nuclei-templates/file/nodejs/xss-serialize-javascript.yaml

id: xss-serialize-javascript

info:
  name: XSS Serialize Javascript
  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
  severity: info
  description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
  tags: file,nodejs,serialize,xss

file:
  - extensions:
      - all

    matchers:
      - type: regex
        regex:
          - "require\\('serialize-javascript'\\)"
          - "\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)"
        condition: or

      - type: regex
        negative: true
        regex:
          - "escape\\(.*?\\)"
          - "encodeURI\\(.*?\\)"
        condition: or
Create xss-serialize-javascript.yaml 2022-12-22 11:03:46 +00:00			`id: xss-serialize-javascript`

			`info:`
			`name: XSS Serialize Javascript`
			`author: me_dheeraj (https://twitter.com/Dheerajmadhukar)`
			`severity: info`
			description: Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
			`tags: file,nodejs,serialize,xss`

			`file:`
			`- extensions:`
			`- all`

			`matchers:`
			`- type: regex`
			`regex:`
Update xss-serialize-javascript.yaml 2023-06-28 05:09:08 +00:00			`- "require\\('serialize-javascript'\\)"`
Update xss-serialize-javascript.yaml 2023-06-28 05:24:07 +00:00			`- "\\$S\\(\\.\\*?, \\{unsafe: true\\}\\)"`
Create xss-serialize-javascript.yaml 2022-12-22 11:03:46 +00:00			`condition: or`

			`- type: regex`
			`negative: true`
			`regex:`
Update xss-serialize-javascript.yaml 2023-06-28 05:09:08 +00:00			`- "escape\\(.*?\\)"`
			`- "encodeURI\\(.*?\\)"`
Create xss-serialize-javascript.yaml 2022-12-22 11:03:46 +00:00			`condition: or`