id: fuzz-header-basic

info:
  name: fuzz header basic
  author: pdteam
  severity: info
  description: |
    In this template we check for any reflection when fuzzing Origin header

variables:
  first: "{{rand_int(10000, 99999)}}"

http:
  - raw:
      - |
        GET /?x=aaa&y=bbb HTTP/1.1
        Host: {{Hostname}}
        Origin: https://example.com
        X-Fuzz-Header: 1337
        Cookie: z=aaa; bb=aaa
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Language: en-US,en;q=0.9
        Connection: close

    payloads:
      reflection:
        - "'\"><{{first}}"

    fuzzing:
      - part: headers
        type: replace
        mode: single
        keys: ["Origin"]
        fuzz:
          - "{{reflection}}"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{reflection}}"

      - type: word
        part: header
        words:
          - "text/html"