nuclei-templates/http/misconfiguration/xss-deprecated-header.yaml

id: xss-deprecated-header

info:
  name: XSS-Protection Header - Cross-Site Scripting
  author: joshlarsen
  severity: info
  description: Setting the XSS-Protection header is deprecated. Setting the header to anything other than `0` can actually introduce an XSS vulnerability.
  reference:
    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    - https://owasp.org/www-project-secure-headers/#x-xss-protection
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
  tags: xss,misconfig,generic
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:

      - type: regex
        part: header
        regex:
          - "(?i)x-xss-protection: 0"
        negative: true

      - type: regex
        part: header
        regex:
          - "(?i)x-xss-protection: 1+"

    extractors:
      - type: kval
        part: header
        kval:
          - x_xss_protection

# Enhanced by mp on 2022/09/15
Merge branch 'master' into dev 2022-09-22 07:28:46 +00:00			`id: xss-deprecated-header`
detect deprecated XSS Protection headers 2022-05-16 16:12:06 +00:00
			`info:`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`name: XSS-Protection Header - Cross-Site Scripting`
detect deprecated XSS Protection headers 2022-05-16 16:12:06 +00:00			`author: joshlarsen`
Update xss-deprecated-header.yaml 2022-09-21 08:50:57 +00:00			`severity: info`
Dashboard Content Enhancements (#5436) Dashboard Content Enhancements 2022-09-21 21:42:27 +00:00			description: Setting the XSS-Protection header is deprecated. Setting the header to anything other than `0` can actually introduce an XSS vulnerability.
detect deprecated XSS Protection headers 2022-05-16 16:12:06 +00:00			`reference:`
			`- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection`
			`- https://owasp.org/www-project-secure-headers/#x-xss-protection`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00			`classification:`
Dashboard Content Enhancements (#5436) Dashboard Content Enhancements 2022-09-21 21:42:27 +00:00			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N`
			`cvss-score: 0.0`
Update xss-deprecated-header.yaml 2022-05-17 08:06:53 +00:00			`tags: xss,misconfig,generic`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
detect deprecated XSS Protection headers 2022-05-16 16:12:06 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
detect deprecated XSS Protection headers 2022-05-16 16:12:06 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}"`

			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`part: header`
			`regex:`
			`- "(?i)x-xss-protection: 0"`
			`negative: true`

			`- type: regex`
			`part: header`
			`regex:`
			`- "(?i)x-xss-protection: 1+"`

			`extractors:`
			`- type: kval`
			`part: header`
			`kval:`
Update xss-deprecated-header.yaml 2022-05-17 08:06:53 +00:00			`- x_xss_protection`
Dashboard Content Enhancements (#5372) Dashboard Content Enhancements 2022-09-16 19:50:10 +00:00
			`# Enhanced by mp on 2022/09/15`