Closed akincibor closed 1 year ago
We can also add xss to tags and maybe optimize the matchers
Hi @akincibor
Thank you for your time and contribution to this project. This seems to be a very good idea to include a template like this in Nuclei, but I am not sure if we can include XSS payloads in the template for testing cache poisoning, since it can be potentially impactful.
But I suggest using this template, which is for web cache poisoning with an unkeyed header and only checks for one header with a normal payload. This will only be used for detection purposes, as issues like this need manual work and should be tested on a unique endpoint which is not visited by normal users :)
```yaml
id: cache-poisoning-unkeyed-header

info:
  name: Cache Poisoning
  author: melbadry9,xelkomy,akincibor
  severity: low

requests:
  - raw:
      # Request 1: seed the cache with the canary host via candidate unkeyed headers.
      # Host header added so nuclei's raw request resolves against the target.
      - |
        GET /?mel=9 HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Prefix: cache.melbadry9.com
        X-Forwarded-Host: cache.melbadry9.com
        X-Forwarded-For: cache.melbadry9.com

      # Request 2: same cache key, no injected headers; a poisoned cache replays the canary.
      - |
        GET /?mel=9 HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.melbadry9.com") == true'
```
I have tested this template on the PortSwigger lab "Web cache poisoning with an unkeyed header" and the template seems to be working perfectly :) @princechaddha @ehsandeep
Thanks, tess
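The two-request check the template above performs, written out as an added Python example (not code from nuclei-templates or the comment author) so the logic can be run offline: request 1 sends a canary in the candidate unkeyed headers, request 2 repeats the same cache key without them, and the canary showing up in response 2 means the cache served a poisoned entry. `SimulatedCache`, `detect_unkeyed_header_poisoning` and the `example.test` host are constructed for this example; the simulated cache keys on the URL only unless `vary_on` lists the header, which is the mitigation.

```python
from typing import Callable, Dict, Tuple
from uuid import uuid4

Response = Tuple[int, str]
Fetch = Callable[[str, Dict[str, str]], Response]

CANARY = "cache.melbadry9.com"
UNKEYED_HEADERS = ("X-Forwarded-Prefix", "X-Forwarded-Host", "X-Forwarded-For")


def detect_unkeyed_header_poisoning(fetch: Fetch, base_url: str,
                                    cache_buster: str = "") -> bool:
    """Two-request check: request 1 sends the canary in candidate unkeyed
    headers, request 2 repeats the same cache key with no such header. If
    the canary comes back in response 2 the cache served a poisoned entry.
    A fresh cache buster keeps the probe off entries real users receive."""
    buster = cache_buster or uuid4().hex
    url = f"{base_url}?mel={buster}"
    fetch(url, {h: CANARY for h in UNKEYED_HEADERS})   # request 1: seed
    _status, body_2 = fetch(url, {})                   # request 2: plain
    return CANARY in body_2   # same test as contains(body_2, canary)


class SimulatedCache:
    """Constructed origin-plus-cache for offline runs (not a real server).
    The origin reflects X-Forwarded-Host into a script URL; the cache keys
    on the URL only, unless `vary_on` lists the header (the mitigation)."""

    def __init__(self, vary_on=()):
        self.vary_on = tuple(vary_on)
        self.store: Dict[tuple, Response] = {}

    @staticmethod
    def _origin(headers: Dict[str, str]) -> Response:
        host = headers.get("X-Forwarded-Host", "example.test")
        return 200, f'<script src="//{host}/static/app.js"></script>'

    def fetch(self, url: str, headers: Dict[str, str]) -> Response:
        key = (url,) + tuple(headers.get(h, "") for h in self.vary_on)
        if key not in self.store:               # cache miss: ask the origin
            self.store[key] = self._origin(headers)
        return self.store[key]                  # cache hit: replay stored body
```

Against the unkeyed simulated cache the check returns True; once the cache varies on `X-Forwarded-Host` the second request gets a clean entry and it returns False.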
Template Information:
The base was taken from `id: cache-poisoning`, which is just info, but in time this can be escalated to stored XSS with severity high.
Nuclei Template:
This script finds stored XSS on a REDACTED domain; here is the source code where it was stored (some are URL encoded). This source code has generated 4 stored XSS.
And some on Drupal settings: