code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)

Exploit Author: Pruthu Raut Analysis Author: www.bubbleslearn.ir Category: Remote Language: PHP Published Date: 2025-04-22 
# Exploit Title: code-projects Online Exam Mastering System 1.0 - Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/exam/feedback.php
# Date: 2025-04-19
# Exploit Author: Pruthu Raut
# Vendor Homepage: https://code-projects.org/
# Software Link: https://code-projects.org/online-exam-system-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Kali Linux (Apache + PHP 7.x)
# CVE : CVE-2025-28121

# Description:
# code-projects Online Exam Mastering System 1.0 is vulnerable to a Reflected XSS vulnerability in feedback.php via the "q" parameter.
# The application fails to sanitize user input properly, allowing attackers to inject arbitrary JavaScript code.

# Vulnerable URL:
# http://localhost/exam/feedback.php?q=Thank%20you%20for%20your%20valuable%20feedback

# PoC (Proof of Concept):
# Payload:
http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>

# Steps to Reproduce:
# 1. Host the application locally using XAMPP or a similar stack.
# 2. Open the vulnerable URL with the payload in a browser.
# 3. The JavaScript alert will be executed, demonstrating reflected XSS.

# Impact:
# - Account takeover via stolen cookies if a privileged user clicks the malicious link.
# - Full control of victim’s session context if exploited properly.
# - Can be chained with social engineering to target administrators.

# Mitigation:
# - Use `htmlspecialchars()` or a proper encoding mechanism to sanitize user input.
# - Implement Content Security Policy (CSP) headers.
# - Avoid reflecting unsanitized GET parameters into the HTML response.


code-projects Online Exam Mastering System 1.0 — Reflected Cross‑Site Scripting (XSS)

This article explains a reflected Cross‑Site Scripting (XSS) issue identified in the code-projects Online Exam Mastering System 1.0 (CVE-2025-28121). It covers the vulnerability mechanics, impact, safe testing guidance, detection approaches, and concrete remediation steps with secure code examples and HTTP header recommendations. All testing examples below are intended for controlled, legal environments (local installs, test labs, or with explicit permission).

Quick summary

ItemDetails
Productcode-projects Online Exam Mastering System
Version1.0
VulnerabilityReflected Cross‑Site Scripting (XSS)
CVECVE-2025-28121
Root causeUnsanitized reflection of a GET parameter into HTML
Primary mitigationProper output encoding, CSP, secure cookie flags

What is reflected XSS?

Reflected XSS occurs when a web application takes user-supplied data (often from query parameters or form fields) and includes it in an HTTP response without proper encoding. An attacker crafts a link containing JavaScript in the parameter; when a victim opens that link, the injected script runs in the victim’s browser in the context of the vulnerable site.

Vulnerability mechanics in this application

  • The feedback page reflects the value of a query parameter (e.g., q) into HTML output without appropriate escaping.
  • If an attacker convinces a victim (or an admin) to open a crafted URL, arbitrary JavaScript can execute in the victim’s session context.
  • Consequences include cookie theft (unless cookies are protected), session hijacking, UI redressing, or further chained attacks (CSRF, targeted phishing).

Safe Proof‑of‑Concept (lab only)

To validate in a controlled environment, run the application locally (e.g., XAMPP, a VM), then request the feedback endpoint with a test value. Only perform such tests on systems you own or have explicit permission to test.

http://localhost/exam/feedback.php?q=<script>alert('XSS')</script>

Explanation: In a vulnerable app, the above URL places the raw <script> tag into the page HTML and the browser executes it, showing a JavaScript alert. This demonstrates a reflected XSS flaw. Do not use similar payloads against third‑party or production systems without authorization.

Impact scenarios

  • Account takeover: If an administrative user opens a malicious link, an attacker may steal session cookies and impersonate them.
  • Token theft and sensitive data exposure: Scripts can read DOM content, local storage, or perform actions on behalf of the user.
  • Phishing and social engineering: Attackers can create UI overlays that capture credentials.
  • Chaining with other vulnerabilities: XSS often serves as an entry point for broader compromises.

Detection and testing approaches

Automated scanning

  • Use reputable web vulnerability scanners (Burp Scanner, OWASP ZAP) to detect reflected XSS automatically.
  • Configure scanners to test query parameters and form inputs; verify findings manually.

Manual checks (safe testing)

  • Open the app in a controlled lab and inject benign markers (e.g., <test-xss>). Look for unencoded output in HTML, attribute, and URL contexts.
  • Inspect responses in the browser DevTools (View Source) to see how the parameter is reflected and in which context (HTML body, attribute, JavaScript context).

Context analysis is critical

Where the input is reflected determines the correct mitigation:

  • HTML content context — use HTML encoding.
  • Attribute context — use attribute encoding or quotes and proper encoding.
  • JavaScript context — avoid direct injection; use JSON encoding or avoid inline script substitutions.

Remediation: secure coding and configuration

General principles

  • Always perform output encoding based on the output context (use the principle of “encode on output”, not just input validation).
  • Use built-in framework or language APIs for escaping (do not craft your own ad‑hoc filters).
  • Implement defense‑in‑depth: output encoding, CSP, secure cookie flags, and input validation where appropriate.

Vulnerable PHP example (illustrative)

<?php
// feedback.php (vulnerable pattern)
$q = isset($_GET['q']) ? $_GET['q'] : '';
?>
<html>
<body>
  <p><?php echo $q; ?></p>
</body>
</html>

Explanation: This code reads the query parameter "q" and echoes it directly into page HTML without encoding. If an attacker supplies HTML or JavaScript, the browser will interpret it and execute script tags.

Secure fix using htmlspecialchars()

<?php
// feedback.php (safe output encoding)
$q = isset($_GET['q']) ? $_GET['q'] : '';

// Encode for HTML output. Use ENT_QUOTES and UTF-8 to handle quotes and encoding attacks.
$safe_q = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

?>
<html>
<body>
  <p><?php echo $safe_q; ?></p>
</body>
</html>

Explanation: htmlspecialchars() converts special characters (<, >, &, " and ') into HTML entities so the browser will render them as text rather than interpreting them as HTML or script. ENT_SUBSTITUTE prevents invalid UTF-8 from being silently passed through. Use the correct charset (UTF-8).

When reflecting into JavaScript or attributes

If you must inject data into a JavaScript context or inside HTML attributes, use appropriate encoding or avoid inline scripts altogether. Example: embed data as JSON inside a data- attribute and let client-side code read it via dataset or parse JSON safely.

<?php
// Safe: place data in data- attribute after encoding
$data = isset($_GET['q']) ? $_GET['q'] : '';
$safe_data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
?>

<div id="feedback" data-feedback="<?php echo $safe_data; ?>"></div>

<script>
  // Read from dataset (no innerHTML injection)
  const feedback = document.getElementById('feedback').dataset.feedback;
  console.log('Feedback (safe):', feedback);
</script>

Explanation: The server encodes the value for attribute context, preventing injection of quotes or angle brackets. Client-side code reads the value as plain text rather than executing it.

Content Security Policy (CSP)

CSP is a powerful mitigation that restricts sources of scripts and other resources. While it’s not a replacement for proper encoding, it reduces the blast radius of XSS.

<?php
// Example CSP header added in PHP
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';");
?>

Explanation: This CSP allows scripts only from the same origin and blocks plugin objects. Consider adding nonce-based or hash-based rules for legitimate inline scripts when necessary. Remember CSP must be tuned to your application; overly strict policies can break functionality if inline scripts or external CDNs are in use.

Additional server-side and deployment recommendations

  • Set secure cookie flags: HttpOnly, Secure, and SameSite=strict or lax where appropriate to reduce session theft via JS.
  • Use frameworks and templating engines that auto-escape output (Twig, Blade, etc.).
  • Keep the application and dependencies updated; apply vendor patches.
  • Use input validation for business logic (length, allowed characters) but rely on output encoding for XSS prevention.
  • Enable logging and alerting for suspicious input patterns and unexpected page responses.

Example: secure cookie settings (PHP)

<?php
// Set session cookie parameters for increased safety
session_set_cookie_params([
  'lifetime' => 0,
  'path' => '/',
  'domain' => '',       // set your domain
  'secure' => true,     // only over HTTPS
  'httponly' => true,   // not accessible to JavaScript
  'samesite' => 'Lax'   // or 'Strict' depending on needs
]);
session_start();
?>

Explanation: These flags make it harder for an attacker to exfiltrate session cookies via XSS and reduce cross-site request risks.

Detection and remediation workflow (recommended)

  • Inventory: Identify all endpoints that reflect user input (query params, POST values, headers).
  • Assess context: Determine where each parameter is rendered (HTML, attribute, URL, JS, CSS).
  • Fix: Apply proper encoding for each context. Prefer framework/template auto-escaping.
  • Harden: Add CSP, secure cookies, and other headers.
  • Test: Re-scan with automated tools and manual validation in a staging environment.
  • Monitor: Deploy runtime monitoring for anomalous requests and response contents.

Responsible disclosure and updates

If you maintain a system using this package, update to a fixed version from the vendor or apply the output-encoding patches described here. If you discover similar issues in other installations, follow responsible disclosure procedures: notify the vendor or site owner, provide reproduction details for a test system, and allow time for a fix before public disclosure.

Summary

Reflected XSS in code-projects Online Exam Mastering System 1.0 is a high‑impact issue when unsanitized input is reflected in HTML. The correct defense is context-aware output encoding (e.g., htmlspecialchars() in PHP), combined with security headers (CSP), safe cookie settings, and secure development practices. Test only in authorized environments and apply the remediation steps above to eliminate the vulnerability.