Pib-Home Bug Report

Hijaab Sikander has identified critical security vulnerabilities on the e-commerce website https://www.pib-home.co.uk/, including Stored XSS, Reflected XSS, and SQL Injection, which pose significant risks to user data and company integrity. Immediate remediation is necessary to prevent exploitation, as these vulnerabilities can lead to data breaches, financial loss, and reputational damage. Recommendations include implementing input validation and output encoding to mitigate these risks.

Uploaded by

hijaabsikander

[email protected] - [email protected].com

Introduction:

My name is Hijaab Sikander, and I am a cybersecurity enthusiast. I am writing to inform you of several critical security vulnerabilities I discovered on your e-commerce website https://www.pib-home.co.uk/, specifically within the search functionality. These vulnerabilities include Stored Cross-Site Scripting (XSS), Reflected Cross-Site Scripting (XSS), and SQL Injection. These issues pose significant risks to your company's integrity and user data security. Immediate action is necessary to address these vulnerabilities and prevent potential exploitation.

Types of Cross-Site Scripting (XSS)

1. Stored XSS
Stored XSS occurs when the injected script is permanently stored on the target
servers, such as in a database, comment field, or other data-storing mechanism.
When a user visits the affected page, the script is executed, allowing the attacker
to hijack the session or perform other malicious actions.
2. Reflected XSS
This type of XSS occurs when malicious scripts are reflected off a web server
and immediately returned to the user. The vulnerability discovered in your
website falls into this category, as it affects the search feature. Reflected XSS
can be exploited by tricking a user into clicking on a malicious link, leading to the
theft of sensitive information such as cookies or session tokens.
3. DOM-based XSS
In this type, the vulnerability exists within the client-side code rather than the
server-side code. The attack is carried out and executed by the browser, often
through JavaScript that manipulates the DOM.
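
The two server-side variants above, stored and reflected, come down to the same defect: user input is written into HTML without output encoding, and the only difference is whether the input is echoed straight back or saved and replayed on later page loads. The following Python example is added here for illustration and is not code from this report or from the pib-home site; the search-results rendering, the RecentSearches store and the sample input are constructed stand-ins for whatever the real site does. It shows the vulnerable rendering beside an output-encoded version for both paths, plus a regression check that flags when raw markup survives into the output.

```python
import html
from typing import Dict, List

# Constructed sample input: a search term carrying HTML markup. Markup that
# reaches the page unencoded is interpreted by the browser, not displayed.
SAMPLE_QUERY = "<b>lamp</b>"
SAMPLE_HITS = ["Desk lamp"]


def render_results_vulnerable(query: str, hits: List[str]) -> str:
    """Reflected XSS: the raw query is interpolated into the HTML response."""
    items = "".join(f"<li>{hit}</li>" for hit in hits)
    return f"<p>Results for: {query}</p><ul>{items}</ul>"


def render_results_safe(query: str, hits: List[str]) -> str:
    """Same page with output encoding. html.escape neutralises the HTML
    metacharacters for an HTML text context; attribute and JavaScript contexts
    need their own encoders."""
    items = "".join(f"<li>{html.escape(hit)}</li>" for hit in hits)
    return f"<p>Results for: {html.escape(query)}</p><ul>{items}</ul>"


class RecentSearches:
    """Hypothetical server-side store of recent search terms that is rendered on
    later page loads. This is the stored XSS path: the term is saved once and
    replayed to every visitor of the page that lists recent searches."""

    def __init__(self) -> None:
        self._terms: List[str] = []

    def add(self, term: str) -> None:
        # Storing the raw term is fine; the defect is in how it is rendered.
        self._terms.append(term)

    def render_vulnerable(self) -> str:
        return "<ul>" + "".join(f"<li>{t}</li>" for t in self._terms) + "</ul>"

    def render_safe(self) -> str:
        return "<ul>" + "".join(f"<li>{html.escape(t)}</li>" for t in self._terms) + "</ul>"


def raw_markup_survives(rendered: str, user_input: str) -> bool:
    """Regression check: True when input containing HTML metacharacters appears
    verbatim in the rendered page, i.e. encoding was skipped somewhere."""
    has_meta = any(c in user_input for c in "<>\"'&")
    return has_meta and user_input in rendered


def demo() -> Dict[str, bool]:
    """Run both paths on the constructed sample; True means markup leaked through."""
    store = RecentSearches()
    store.add(SAMPLE_QUERY)
    store.add("sofa")
    return {
        "reflected_vulnerable": raw_markup_survives(
            render_results_vulnerable(SAMPLE_QUERY, SAMPLE_HITS), SAMPLE_QUERY),
        "reflected_safe": raw_markup_survives(
            render_results_safe(SAMPLE_QUERY, SAMPLE_HITS), SAMPLE_QUERY),
        "stored_vulnerable": raw_markup_survives(store.render_vulnerable(), SAMPLE_QUERY),
        "stored_safe": raw_markup_survives(store.render_safe(), SAMPLE_QUERY),
    }


if __name__ == "__main__":
    for path, leaks in demo().items():
        print(f"{path}: {'raw markup in output' if leaks else 'encoded'}")
```

The check in `raw_markup_survives` is the kind of assertion worth keeping in a test suite after the fix: it fails again the moment any template path starts emitting user input without encoding. Encoding at output time, rather than trying to strip "bad" input on the way in, is what makes both the reflected and the stored case safe with one change.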

Details of the Vulnerability:

I have identified SQL Injection, Reflected Cross-Site Scripting (XSS) and Stored Cross-Site Scripting (XSS) vulnerabilities on your e-commerce website https://www.pib-home.co.uk/. The XSS vulnerabilities occur when a script is reflected in the website's response, or stored and served back later, and executed in users' browsers. Together these issues present a serious security risk, as they can expose sensitive information, including session cookies, databases that may contain user login data, and payment information.

- Vulnerability Type: Reflected and Stored XSS and SQL injection
- Impact: Exposure of session cookies, database contents and other sensitive data
- Affected Area: https://www.pib-home.co.uk/

These vulnerabilities allow malicious scripts to be executed in the context of the user's session, potentially compromising their accounts and personal information.

Vulnerability Overview

1. Stored Cross-Site Scripting (XSS)

Stored XSS vulnerabilities occur when user input is improperly sanitized and stored on
the server, later served to users. This can allow attackers to inject malicious scripts into
your website that will execute whenever a user accesses an affected page.

2. Reflected Cross-Site Scripting (XSS)

Reflected XSS occurs when user input is immediately returned by the server without
proper sanitization. This type of XSS can allow attackers to craft malicious URLs that,
when clicked by a user, execute harmful scripts.

3. SQL Injection

SQL Injection vulnerabilities allow attackers to manipulate SQL queries sent to your
database by injecting malicious SQL code through unsanitized user input fields. This
can result in unauthorized data exposure and even database manipulation.

Vulnerability Details

Stored XSS

The stored XSS vulnerability I found is within the search section on your website, which
appears on multiple pages. When a script is input into the search bar, it is stored and
subsequently executed each time the page is accessed. I found that clicking the
"Personal Assistant" button on the right side results in the execution of these scripts,
demonstrating an unprotected vector for XSS attacks.

Reflected XSS

The reflected XSS vulnerability also exists in the search functionality. When a user inputs a script, it is reflected back in the response without any form of sanitization. This means attackers could craft malicious URLs to execute scripts directly in users' browsers upon visiting the URL.

SQL Injection

In addition to the XSS vulnerabilities, I identified an SQL Injection vulnerability within the search functionality. The unsanitized user input allows an attacker to inject SQL code, potentially gaining access to the database's content. Evidence of this vulnerability is the exposure of website code in responses, which indicates that the server is executing arbitrary SQL commands based on user input.
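
The SQL injection finding above, and the parameterized-query fix recommended in the conclusion, can be illustrated with a small search handler. The following Python example is added here and is not code from this report or from the site; it builds an in-memory SQLite products table from constructed rows and runs a search term through a string-concatenated query and a parameterized one. An apostrophe in an ordinary product name is enough to break the concatenated query, and the resulting database error is exactly the kind of backend detail that ends up in a response when errors are not handled. The parameterized version also escapes the LIKE wildcards, which binding alone does not neutralize.

```python
import sqlite3
from typing import Dict, List, Union

# Constructed sample data standing in for a product catalogue.
SAMPLE_PRODUCTS = ["Desk lamp", "O'Brien armchair", "Sofa"]


def make_demo_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [(name,) for name in SAMPLE_PRODUCTS])
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """String concatenation: the search term becomes part of the SQL text, so a
    quote in the term changes the statement instead of being matched literally."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Parameterized query: the term is bound as data and never parsed as SQL.
    LIKE's own metacharacters (% and _) are escaped as well, so a '%' typed by
    the user is not a match-everything wildcard."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


Outcome = Union[List[str], str]


def probe(conn: sqlite3.Connection, term: str) -> Dict[str, Outcome]:
    """Run one term through both handlers. A database error is reported by its
    class name, standing in for the error text a leaky site would show the user."""
    results: Dict[str, Outcome] = {}
    for label, handler in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        try:
            results[label] = handler(conn, term)
        except sqlite3.Error as exc:
            results[label] = type(exc).__name__
    return results


if __name__ == "__main__":
    db = make_demo_db()
    for t in ("lamp", "O'Brien", "%"):
        print(repr(t), probe(db, t))
```

For the term `O'Brien` the concatenated handler raises `OperationalError` while the parameterized one returns the matching row; for `%` the concatenated handler returns every product and the parameterized one, because it escapes the wildcard, returns none. Error handling on the site should also return a generic message to the user and log the detail server-side, so that a syntax error never reveals query structure.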

Potential Consequences for the Company, Website, and Users

1. Company-Related Consequences:

- Financial Exposure: The possibility of regulatory fines, legal actions, and compensation claims may arise if a data breach occurs due to these vulnerabilities. Additionally, implementing security fixes can lead to increased operational costs.
- Reputation Risks: A security breach could erode customer confidence, making it challenging to retain current users and attract new ones. Rebuilding brand trust after such incidents can be time-consuming and costly.
- Operational Hurdles: Addressing vulnerabilities might require downtime, affecting normal business operations and possibly leading to a temporary drop in revenue.

2. Website-Related Consequences:

- Content Integrity: XSS vulnerabilities could result in unauthorized changes to the website, which may lead to a negative user experience and undermine the company's brand image.
- Service Interruptions: Mitigating these security issues could necessitate taking the website offline, impacting customer access and possibly affecting sales.
- SEO Challenges: A compromised website could be flagged by search engines, potentially resulting in lower rankings, decreased visibility, and reduced traffic.

3. User-Related Consequences:

- Data Privacy Risks: SQL Injection can expose users' personal and financial information, potentially leading to identity theft or financial fraud.
- Account Security Concerns: XSS vulnerabilities might allow attackers to access user sessions, enabling unauthorized actions on user accounts.
- Security Threats: Users may encounter phishing scams or malware distributed via exploited vulnerabilities, putting their devices and personal information at risk.

Impact Analysis

Impact on Users

- Stored XSS: This vulnerability can compromise user data, as attackers can steal cookies, session tokens, and other sensitive information, potentially leading to account hijacking.
- Reflected XSS: Users can be tricked into clicking malicious links that execute harmful scripts in their browsers, compromising personal data and potentially downloading malware.
- SQL Injection: Through SQL Injection, attackers can gain unauthorized access to user data stored in the database, leading to data theft or manipulation and exposing users to identity theft and privacy violations.

Impact on Website

- Data Breaches: SQL Injection vulnerabilities can lead to significant data breaches, affecting customer trust and potentially resulting in financial penalties.
- Website Defacement: XSS vulnerabilities could be exploited to alter website content, impacting brand reputation and user trust.
- Operational Downtime: Successful exploitation of these vulnerabilities could result in operational downtime, as servers may need to be taken offline to address breaches.

Pros and Cons of Current Vulnerabilities

- Pros (for attackers):
  - Easy exploitation with significant damage potential.
  - Opportunities for data theft, malware distribution, and unauthorized access.
- Cons (for your company):
  - Risks to customer trust and potential legal ramifications.
  - Possible financial losses due to data breaches and remediation efforts.

Potential Damages

If left unaddressed, these vulnerabilities can lead to substantial financial and reputational damage. A full data breach may lead to regulatory penalties, especially under GDPR and other data protection laws. Furthermore, website defacement or operational interruptions could harm customer trust and deter future users.

Screenshots and Evidence

Attached are screenshots that illustrate the vulnerabilities discovered. They demonstrate the execution of inserted scripts within the website and the exposure of backend code due to SQL Injection. These visuals should aid in understanding the severity of the issues.

[Screenshot: SQL injection]

[Screenshot: Reflected XSS]

[Screenshot: domain of the website obtained via XSS]

[Screenshot: cookies of the website obtained via XSS]

[Screenshot: Stored XSS after clicking the right-hand "Personal Assistance" button]

Conclusion

I recommend prioritizing the remediation of these vulnerabilities. Implementing input validation, output encoding, and parameterized SQL queries can prevent these attacks. Additionally, a bounty or reward in recognition of this security report would be greatly appreciated. I am more than willing to assist in further investigating these issues and verifying any patches applied.

Please reach out if you require further details or evidence regarding these vulnerabilities.
