Create express-xss.yaml
parent
df72420cb0
commit
419aebda71
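--- a/express-xss.yaml
+++ b/express-xss.yaml
@@ -0,0 +1,48 @@
+id: express-xss
+
+info:
+name: Express XSS
+author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
+severity: info
+description: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
+tags: file,nodejs,express,xss
+
+file:
+- extensions:
+- all
+
+matchers:
+- type: regex
+regex:
+- "function \\($REQ, $RES, ...\\) {...}"
+- "function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}"
+- "\\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}"
+- "var \\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}\\;"
+- "\\$APP\\.\\$METHOD\\(..., function \\$FUNC\\(\\$REQ, \\$RES, ...\\)"
+- "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
+- "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)"
+- "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
+- "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)"
+- "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+- "\\$RES\\.write\\(..., <... $LOCALVAR ...>, ...\\)"
+- "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;"
+- "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+- "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;"
+- "\\$RES\\.write\\(..., <... \\$LOCALVAR ...>, ...\\)"
+- "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;"
+- "\\$RES\\.send\\(..., <... \\$LOCALVAR ...>, ...\\)"
+- "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY ...>\\;"
+- "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;"
+- "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>}\\;"
+- "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>}\\;"
+- "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;"
+- "\\$LOCALVAR\\.push\\(<... \\$REQ\\.\\$QUERY ...>\\)"
+- "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+- "\\$ARR\\.push\\(<... \\$LOCALVAR ...>\\)"
+- "\\$RES\\.write\\(..., <... \\$ARR ...>, ...\\)"
+- "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+- "\\$RES\\.send\\(..., <... \\$ARR ...>, ...\\)"
+- "\\$RES\\.write\\(..., <... \\$OUT ...>, ...\\)"
+- "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;"
+- "\\$OUT = <... \\$LOCALVAR ...>\\;"
+condition: or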
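Review bot: The entries under `regex:` are Semgrep pattern syntax (`$REQ`/`$RES` metavariables, `...`, `<... ...>`) rather than regular expressions, so a `type: regex` matcher will not find reflected input in real Express source. As regex, `\\$REQ` matches only the literal text `$REQ`, the unescaped `$REQ, $RES` in the first entry and `$LOCALVAR` in one `write` entry are end-of-line anchors followed by letters and can never match, and `...` is just three arbitrary characters. A template that reports nothing on vulnerable handlers reads as a clean scan, so I would either keep this rule in Semgrep, where the metavariables and the assignment-then-sink steps work, or replace the list with real sink/source expressions, for example (constructed sketch) `- "res\\.(send|write)\\([^)]*req\\.(query|params|body)"`. Several entries are also repeated verbatim (`\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;` appears four times), and with `condition: or` the bare handler-signature patterns would flag every route if they did match, since each line is evaluated on its own rather than as context for the sink.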