
response discrepancy issue with headless protocol

Open ehsandeep opened this issue 1 year ago • 6 comments

Nuclei version:

latest, dev

Current Behavior:

headless response with encoded HTML tags

[screenshot omitted]

Expected Behavior:

same as actual DOM

[screenshot omitted]

Steps To Reproduce:

echo "http://pdteam.amanrawat.in/xss.html?q=test" | ./nuclei -t dom-xss.yaml -headless -debug

dom-xss.yaml
id: dom-xss

info:
  name: DOM Cross Site Scripting
  author: theamanrawat
  severity: medium
  tags: xss,dom,dast

variables:
  first: "{{rand_int(10000, 99999)}}"

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"
      - action: waitload

    payloads:
      reflection:
        - "'\"><{{first}}"

    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - "{{reflection}}"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{reflection}}"

      - type: word
        part: header
        words:
          - "text/html"

ehsandeep avatar Jul 12 '23 12:07 ehsandeep

Another example is where the actual response is HTML encoded and nuclei sees it as unencoded.

test2.yaml
id: reflected-xss

info:
  name: test
  author: test
  severity: info

headless:
  - steps:
      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload

    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - '"><pwnd>'

    matchers:
      - type: word
        part: body
        words:
          - "><pwnd>"

nuclei -t test2.yaml -u 'https://activities.marriott.com/berlin-p/things-to-do?query=ID%3A0PG28IPO005H4"><pwnd>' -headless

Original response:

[screenshot omitted]

Nuclei headless in debug mode:

[screenshot omitted]

ehsandeep avatar Jul 30 '23 13:07 ehsandeep

Hello @tarunKoyalwar, any update on this?

iambouali avatar Aug 13 '23 22:08 iambouali

Hi @ehsandeep. Bumping this to see if there's any update on the progress of this bug.

MetzinAround avatar Nov 29 '23 16:11 MetzinAround

I don't think this is a bug but rather the standard behaviour of browsers. The code visible within the browser preview of the DOM is a fake version of the raw unescaped one. Under the hood the real raw code is the same as the one retrieved by nuclei. Still, within the code it would be appropriate to change:

// serializes only the <html> element (outerHTML), which drops the doctype
html, err := page.Page().Element("html")
if err == nil {
	responseBody, _ = html.HTML()
}

to just (ref. https://github.com/go-rod/rod/issues/897)

// rod's Page.HTML() serializes the whole document in a single call
html, err := page.Page().HTML()
if err == nil {
	responseBody = html
}

This can be verified by manually copying from the browser the expected version and pasting it on any editor (like sublimetext), the copied data should match the nuclei unencoded/unescaped one.

Mzack9999 avatar Nov 29 '23 17:11 Mzack9999
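The point made above is that a headless matcher never sees the raw response bytes; it sees the browser's re-serialization of the parsed DOM, and the serialization rules differ from the raw text in both directions. The following is an added example (not nuclei or rod code) that mimics an HTML parser plus the DOM serialization rules for text and attribute values, and runs the `"><pwnd>` probe from the second template through it. The three sample bodies are constructed here, not captured from any real site; `has_element` is an illustrative tree check rather than a nuclei matcher type.

```python
"""Mimic how a browser parses a raw response and re-serializes the DOM
(what rod's Page.HTML / Element.outerHTML return), to show why a word
matcher written against the raw reflection misses or false-positives on
a headless body.  Added example; not nuclei or rod code.  The sample
responses below are constructed, not captured from any real site."""
from html.parser import HTMLParser

# HTML void elements: serialized with no end tag
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


class Node:
    def __init__(self, tag, attrs=()):
        self.tag = tag            # None for the document root
        self.attrs = list(attrs)  # [(name, value-or-None)]
        self.children = []        # Node or str


class TreeBuilder(HTMLParser):
    """Builds a minimal element tree; like a browser it decodes entities in
    attribute values and text while parsing (convert_charrefs=True)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = Node(None)
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_startendtag(self, tag, attrs):
        # '<x/>' on a non-void element is just a start tag to an HTML parser
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        # close up to the matching open element; stray end tags are ignored
        if any(n.tag == tag for n in self.stack[1:]):
            while self.stack.pop().tag != tag:
                pass

    def handle_data(self, data):
        self.stack[-1].children.append(data)


def escape_attr(value):
    # DOM serialization: attribute values escape only &, nbsp and "
    return (value.replace("&", "&amp;").replace("\xa0", "&nbsp;")
            .replace('"', "&quot;"))


def escape_text(text):
    # ... while text nodes escape &, nbsp, < and >
    return (text.replace("&", "&amp;").replace("\xa0", "&nbsp;")
            .replace("<", "&lt;").replace(">", "&gt;"))


def serialize(node):
    if isinstance(node, str):
        return escape_text(node)
    out = []
    if node.tag is not None:
        attrs = "".join(f' {k}="{escape_attr(v)}"' if v is not None else f" {k}"
                        for k, v in node.attrs)
        out.append(f"<{node.tag}{attrs}>")
    out.extend(serialize(c) for c in node.children)
    if node.tag is not None and node.tag not in VOID:
        out.append(f"</{node.tag}>")
    return "".join(out)


def parse(raw):
    builder = TreeBuilder()
    builder.feed(raw)
    builder.close()
    return builder.root


def dom_html(raw):
    """The serialized DOM a headless matcher actually sees for a raw body."""
    return serialize(parse(raw))


def has_element(raw, tag):
    """Robust check: did the probe tag become a real element in the DOM?"""
    def walk(node):
        return isinstance(node, Node) and (
            node.tag == tag or any(walk(c) for c in node.children))
    return walk(parse(raw))


# Constructed sample bodies for the probe "><pwnd>
RAW_ATTR_UNESCAPED = '<input value="ID:0"><pwnd>">'             # breaks out of the attribute
RAW_ATTR_ENCODED = '<input value="ID:0&quot;&gt;&lt;pwnd&gt;">'  # server entity-encoded it
RAW_TEXT_UNESCAPED = '<p>Results for "><pwnd></p>'               # reflected in a text node

if __name__ == "__main__":
    for raw in (RAW_ATTR_UNESCAPED, RAW_ATTR_ENCODED, RAW_TEXT_UNESCAPED):
        body = dom_html(raw)
        print(raw, "->", body,
              "| '><pwnd>' substring:", "><pwnd>" in body,
              "| <pwnd> element:", has_element(raw, "pwnd"))
```

Two things fall out of running it. The unescaped text-context reflection serializes as `<pwnd></pwnd>` (the `<rnd></rnd>` form mentioned later in this thread), so the raw word `"><pwnd>` never matches a headless body even when the injection worked. Conversely, the entity-encoded attribute reflection is decoded on parse and, because attribute values are serialized without escaping `<` or `>`, comes back as `value="ID:0&quot;><pwnd>"`, so a plain `><pwnd>` word matcher fires on a body where the injection was neutralized. For headless templates the dependable signal is the presence of the probe element in the DOM, not the raw payload string.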

If it is not a bug, then the template is not correct and the match should follow the pattern of this response:

[screenshot omitted]

<rnd></rnd> when input is "><rnd>

iambouali avatar Nov 29 '23 23:11 iambouali

In my opinion it is fine like this, the issue seems in the template :)

iambouali avatar Nov 29 '23 23:11 iambouali