By entering any content in the “Database,” “Password,” and “Role” fields and submitting the request, we can observe that the following request is sent to the server:
The value of the parameter can be modified to "><script>alert(1)</script>, which breaks out of the application’s expected HTML syntax and results in the execution of the JavaScript alert function. This causes an alert box displaying the value 1 to appear, confirming the XSS vulnerability.
For the proof of concept, only the alert function was used to display a popup with the value 1 on the screen. However, in a real attack scenario, JavaScript could be used to access the PHP session cookie, potentially leading to account hijacking.
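The two mitigations that follow from the above, shown as an added example that is not the application's own code: encoding the submitted value before it is written back into the page, and marking the PHP session cookie HttpOnly so script cannot read it. It assumes the value is reflected inside an HTML attribute (as the leading "> of the proof-of-concept value suggests); the function names and the field name "example" are hypothetical.

```php
<?php
// Added example. render_field_*() and start_hardened_session() are hypothetical
// names, and the "example" field is a placeholder for the affected parameter.

// Vulnerable pattern: the request value is copied into an attribute unencoded,
// so a value starting with "> closes the attribute and the tag.
function render_field_vulnerable(string $value): string
{
    return '<input type="text" name="example" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function render_field_hardened(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="example" value="' . $safe . '">';
}

// Defence in depth for the session cookie: HttpOnly keeps it out of
// document.cookie even if a script injection is missed elsewhere.
// The array form of session_set_cookie_params() requires PHP 7.3 or later.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Must run before any output; skipped on the command line where no cookie is sent.
if (PHP_SAPI !== 'cli') {
    start_hardened_session();
}

// The proof-of-concept value from the text, rendered both ways for comparison.
$payload = '"><script>alert(1)</script>';
echo render_field_vulnerable($payload), PHP_EOL;
echo render_field_hardened($payload), PHP_EOL;
```

HttpOnly only limits cookie theft; the output encoding is what removes the injection itself.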
