L70, and L149.
Proof of Concept: txtNick=<script>confirm(711);//\</script> or txtFirstName="><details id=1 ontoggle=confirm(711)>xxx</details><"

Vuln 06 - Vuln 09:
In chess.php, the POST parameters are reflected directly into the page source without any sanitization at L215 - L218.
Proof of Concept: fromRow="><iframe id=1 src=javascript:confirm(711)>xxx</iframe><"

Recommendation:
To fix these vulnerabilities, we recommend that developers implement proper sanitization (e.g. htmlspecialchars()) for user input before displaying it on the web page.
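As an added illustration (not code from this project), the vulnerable echo pattern the report describes next to the hardened version, with the ticket's own proof-of-concept strings run through both. The helper names e(), renderUnsafe(), renderSafe() and isInert() are assumptions for this example; the escaping relies on the standard htmlspecialchars() with ENT_QUOTES so that both quote styles are encoded, and it only holds when the value lands in text content or a quoted attribute, never inside a script block or an unquoted attribute.

```php
<?php
// Added example, not the project's code: output encoding for the reflected
// POST parameters named in this ticket (gameID, txtNick, txtFirstName, fromRow).
declare(strict_types=1);

// Encode the five HTML-significant characters, including single quotes, and
// replace invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Pattern from the report: the raw POST value is written into an attribute, so a
// leading "> closes the attribute and the tag and the rest becomes live markup.
function renderUnsafe(string $gameID): string
{
    return '<input type="hidden" name="gameID" value="' . $gameID . '">';
}

// Hardened pattern: identical template, value encoded at output time.
function renderSafe(string $gameID): string
{
    return '<input type="hidden" name="gameID" value="' . e($gameID) . '">';
}

// True when the only '<' and '"' in the rendered fragment are the template's own
// (one opening angle bracket, six double quotes) and no injected tag survives.
function isInert(string $html): bool
{
    return substr_count($html, '<') === 1
        && substr_count($html, '"') === 6
        && stripos($html, '<details') === false
        && stripos($html, '<script') === false
        && stripos($html, '<iframe') === false;
}

// Board coordinates such as fromRow should also be validated before use;
// the range here is a constructed assumption, not taken from chess.php.
function validRow(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 7]]);
    return $n === false ? null : $n;
}

// The ticket's proof-of-concept payloads, used as test input.
$payloads = [
    '"><details id=1 ontoggle=confirm(711)>xxx</details><"',
    '<script>confirm(711);//\</script>',
    '"><iframe id=1 src=javascript:confirm(711)>xxx</iframe><"',
];
foreach ($payloads as $p) {
    if (isInert(renderUnsafe($p)) || !isInert(renderSafe($p))) {
        throw new RuntimeException('encoding check failed for: ' . $p);
    }
    echo renderSafe($p), "\n";
}
```

Each echoed line shows the payload reduced to `&quot;&gt;&lt;details ...`, which the browser displays as text rather than parsing as markup; validRow() returns null for any of these strings and an int only for 0 to 7.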
