Key Information Vulnerability Overview Type: Stored Cross-Site Scripting (XSS) Affected System: Food Ordering System in PHP CodeIgniter Affected Version: 1.0 Key Details Proof of Concept (PoC) 1. Log in to the Foodinator Admin Panel - Access: - Authenticate using valid credentials. 2. Inject XSS Payload in Name Field - Paste the following payload into the "Address" and "Name" input fields, then click Update: 3. Trigger the Payload - When the stored page is loaded, a JavaScript event will be triggered, confirming the stored XSS vulnerability. - When the admin accesses the dashboard or browses through it, the payload will be triggered again, confirming the stored XSS. Potential Impact Session Hijacking: Steal user/admin session cookies to take over accounts. Phishing: Inject fake forms to collect credentials. Website Defacement: Alter webpage content, damaging brand reputation. Data Exfiltration: Steal sensitive data via backend requests. Malware Distribution: Spread malicious code across multiple domains. Privilege Escalation: Gain access to higher-privileged accounts by exploiting stored scripts. Mitigation Strategies Input Sanitization - Use functions like to sanitize all user inputs. Output Encoding - Encode dynamic content before rendering.