2024-03-16 18:44:49 +00:00
|
|
|
id: reflected-xss
|
|
|
|
|
|
|
|
|
|
info:
|
2024-06-05 07:21:31 +00:00
|
|
|
name: Reflected Cross-Site Scripting
|
|
|
|
|
author: pdteam,0xKayala
|
2024-03-16 18:44:49 +00:00
|
|
|
severity: medium
|
2024-06-07 10:04:29 +00:00
|
|
|
metadata:
|
|
|
|
|
max-request: 1
|
2024-03-23 09:32:51 +00:00
|
|
|
tags: xss,rxss,dast
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
variables:
|
|
|
|
|
first: "{{rand_int(10000, 99999)}}"
|
|
|
|
|
|
|
|
|
|
http:
|
2024-03-31 19:55:42 +00:00
|
|
|
- pre-condition:
|
2024-03-26 07:21:56 +00:00
|
|
|
- type: dsl
|
|
|
|
|
dsl:
|
|
|
|
|
- 'method == "GET"'
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
payloads:
|
|
|
|
|
reflection:
|
2024-06-14 13:37:34 +00:00
|
|
|
- "'\"><{{first}}>"
|
|
|
|
|
- "'><{{first}}>"
|
|
|
|
|
- "\"><{{first}}>"
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
|
- part: query
|
|
|
|
|
type: postfix
|
|
|
|
|
mode: single
|
|
|
|
|
fuzz:
|
|
|
|
|
- "{{reflection}}"
|
|
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
|
|
|
|
matchers-condition: and
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body
|
|
|
|
|
words:
|
|
|
|
|
- "{{reflection}}"
|
|
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
|
part: header
|
|
|
|
|
words:
|
2024-06-14 13:37:34 +00:00
|
|
|
- "text/html"
|
2024-06-15 06:26:50 +00:00
|
|
|
# digest: 4b0a00483046022100fe9d1b6a33bc101017c0dabac57b282164ad7a316747fb641b1be7dd534178b2022100b1b90ca968e766279c306212b849ce875ae2beaced34248794387b56192c1878:922c64590222798bb761d5b6d8e72950
|
