projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

response discrepancy issue with headless protocol #3923

Open ehsandeep opened 1 year ago

ehsandeep commented 1 year ago

Nuclei version:

latest, dev

Current Behavior:

headless response with encoded html tags

image

Expected Behavior:

same as actual dom

image

Steps To Reproduce:

```bash
echo "http://pdteam.amanrawat.in/xss.html?q=test" | ./nuclei -t dom-xss.yaml -headless -debug
```

dom-xss.yaml:

```yaml
id: dom-xss

info:
  name: DOM Cross Site Scripting
  author: theamanrawat
  severity: medium
  tags: xss,dom,dast

variables:
  first: "{{rand_int(10000, 99999)}}"

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"
      - action: waitload

    payloads:
      reflection:
        - "'\"><{{first}}"

    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - "{{reflection}}"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{reflection}}"

      - type: word
        part: header
        words:
          - "text/html"
```

ehsandeep commented 1 year ago

Another example is where the actual response is HTML encoded and nuclei sees it as unencoded.

test2.yaml:

```yaml
id: reflected-xss
info:
  name: test
  author: test
  severity: info
headless:
  - steps:
      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload
    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - '">'
    matchers:
      - type: word
        part: body
        words:
          - ">"
```

```bash
nuclei -t test2.yaml -u 'https://activities.marriott.com/berlin-p/things-to-do?query=ID%3A0PG28IPO005H4"><pwnd>' -headless
```

Original response:

image

Nuclei headless in debug mode:

image

iambouali commented 1 year ago

Hello @tarunKoyalwar, any update on this?

MetzinAround commented 11 months ago

Hi @ehsandeep. Bumping this to see if there's any update on the progress of this bug.

Mzack9999 commented 11 months ago

I don't think this is a bug but rather the standard behaviour of browsers. The code visible within the browser preview of the DOM is a fake version of the raw unescaped one. Under the hood the real raw code is the same retrieved by nuclei. Still, within the code it would be appropriate to change:

```go
html, err := page.Page().Element("html")
if err == nil {
    responseBody, _ = html.HTML()
}
```

to just (ref. https://github.com/go-rod/rod/issues/897)

```go
html, err := page.Page().HTML()
```

This can be verified by manually copying the expected version from the browser and pasting it into any editor (like Sublime Text): the copied data should match the nuclei unencoded/unescaped one.

iambouali commented 11 months ago

If it is not a bug, then the template is not correct and the match should follow the pattern of this response:

SCR-20231130-bhlf

`<rnd></rnd>` when input is `"><rnd>`
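
Whichever body nuclei ends up matching against, a matcher that checks whether the random marker actually became an element (rather than string-matching the raw payload) gives the same verdict on the raw response and on the browser's re-serialized DOM, where a `"><rnd>` reflected into text comes back as `"&gt;<rnd></rnd>`. The following is an added example, not nuclei's code or code from anyone in this thread; it uses only Python's standard library, and the marker `rnd7x1` and the three sample bodies are constructed.

```python
from html.parser import HTMLParser

MARKER = "rnd7x1"  # constructed; stands in for nuclei's {{rand_int(...)}} value


class _MarkerScanner(HTMLParser):
    """Records whether the marker occurs as an element or only inside text."""

    def __init__(self, marker: str) -> None:
        super().__init__(convert_charrefs=True)  # decode &lt; &gt; &quot; into data
        self.marker = marker.lower()
        self.as_element = False
        self.as_text = False

    def handle_starttag(self, tag, attrs):
        if tag == self.marker:  # the parser lowercases tag names
            self.as_element = True

    def handle_data(self, data):
        if self.marker in data.lower():
            self.as_text = True


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """'markup' if the marker became an element (input broke out of its context),
    'text' if it only survived as character data (neutralised), else 'absent'."""
    scanner = _MarkerScanner(marker)
    scanner.feed(body)
    scanner.close()
    if scanner.as_element:
        return "markup"
    return "text" if scanner.as_text else "absent"


def literal_match(body: str, payload: str) -> bool:
    """The naive word matcher used by the templates in this issue."""
    return payload in body


# Constructed bodies for one injected query value: "><rnd7x1>
RAW_UNESCAPED = '<p>Results for: "><rnd7x1></p>'                 # raw HTTP response
DOM_SERIALIZED = '<p>Results for: "&gt;<rnd7x1></rnd7x1></p>'    # browser's outerHTML of the same page
SERVER_ESCAPED = '<p>Results for: &quot;&gt;&lt;rnd7x1&gt;</p>'  # server HTML-encoded the input

if __name__ == "__main__":
    payload = '"><rnd7x1>'
    for name, body in (("raw", RAW_UNESCAPED), ("dom", DOM_SERIALIZED), ("escaped", SERVER_ESCAPED)):
        print(f"{name:8} literal={literal_match(body, payload)!s:5} verdict={classify_reflection(body)}")
```

The literal matcher only fires on the raw body, while the element check reports `markup` for both the raw and the DOM-serialized forms and `text` for the server-escaped one.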

iambouali commented 11 months ago

In my opinion it is fine like this, the issue seems in the template :)