Description
First of all, kudos to you for bringing the Nuclei integration. reNgine is now my go to tool 🙌
No match for any other framework I've used...
Issue Summary
I came across a Stored XSS while doing vulnerability scans, at the following endpoint: start_scan/detail/vuln
More specifically, the vulnerable link is not sanitized properly before it is rendered into the Django template on the Vulnerability Scan Results page, so if a Nuclei template, or the vulnerable link itself, contains an XSS payload, it gets executed.
Attack scenarios:
- Malicious Nuclei template.
- Malicious page title.
Steps to Reproduce
- Perform a vulnerability scan on a page with XSS payloads
- A reflected XSS payload fires (or a false positive is reported)
- Example case: the URL
https://www.test.com/?fccc0%22%3E%3Cscript%3Ealert(1)%3C/script%3E5f43d=1
shows up in the vulnerable URLs; reNgine renders the script tag and the alert is triggered as soon as the page loads
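Added example (my own code, not from the reNgine project or this report) showing why the finding needs context-aware escaping: interpolating the reported URL into the template as-is lets its tags through, while HTML-escaping it for both the href attribute and the link text, plus an http(s) scheme check, neutralises it. It assumes the scanner stored the URL percent-decoded; the function names are hypothetical.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample: the URL from the report, percent-decoded the way a
# scanner might store it after a reflected-XSS hit (assumption).
REPORTED_URL = unquote(
    "https://www.test.com/?fccc0%22%3E%3Cscript%3Ealert(1)%3C/script%3E5f43d=1"
)


def render_unsafe(url: str) -> str:
    # Mirrors a template that treats the scanner finding as trusted HTML
    # (no escaping): the stored value lands verbatim in the page.
    return f'<a href="{url}">{url}</a>'


def render_safe(url: str) -> str:
    # Defensive rendering: escape for both attribute and text context
    # (quote=True also encodes double quotes, which matters inside href),
    # and refuse non-http(s) schemes, since escaping alone does not stop a
    # script-scheme URL from being a live link.
    scheme = urlsplit(url).scheme.lower()
    escaped = html.escape(url, quote=True)
    if scheme not in ("http", "https"):
        return f"<span>{escaped}</span>"
    return f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>'


def contains_script_tag(rendered: str) -> bool:
    # Detection helper: did a raw <script> tag survive rendering?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(REPORTED_URL))
    print("safe   :", render_safe(REPORTED_URL))
```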
Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?
- I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes
Technical details
Please list out any technical details such as operating environment.
reNgine latest release deployed on Docker