Addressing Potential JavaScript Injection Vulnerabilities

Çağlar Arlı

I am working on a project involving an input form where customers enter their name and email to start a conversation with support. The form works well, but I've noticed some issues with the 'Name' input field. Specifically, I can use developer tools to modify the number of characters allowed in this field and insert JavaScript code, such as element.value="<script>alert('test');</script>".

When I enter this code as the username and an email address, I can start a chat with the name element.value="<script>alert('test');</script>", and everything functions correctly—I can send and receive messages without any issues. However, when I check the database, I see that the user's name is stored exactly as entered, including the JavaScript code.

My concerns are as follows:

1. Database Vulnerability: Is it a potential vulnerability that JavaScript code can be injected into the MySQL database through the name field? Could this be exploited to inject a large amount of JavaScript code into the database?

2. Execution of JavaScript Code: When generating statistical reports (since this is a call center server), the JavaScript code in the customer name gets executed, causing an alert window to appear on my screen. Can querying the database trigger the execution of this code? Does this indicate a vulnerability?

Any help or guidance on addressing these issues would be greatly appreciated.
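
Added example, not part of the original post: the database holds the name as inert text, and it only runs when the report page writes it into HTML unencoded, so the sketch below encodes at output and enforces the length limit on the server instead of trusting the form. The function names, the 64-character limit and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: names and limits here are assumptions, not the project's code.
const MAX_NAME_LENGTH = 64; // assumed server-side limit; the form's maxlength is only a hint

// Server-side check: runs no matter what was changed in the browser's developer tools.
function validateName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const name = raw.trim();
  if (name.length === 0) return { ok: false, reason: "empty" };
  if (name.length > MAX_NAME_LENGTH) return { ok: false, reason: "too long" };
  return { ok: true, name };
}

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable report row: the stored name is concatenated into markup as-is.
function renderRowUnsafe(row) {
  return "<tr><td>" + row.name + "</td><td>" + row.chats + "</td></tr>";
}

// Hardened report row: every value is encoded at the point it enters HTML.
function renderRowSafe(row) {
  return "<tr><td>" + escapeHtml(row.name) + "</td><td>" + escapeHtml(row.chats) + "</td></tr>";
}

// Constructed sample rows, as they might come back from the customers table.
const sampleRows = [
  { name: "Alice O'Neil", chats: 3 },
  { name: "<script>alert('test');</script>", chats: 1 },
];

for (const row of sampleRows) {
  console.log("unsafe:", renderRowUnsafe(row));
  console.log("safe:  ", renderRowSafe(row));
}
```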