Merge pull request #10253 from projectdiscovery/servicenow-title-injection

Service Now - Title Injection
2024-07-15 10:16:11 +05:30 · 2024-07-15 10:16:11 +05:30 · a0484bf281
parent e9c5ae4bf5 cc3bb11f76
commit a0484bf281
1 changed files with 44 additions and 0 deletions
--- a/http/misconfiguration/servicenow-title-injection.yaml
+++ b/http/misconfiguration/servicenow-title-injection.yaml
@ -0,0 +1,44 @@
+id: servicenow-title-injection
+
+info:
+  name: Service Now - Title Injection
+  author: DhiyaneshDk
+  severity: high
+  reference:
+    - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
+  classification:
+    cpe: cpe:2.3:a:servicenow:servicenow:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: servicenow
+    product: servicenow
+    shodan-query:
+      - http.favicon.hash:1701804003
+      - http.title:"servicenow"
+    fofa-query:
+      - icon_hash=1701804003
+      - title="servicenow"
+    google-query: intitle:"servicenow"
+  tags: cve,cve2024,servicenow,injection
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login.do?jvar_page_title=<style><foo>Injected Title</foo></style>"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title><style><foo>Injected Title</foo></style></title>'
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200