feat(fuzz): add XSS context analyzer for reflection-based detection #7072
Open
teredasites wants to merge 2 commits into projectdiscovery:dev from
Hosts on platforms like Shodan sometimes act as honeypots by returning
responses that match many unrelated nuclei templates, producing noisy
false positives. This adds per-host tracking of unique template matches
and flags hosts that exceed a configurable threshold.
New CLI flags (in output group):
-honeypot-threshold / -hpt : unique match count before flagging (0=off)
-honeypot-suppress / -hpsu : suppress results from flagged hosts
Implementation:
- pkg/honeypot: self-contained Detector with thread-safe tracking,
host normalization (URL/host:port/IPv6), memory cleanup after
flagging, warn-once logging, and end-of-scan summary
- pkg/output: integrates detector into StandardWriter.Write() to
record matches and optionally suppress output
- pkg/types: adds HoneypotThreshold and HoneypotSuppress options
- cmd/nuclei: registers the two new CLI flags
Closes projectdiscovery#6403
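The per-host tracking described in this commit message, as an added Python example that is not the PR's Go implementation: HoneypotDetector, normalize_host, the flag-on-exceed rule and the logging call that stands in for nuclei's warn-once output are all assumptions of the example.

```python
import logging
import threading
from urllib.parse import urlsplit


def normalize_host(target):
    # Accept "https://h:8443/p", "h:8443", "[2001:db8::1]:443", a bare IPv6 literal
    # or a bare host, and return a canonical "host" / "host:port" key (lowercased,
    # IPv6 kept in brackets) so one honeypot is counted once however it was written.
    if target.count(":") > 1 and "[" not in target and "://" not in target:
        target = "[" + target + "]"  # bare IPv6 literal without brackets
    if "://" not in target:
        target = "//" + target  # let urlsplit treat the input as an authority
    parts = urlsplit(target)
    host = parts.hostname or ""
    if ":" in host:
        host = "[" + host + "]"
    return host + (":" + str(parts.port) if parts.port else "")


class HoneypotDetector:
    # Example detector: counts unique template IDs per normalized host and flags a
    # host once more than `threshold` distinct templates matched (0 disables).
    def __init__(self, threshold, suppress=False):
        self.threshold, self.suppress = threshold, suppress
        self.seen = {}        # host -> set of template IDs, kept only while unflagged
        self.flagged = set()  # hosts already reported (warned exactly once)
        self.lock = threading.Lock()

    def record(self, target, template_id):
        """Record one match; return True if the result should still be written."""
        host = normalize_host(target)
        with self.lock:
            if host in self.flagged:
                return not self.suppress
            if self.threshold <= 0:
                return True
            ids = self.seen.setdefault(host, set())
            ids.add(template_id)
            if len(ids) > self.threshold:
                self.flagged.add(host)
                del self.seen[host]  # memory cleanup: the ID set is no longer needed
                logging.warning("%s: %d distinct templates matched, possible honeypot",
                                host, len(ids))
                return not self.suppress
            return True

    def summary(self):
        """End-of-scan summary: the flagged hosts in sorted order."""
        return sorted(self.flagged)
```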
…ty detection
Implement a new "xss_context" analyzer for the nuclei fuzzing engine that detects reflected XSS vulnerabilities through HTML parsing context analysis.
The analyzer works in three phases:
1. Canary injection: sends a marker with special characters to detect which chars survive server-side filtering
2. Context detection: uses the Go HTML tokenizer to classify each reflection point into one of 8 contexts (html_text, attribute, attribute_unquoted, script, script_string, style, html_comment, or none)
3. Payload selection & replay: picks context-appropriate payloads whose required characters survived, replays them, and verifies the response contains unencoded executable content
Key design decisions:
- Zero-allocation event handler detection using stack-allocated byte buffers with bitwise case folding
- Windowed character survival detection scoped to the token containing the marker, avoiding false positives from unrelated page content
- Proper tag stack management with name-matched popping for nested elements
- Component state save/restore in the replay path to avoid corrupting the original fuzz state for subsequent payloads
- Conservative fallback: drainRemainingReflections catches markers in malformed/truncated HTML that the tokenizer missed
Integration points:
- Extends analyzers.Options with ResponseBody, ResponseHeaders, and ResponseStatusCode fields (populated in request.go)
- Registered via blank import in http.go alongside the existing time_delay analyzer
- Added fuzz playground test endpoints for 6 XSS reflection contexts
- Updated documentation (SYNTAX-REFERENCE.md, templates_doc.go)
Neo - PR Security Review: No security issues found
Summary
Resolves #5838
Adds a new xss_context analyzer to the nuclei fuzzing engine that performs context-aware reflected XSS detection. Unlike simple regex-based checks, this analyzer parses the HTML response with Go's tokenizer to determine where user input is reflected and selects payloads that can structurally achieve script execution in that specific context.
How it works
Phase 1 - Canary injection: The [XSS_CANARY] placeholder in the fuzzing payload is replaced with a marker containing special characters (<>"'/). After the server processes the request, we check which characters survived encoding/filtering.
Phase 2 - Context detection: The HTML tokenizer walks the response and classifies each reflection into one of 8 contexts:
- html_text - between tags (needs <script> or event handler injection)
- attribute / attribute_unquoted - inside attribute values (needs quote breakout)
- script / script_string - inside <script> blocks or JS string literals
- html_comment - inside <!-- --> (needs --> breakout)
- style - inside <style> blocks (needs </style> breakout)
Phase 3 - Payload replay & verification: For each reflection point, payloads are filtered by character requirements (no point sending <script> if < is encoded). Surviving payloads are replayed through the original fuzz component and the response is checked for unencoded executable content.
Key design decisions
- isEventHandler() check across 80+ event handlers
- drainRemainingReflections() catches markers in malformed/truncated HTML that the tokenizer missed
Template usage
Files changed
- pkg/fuzz/analyzers/xss/types.go
- pkg/fuzz/analyzers/xss/context_detector.go
- pkg/fuzz/analyzers/xss/payload_selector.go
- pkg/fuzz/analyzers/xss/analyzer.go
- pkg/fuzz/analyzers/analyzers.go
- pkg/protocols/http/http.go
- pkg/protocols/http/request.go
- pkg/templates/templates_doc.go
- SYNTAX-REFERENCE.md
- pkg/testutils/fuzzplayground/server.go
Test coverage
47 tests covering:
/claim
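Phases 1 and 2 from the Summary above (windowed canary survival, then context classification of each reflection point), as an added Python example that is not part of this PR or of nuclei: the standard-library HTMLParser stands in for Go's tokenizer, and the canary halves zq7x/xk3v, the class and function names, the attribute regexes and the mapping of tag- and attribute-name positions to none are assumptions of the example.

```python
import re
from html.parser import HTMLParser

PREFIX, SUFFIX, SPECIALS = "zq7x", "xk3v", "<>\"'/"  # constructed canary halves
# A closed JS string literal matches whole; an unterminated quote matches alone.
JS_STRING = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`|["'`]''')


def surviving_chars(body, prefix=PREFIX, suffix=SUFFIX, specials=SPECIALS):
    # Phase 1, windowed: only the span between the marker halves is inspected,
    # so a '<' elsewhere on the page is not mistaken for a surviving canary char.
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    return "" if m is None else "".join(c for c in specials if c in m.group(1))


class ReflectionContexts(HTMLParser):
    # Phase 2: every reflection of the marker prefix is classified by the HTML
    # context it landed in; "none" covers tag/attribute-name positions here.
    def __init__(self, body, marker=PREFIX):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. as-is in text
        self.marker, self.contexts, self.raw_elem = marker, [], None
        self.feed(body)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.raw_elem = tag  # raw-text content until the matching end tag
        raw, m = self.get_starttag_text(), re.escape(self.marker)
        if self.marker in raw:
            quoted = re.search(r'=\s*["\'][^"\']*' + m, raw)
            unquoted = re.search(r'=\s*[^\s"\'>]*' + m, raw)
            self.contexts.append("attribute" if quoted else
                                 "attribute_unquoted" if unquoted else "none")

    def handle_endtag(self, tag):
        if tag == self.raw_elem:
            self.raw_elem = None

    def handle_comment(self, data):
        if self.marker in data:
            self.contexts.append("html_comment")

    def handle_data(self, data):
        if self.marker not in data:
            return
        if self.raw_elem == "script":  # unterminated quote before marker => JS string
            before = data[: data.index(self.marker)]
            in_str = any(len(q.group()) == 1 for q in JS_STRING.finditer(before))
            self.contexts.append("script_string" if in_str else "script")
        else:
            self.contexts.append(self.raw_elem or "html_text")  # "style" or text
```

surviving_chars(body) yields the character set that Phase 3 filters payloads against, and ReflectionContexts(body).contexts lists one context name per reflection point in document order.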