Reflected Cross-Site Scripting (XSS)

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the application's search functionality. The application reflects the user-supplied search term back into the response without output encoding. An attacker who lures a victim into opening a crafted search link can therefore execute arbitrary JavaScript in the victim's browser within the application's origin, with access to the victim's authenticated session (DOM, same-origin requests, and any cookies not marked HttpOnly).

  1. Click on the Search icon (magnifying glass) in the navigation bar.
  2. In the search input field, enter the payload shown below.
  3. Press Enter.
  4. Observe that the reflected input is rendered as HTML rather than as text: the injected JavaScript executes and an alert box displaying "XSS" appears.

The payload uses an image tag with an invalid source so that the browser fires the element's onerror handler as soon as the image fails to load:

<img src=x onerror="alert('XSS')">

Severity: High

The vulnerability occurs because the application takes the q query parameter from the URL and inserts it directly into the HTML DOM (specifically the "Search Results" header) without escaping HTML metacharacters. The browser therefore parses the reflected <img ...> string as an element rather than as text; because the image cannot load, its onerror handler runs. The fix is to encode the value for the context in which it is output (for the header, set the text via textContent rather than innerHTML, or HTML-entity-encode the value before insertion); a Content Security Policy that disallows inline event handlers would additionally limit the impact of any remaining reflection.
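The following is an added example, not code from the affected application, that models the root cause above beside its corrected form: the q parameter is read from the URL, rendered into a "Search Results" header first by raw concatenation (the vulnerable pattern) and then with HTML entity encoding (the fix). The URL, path, header markup and function names are assumptions for illustration; the application's real code was not provided.

```javascript
// Added example (not from the original finding): a minimal model of the
// vulnerable "Search Results" header rendering beside a hardened version.
// The URL, path, markup and function names are assumptions for illustration.

// Payload from the finding, constructed here as the sample input.
const PAYLOAD = '<img src=x onerror="alert(\'XSS\')">';

// Read the `q` query parameter the way a client-side script might.
function getSearchQuery(urlString) {
  const url = new URL(urlString);
  return url.searchParams.get('q') ?? '';
}

// VULNERABLE: the raw parameter is concatenated into HTML. A browser parsing
// this string sees a real <img> element, fails to load "x", and runs the
// onerror handler. Equivalent to `header.innerHTML = 'Search Results for ' + q`.
function renderSearchHeaderVulnerable(q) {
  return `<h2>Search Results for "${q}"</h2>`;
}

// Escape the five characters that can change HTML structure or break out of
// an attribute value. Ampersand goes first so existing entities are not
// double-encoded. This is the output-encoding step the application lacks.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// HARDENED: encode on output so the payload is shown as visible text.
// Equivalent to `header.textContent = 'Search Results for ' + q` in the DOM.
function renderSearchHeaderSafe(q) {
  return `<h2>Search Results for "${escapeHtml(q)}"</h2>`;
}

// Check used to verify the fix: does the rendered fragment still contain a
// live <img> tag derived from the input? In the encoded output the leading
// '<' has become '&lt;', so no tag is present.
function containsInjectedImgTag(html) {
  return /<img\b/i.test(html);
}

// Demonstration with the reported payload carried in the q parameter.
const attackUrl = 'https://example.test/search?q=' + encodeURIComponent(PAYLOAD);
const q = getSearchQuery(attackUrl);

console.log('vulnerable:', renderSearchHeaderVulnerable(q));
console.log('hardened:  ', renderSearchHeaderSafe(q));
console.log('vulnerable output contains <img>?', containsInjectedImgTag(renderSearchHeaderVulnerable(q)));
console.log('hardened output contains <img>?  ', containsInjectedImgTag(renderSearchHeaderSafe(q)));
```

The vulnerable function is a string model of what innerHTML assignment does in the page; the hardened function encodes for the HTML text context only. A value placed into a different context (a JavaScript string, a URL, a CSS value) needs that context's encoding instead, and textContent is the simplest correct choice when the value is only ever displayed.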