Vulnerability Description
Detects DOM-based Cross Site Scripting (XSS) vulnerabilities.
id: dom-xss

info:
  name: DOM Cross Site Scripting
  author: theamanrawat,AmirHossein Raeisi,dwisiswant0
  severity: medium
  description: |
    Detects DOM-based Cross Site Scripting (XSS) vulnerabilities.
  impact: |
    Allows attackers to execute malicious scripts in the victim's browser.
  remediation: |
    Sanitize and validate user input to prevent script injection.
  tags: xss,dom,dast,headless,vuln

variables:
  num: "{{rand_int(10000, 99999)}}"

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"

      - action: waitdialog
        name: reflected

    payloads:
      reflection:
        - "'\"><script>alert({{num}})</script>"

    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - "{{url_encode(reflection)}}"

      - part: path
        type: postfix
        mode: single
        fuzz:
          - "{{reflection}}"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - reflected == true
          - reflected_message == num
        condition: and
# digest: 4a0a00473045022100ab7d3e31b10ba461a1b5c8d1d880d83ed088b9d9e1f748c2f9e5a02a9873bc9d02205c4add73ab166492aa535bae434b5fe7c03e51edc0c87e158e03be50a4ad0e82:922c64590222798bb761d5b6d8e72950