file-missing-nginx-xss-protection: Missing Nginx XSS Protection

日期: 2025-08-01 | 影响软件: Nginx | POC: 已公开

漏洞描述

Ensures that XSS protection is enabled in Nginx by checking for the 'X-XSS-Protection' header.

PoC代码[已公开]

id: file-missing-nginx-xss-protection

info:
  name: Missing Nginx XSS Protection
  author: pussycat0x
  severity: high
  description: |
    Ensures that XSS protection is enabled in Nginx by checking for the 'X-XSS-Protection' header.
  reference:
    - https://wiki.devsecopsguides.com/docs/checklists/nginx/
    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
  metadata:
    verified: true
  tags: audit,file,nginx,hardening

file:
  - extensions:
      - conf

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "http"
          - "events"
        condition: and

      - type: word
        words:
          - 'add_header X-XSS-Protection'
          - 'mode=block'
        condition: and
        negative: true
# digest: 4a0a0047304502203fd4524eeb1648448330a15368b0b044eacc605b736f50597020491cf5537ab80221009089e89873ef07800646393299c6ceaaae76b666097ce8106a4ba804ce271907:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./file/audit/nginx/file-missing-nginx-xss-protection.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐