nuclei-templates/vulnerabilities/generic/basic-xss-prober.yaml

id: basic-xss-prober

info:
  name: Basic XSS Prober - Cross-Site Scripting
  author: nadino,geeknik
  description: A cross-site scripting vulnerability was discovered via generic testing. Manual testing is needed to verify exploitation.
  severity: low
  tags: xss,generic

  # Basic XSS prober
  # Manual testing needed for exploitation

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%61%27%22%3e%3c%69%6e%6a%65%63%74%61%62%6c%65%3e"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "\"><injectable>"
        part: body

      - type: word
        words:
          - "text/html"
        part: header

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/09/22
updated basic xss detection 2020-05-24 05:17:49 +00:00			`id: basic-xss-prober`

			`info:`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`name: Basic XSS Prober - Cross-Site Scripting`
Updated author names 2021-06-09 12:20:56 +00:00			`author: nadino,geeknik`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`description: A cross-site scripting vulnerability was discovered via generic testing. Manual testing is needed to verify exploitation.`
updated basic xss detection 2020-05-24 05:17:49 +00:00			`severity: low`
Update basic-xss-prober.yaml 2021-08-11 07:37:17 +00:00			`tags: xss,generic`
updated basic xss detection 2020-05-24 05:17:49 +00:00
Fix typo 2020-05-24 22:03:59 +00:00			`# Basic XSS prober`
			`# Manual testing needed for exploitation`
updated basic xss detection 2020-05-24 05:17:49 +00:00
			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/%61%27%22%3e%3c%69%6e%6a%65%63%74%61%62%6c%65%3e"`
matcher updates 2021-01-11 06:44:22 +00:00
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`matchers-condition: and`
updated basic xss detection 2020-05-24 05:17:49 +00:00			`matchers:`
			`- type: word`
			`words:`
Wasn't working because it was the wrong char changed the ' to " in matcher 2020-10-14 08:20:58 +00:00			`- "\"><injectable>"`
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`part: body`
Update basic-xss-prober.yaml 2020-11-02 15:25:36 +00:00
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`- type: word`
			`words:`
Update basic-xss-prober.yaml IMHO its better to test for text/html to report a possible XSS, there are a more content types that could cause reflect the content and dont have a XSS. like javascript, css, plaintext files, etc. 2020-12-02 03:11:07 +00:00			`- "text/html"`
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`part: header`
matcher updates 2021-01-11 06:44:22 +00:00
			`- type: status`
			`status:`
Update basic-xss-prober.yaml 2021-08-11 07:37:17 +00:00			`- 200`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00
			`# Enhanced by mp on 2022/09/22`