Course

In this lab, you will explore a common XSS vulnerability that arises from trusting user-provided paths via the `$_SERVER['PHP_SELF']` variable. The developer uses this variable to build a form action URL, assuming it to be safe. However, attackers can manipulate the path to include XSS payloads, which are then echoed back into the page unescaped. This occurs because the server configuration allows access to `/index.php/...`, where the payload can be inserted after the slash.

The lab walks you through the source code of the affected application, demonstrating how the vulnerability can be exploited. By understanding the flow from `index.php` to `header.php` and `footer.php`, you will see how the XSS payload is injected and rendered. This highlights the importance of escaping all user-controlled input, even when it appears to be a trusted server-generated variable.