
fix: template for CVE-2021-30151

Open pentesttools-com opened this issue 9 months ago • 2 comments

Template / PR Information

  • Fixed CVE-2021-30151

The template checked only if the payload was present in the response and not if it's actually an XSS. Now, the detection injects a payload that outputs a string, and matches only when the string is found in the page.

Template Validation

I've validated this template locally?

  • [x] YES
  • [ ] NO

pentesttools-com, Sep 26 '23 06:09

Hi @pentesttools-com,

The response time for this PR was much longer than usual. Thank you for taking the time to fix the template. However, the document.write would only work when the URL is rendered in a headless browser. Since the template isn't using headless, it wouldn't work and would simply match any host that reflects the string. Did you get any false positive results from this template? If yes, then we can consider using a stricter matcher.

princechaddha, Oct 28 '23 07:10

Hi!

No worries! Thanks for making time to respond here.

Yes, we've got false positives with this template. In our case the code would be injected inside a place of the HTML where the JavaScript code wouldn't be run. That's why I was thinking of using document.write and then matching for the expected output rather than matching for the JavaScript code. Because we match using "\n" instead of "<br>", it shouldn't get tricked by a host that simply reflects the given string.

pentesttools-com, Oct 31 '23 09:10
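The false-positive problem discussed in the PR description and in the last comment (payload text reflected, but in a place where it is never parsed as a script) can be shown without a headless browser. The following is an added illustration, not code from nuclei-templates or from either participant: it compares the old "payload is present" matcher with a stricter, context-aware check over constructed sample responses; the marker string and the HTML bodies are assumptions.

```python
from html.parser import HTMLParser

# Constructed samples (not from the original PR). MARKER stands in for
# whatever string the template's document.write payload would output.
MARKER = "nuclei-xss-marker"
PAYLOAD = f"<script>document.write('{MARKER}')</script>"

# Reflected as a live <script> element: a browser would execute it.
EXECUTABLE = f"<html><body><p>Results for {PAYLOAD}</p></body></html>"
# Reflected inside <title>: raw payload present, never run as script.
INERT_TITLE = f"<html><head><title>Search: {PAYLOAD}</title></head></html>"
# Reflected inside a quoted attribute value: also never executed.
INERT_ATTR = f'<html><body><input value="{PAYLOAD}"></body></html>'


def naive_match(body: str) -> bool:
    """The matcher the PR replaced: true whenever the payload text is reflected."""
    return PAYLOAD in body


class ScriptContextFinder(HTMLParser):
    """Records whether a <script> start tag is parsed while no raw-text
    element (title/textarea) is open. Comments and attribute values never
    yield start tags, so reflections there are excluded automatically."""
    RAW_TEXT = {"title", "textarea"}

    def __init__(self):
        super().__init__()
        self.stack = []          # currently open element names
        self.live_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not (self.RAW_TEXT & set(self.stack)):
            self.live_script = True
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass


def reflected_in_executable_context(body: str) -> bool:
    """Stricter check: payload reflected AND its <script> parsed as an element."""
    if PAYLOAD not in body:
        return False
    finder = ScriptContextFinder()
    finder.feed(body)
    return finder.live_script
```

The naive matcher flags all three samples; the context-aware one flags only the first, which is the class of false positive the thread describes, though only a real (headless) execution would confirm the script actually runs.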