daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create addeventlistener-detect

patch-1
Ritik Chaddha 2023-03-15 21:39:51 +05:30 committed by GitHub
parent acb378430e
commit a8e77ba0b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
miscellaneous/addeventlistener-detect Normal file
View File

@ -0,0 +1,25 @@
id: addeventlistener-detect
info:
name: DOM EventListener - Cross-Site Scripting
author: yavolo,dwisiswant0
severity: info
description: EventListener contains a cross-site scripting vulnerability via the document object model (DOM). An attacker can execute arbitrary script which can then allow theft of cookie-based authentication credentials and launch of other attacks.
reference:
- https://portswigger.net/web-security/dom-based/controlling-the-web-message-source
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cwe-id: CWE-79
tags: xss,misc
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: regex
part: body
regex:
- (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118