nuclei-templates/http/vulnerabilities/generic/basic-xss-prober.yaml

id: basic-xss-prober

info:
  name: Basic XSS Prober - Cross-Site Scripting
  author: nadino,geeknik
  severity: low
  description: A cross-site scripting vulnerability was discovered via generic testing. Manual testing is needed to verify exploitation.
  # Basic XSS prober
  # Manual testing needed for exploitation
  metadata:
    max-request: 1
  tags: xss,generic

http:
  - method: GET
    path:
      - "{{BaseURL}}/%61%27%22%3e%3c%69%6e%6a%65%63%74%61%62%6c%65%3e"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "\"><injectable>"
        part: body

      - type: word
        words:
          - "text/html"
        part: header

      - type: status
        status:
          - 200
updated basic xss detection 2020-05-24 05:17:49 +00:00			`id: basic-xss-prober`

			`info:`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`name: Basic XSS Prober - Cross-Site Scripting`
Updated author names 2021-06-09 12:20:56 +00:00			`author: nadino,geeknik`
updated basic xss detection 2020-05-24 05:17:49 +00:00			`severity: low`
templateman update 2023-10-14 11:27:55 +00:00			`description: A cross-site scripting vulnerability was discovered via generic testing. Manual testing is needed to verify exploitation.`
Fix typo 2020-05-24 22:03:59 +00:00			`# Basic XSS prober`
			`# Manual testing needed for exploitation`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: xss,generic`
updated basic xss detection 2020-05-24 05:17:49 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
updated basic xss detection 2020-05-24 05:17:49 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/%61%27%22%3e%3c%69%6e%6a%65%63%74%61%62%6c%65%3e"`
matcher updates 2021-01-11 06:44:22 +00:00
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`matchers-condition: and`
updated basic xss detection 2020-05-24 05:17:49 +00:00			`matchers:`
			`- type: word`
			`words:`
Wasn't working because it was the wrong char changed the ' to " in matcher 2020-10-14 08:20:58 +00:00			`- "\"><injectable>"`
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`part: body`
Update basic-xss-prober.yaml 2020-11-02 15:25:36 +00:00
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`- type: word`
			`words:`
Update basic-xss-prober.yaml IMHO its better to test for text/html to report a possible XSS, there are a more content types that could cause reflect the content and dont have a XSS. like javascript, css, plaintext files, etc. 2020-12-02 03:11:07 +00:00			`- "text/html"`
Update basic-xss-prober.yaml Hoping to cut down on false positives by ignoring reflections from JSON API endpoints 2020-11-02 15:04:05 +00:00			`part: header`
matcher updates 2021-01-11 06:44:22 +00:00
			`- type: status`
			`status:`
Update basic-xss-prober.yaml 2021-08-11 07:37:17 +00:00			`- 200`