This is a demonstration of Cross-Site Scripting (XSS) attacks in phpMyAdmin and PHP_SELF. For this demo, I'll be using bWAPP, a buggy web application that we can use to test various web vulnerabilities.
bWAPP official link: http://www.itsecgames.com/
How to perform a Cross-Site Scripting attack in phpMyAdmin?
Now please choose Cross-site-Scripting — Reflected (phpMyAdmin) from the drop-down menu and click Hack.
This is a phpMyAdmin cross-site scripting bug, and you can see the message here:
The phpMyAdmin version fails to validate BBcode tags in the error.php script! and the HINT is "CVE-2010-4480".
CVE stands for Common Vulnerabilities and Exposures, and each entry is identified by a CVE ID. If you search for this ID on their website, you will find the details of this particular vulnerability.
For example, there was an XSS bug found in the db_central_columns.php file query parameter.
It was a major bug in phpMyAdmin, and with it an attacker can do serious damage to the database.
But by now this bug is already fixed in most phpMyAdmin versions.
For more information, please check the CVE report.
How to perform a Cross-Site Scripting attack in PHP_SELF?
Now please choose Cross-site-Scripting — Reflected (PHP_SELF) from the drop-down menu and click Hack.
As you can see, we get the same user interface again that we found in the (GET & POST) sections: Cross-site-Scripting — Reflected (GET & POST).
Whenever you are developing a web application, please follow the OWASP guidelines.
That way you can at least reduce common vulnerabilities in your websites.
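The PHP_SELF case from the defender's side, as an added example that is not code from bWAPP or from the original post. It assumes the page writes $_SERVER['PHP_SELF'] into a form's action attribute; the script name /form.php, the sample value and the function names are constructed for illustration.

```php
<?php
// PHP_SELF includes any extra path info the client appends after the script
// name, so it is request-controlled input, not a constant.

// Constructed sample standing in for $_SERVER['PHP_SELF'] on a request whose
// path carries markup after the (hypothetical) script name /form.php.
$phpSelf = '/form.php/"><b>injected</b>';

// Vulnerable pattern: the value is written into the attribute as-is, so the
// quote in the path closes the attribute and the rest is parsed as HTML.
function form_vulnerable(string $self): string
{
    return '<form action="' . $self . '" method="GET">';
}

// Hardened pattern 1: encode for the HTML attribute context.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string.
function form_encoded(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="GET">';
}

// Hardened pattern 2: avoid PHP_SELF. SCRIPT_NAME holds only the script path,
// without client-appended path info. It is still encoded on output.
function form_script_name(string $scriptName): string
{
    $safe = htmlspecialchars($scriptName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="GET">';
}

// Compare the three outputs: only the first lets the path break out of
// the action attribute.
echo form_vulnerable($phpSelf), "\n";
echo form_encoded($phpSelf), "\n";
echo form_script_name('/form.php'), "\n";
```

In a real handler, pass $_SERVER['PHP_SELF'] or $_SERVER['SCRIPT_NAME'] in place of the constructed strings.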
For more information?
I hope you guys like this post. Bye bye for now.
Happy Hacking :)