Context-Aware XSS Analyzer for Fuzzing Engine

Issue: #5838

This PR introduces a context-aware XSS analyzer for the fuzzing engine. It detects reflection contexts, selects payloads based on context and available characters, and verifies exploitability to reduce false positives.


Key Features

🔍 Detects:

  • HTML body
  • Quoted and unquoted attributes
  • Script blocks, strings, and template literals
  • Style blocks
  • Comments
  • URL attributes

🎯 Context-aware payload selection with:

  • Character filtering
  • Configurable maximum attempts
  • Custom canary support via [XSS_CANARY] placeholder

✅ Verification logic to:

  • Reject non-exploitable reflections
  • Handle comments safely
  • Detect encoding issues
  • Identify context mismatches

File Changes

Core Analyzer Implementation

pkg/fuzz/analyzers/xss/analyzer.go

Orchestrates probe, detection, payload selection, and verification. Implements the Analyzer interface with:

  • ApplyInitialTransformation() — Handles [XSS_CANARY] placeholder replacement
  • Analyze() — Main flow: send canary → detect contexts → select payloads → verify
  • sendRequest() — HTTP request handling with proper error handling for resp.Body.Close()
  • verifyXSS() — Confirms exploitability by checking context compatibility and encoding

pkg/fuzz/analyzers/xss/context_detector.go

  • Context detection heuristics
  • Character availability logic (well documented)

pkg/fuzz/analyzers/xss/payload_selector.go

  • Context-specific payload sets
  • Filtering rules

pkg/fuzz/analyzers/xss/types.go

Includes context/type definitions and analyzer constants:

  • ContextType enum with 9 context types
  • ReflectionInfo struct with position, context, available chars
  • CharacterSet for tracking < > ' " / \ availability
  • DefaultCanary = "xSs9K7j<>'\"/()"
  • AnalyzerName = "xss_context"

Integration Tests

integration_tests/fuzz/fuzz-xss-context-body.yaml
Tests XSS detection in HTML body context where input reflects inside <div> tags without encoding.

integration_tests/fuzz/fuzz-xss-context-attribute.yaml
Tests XSS detection in HTML attribute context where input reflects inside value="" attributes.

integration_tests/fuzz/fuzz-xss-context-script.yaml
Tests XSS detection in JavaScript context where input reflects inside <script>var x = "..."</script>.

integration_tests/fuzz/fuzz-xss-context-encoded.yaml
Negative test case — verifies analyzer correctly identifies when XSS is not exploitable due to HTML encoding.

cmd/integration-test/fuzz.go
Added 4 test handlers that create vulnerable/safe test servers:

  • xssContextBodyFuzz — Vulnerable HTML body reflection
  • xssContextAttributeFuzz — Vulnerable attribute reflection
  • xssContextScriptFuzz — Vulnerable script context reflection
  • xssContextEncodedFuzz — Safe (encoded) reflection for negative testing

Documentation

pkg/templates/templates_doc.go

  • Added xss_context to valid analyzer names list
  • Updated parameters description to mention the canary parameter

Unit Tests

pkg/fuzz/analyzers/xss/analyzer_test.go

Comprehensive coverage including:

  • Body, attribute, script, and URL context detection
  • No-reflection handling
  • Encoded reflection handling
  • Custom canary support
  • False positive rejection in comments

pkg/fuzz/analyzers/xss/context_detector_test.go

Covers:

  • HTML body, attribute (quoted/unquoted), script, style, comment contexts
  • Multiple reflections handling
  • Case-insensitive tag detection
  • URL attribute detection (href, src, action, data, formaction, poster)
  • Script inside SVG handling
  • CDATA section handling
  • Partial encoding scenarios

pkg/fuzz/analyzers/xss/payload_selector_test.go

Tests:

  • Context-specific payload selection
  • Character filtering
  • Max verification attempts

Edge Cases Covered

  • Nested script contexts inside SVG
  • CDATA sections inside scripts
  • Partial encoding:
    • Only < encoded
    • Only > encoded
    • Quotes-only encoded
    • Mixed encoding cases
  • HTML comments (non-exploitable)
  • Context compatibility verification
  • Critical character encoding detection
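As an added illustration (not the PR's code), this Go sketch mirrors the analyzer flow described above and the partial-encoding edge cases: find every canary reflection, classify its context from the surrounding markup, record which of < > ' " / came back verbatim rather than as character references, and apply a per-context exploitability rule. The shortened canary, the names and the heuristics are assumptions; it covers body, attribute, script and comment contexts only, not style, URL or template-literal ones.

```go
package main
import "strings"

const canaryToken, canaryTail = "xSs9K7j", "<>'\"/" // constructed for this example (the PR's DefaultCanary differs): unique prefix, then the tracked characters
type Reflection struct{ Context string; Quote byte; Intact map[byte]bool } // where it landed, the attribute's opening quote (else 0), tail characters that came back verbatim

// classify is a heuristic over the lower-cased markup before the canary: unclosed comment or script first, then an open tag, else body.
func classify(b string) (string, byte) {
	for _, blk := range [][3]string{{"<!--", "-->", "comment"}, {"<script", "</script", "script"}} {
		if i := strings.LastIndex(b, blk[0]); i >= 0 && !strings.Contains(b[i:], blk[1]) {
			return blk[2], 0
		}
	}
	if lt := strings.LastIndex(b, "<"); lt > strings.LastIndex(b, ">") { // inside a tag: the last "=" opens the value
		if eq := strings.LastIndex(b, "="); eq > lt && eq+1 < len(b) && strings.IndexByte(`"'`, b[eq+1]) >= 0 {
			return "attr_quoted", b[eq+1]
		}
		return "attr_unquoted", 0
	}
	return "body", 0
}

// FindReflections finds every canary and walks its tail: literal = intact, character reference = encoded (skipped), neither = stripped.
func FindReflections(body string) (out []Reflection) {
	cur := 0
	for i := strings.Index(body, canaryToken); i >= 0; i = strings.Index(body[cur:], canaryToken) {
		r := Reflection{Intact: map[byte]bool{}}
		r.Context, r.Quote = classify(strings.ToLower(body[:cur+i]))
		cur += i + len(canaryToken)
		for _, c := range []byte(canaryTail) {
			if cur < len(body) && body[cur] == c {
				r.Intact[c], cur = true, cur+1
			} else if semi := strings.IndexByte(body[cur:], ';'); cur < len(body) && body[cur] == '&' && semi > 0 && semi < 9 {
				cur += semi + 1 // &lt; &#60; &#x3c; ...: skip the reference so the next tail character lines up
			}
		}
		out = append(out, r)
	}
	return out
}

// Exploitable applies the verification rule: each context needs its breakout characters intact; comments are rejected.
func Exploitable(r Reflection) bool {
	switch r.Context {
	case "body": return r.Intact['<'] && r.Intact['>']
	case "attr_quoted": return r.Intact[r.Quote]
	case "script": return r.Intact['\''] || r.Intact['"'] || (r.Intact['<'] && r.Intact['/'])
	}
	return r.Context == "attr_unquoted" // nothing to escape there (whitespace, absent from the canary, ends the value)
}
```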

Usage Example

id: xss-context-detection
info:
  name: XSS Context Analyzer
  author: pdteam
  severity: high
http:
  - method: GET
    path:
      - "{{BaseURL}}"
    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "[XSS_CANARY]"
    analyzer:
      name: xss_context
      parameters:
        canary: "xSs9K7j<>'\"/()"

/claim #5838

Summary by CodeRabbit

  • New Features
    • Added a context-aware XSS analyzer with configurable canary, automated context detection, payload selection and verification across HTML, JS and URL contexts.
  • Tests
    • Added extensive unit and integration tests covering context detection, payload selection/filtering, verification logic, encoding and edge cases; added fuzz scenarios.
  • Documentation
    • Updated analyzer templates/docs to include the new XSS analyzer and customizable canary option.
  • Chores
    • Registered the analyzer in the HTTP workflow and applied minor test/formatting adjustments.

Claim

Total prize pool: $200
Total paid: $0
Status: Pending
Submitted: February 02, 2026
Last updated: February 02, 2026

Contributors

  • Orbin Sunny (@orbin123), 100%

Sponsors

  • ProjectDiscovery (@projectdiscovery), $200