2022-12-22 11:03:46 +00:00
|
|
|
id: xss-serialize-javascript
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: XSS Serialize Javascript
|
|
|
|
|
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
|
|
|
|
severity: info
|
|
|
|
|
description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
|
|
|
|
|
tags: file,nodejs,serialize,xss
|
|
|
|
|
file:
|
|
|
|
|
- extensions:
|
|
|
|
|
- all
|
|
|
|
|
matchers:
|
|
|
|
|
- type: regex
|
|
|
|
|
regex:
|
2023-06-28 05:09:08 +00:00
|
|
|
- "require\\('serialize-javascript'\\)"
|
2023-06-28 05:24:07 +00:00
|
|
|
- "\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)"
|
2022-12-22 11:03:46 +00:00
|
|
|
condition: or
|
|
|
|
|
|
|
|
|
|
- type: regex
|
|
|
|
|
negative: true
|
|
|
|
|
regex:
|
2023-06-28 05:09:08 +00:00
|
|
|
- "escape\\(.*?\\)"
|
|
|
|
|
- "encodeURI\\(.*?\\)"
|
2022-12-22 11:03:46 +00:00
|
|
|
condition: or
|
2023-10-20 11:41:13 +00:00
|
|
|
|
|
|
|
|
# digest: 4b0a00483046022100c969127d5164e847745c08918d013ec03653d1ebd3df975a2ebba346eabc86ca022100eb6452e18b4c019fede7e45505c43395c0a854ec7842beb502dfed933b126877:922c64590222798bb761d5b6d8e72950
|
