Summary

Implements an XSS context analyzer (xss_context) that integrates with nuclei’s existing fuzzing pipeline, following the same pattern as the time_delay analyzer.

How it works

  1. Canary injection: Replaces [XSS_CANARY] with a unique canary string appended with XSS-critical characters (<>"'/) to detect reflection and character survival
  2. Context detection: Uses golang.org/x/net/html tokenizer to classify where the canary is reflected into one of 8 context types:
    • HTMLText — between HTML tags
    • Attribute — inside a quoted attribute value
    • AttributeUnquoted — inside an unquoted attribute value
    • Script — inside a <script> block (not in a string)
    • ScriptString — inside a JavaScript string literal
    • Style — inside a <style> block
    • HTMLComment — inside an HTML comment
    • None — no actionable context
  3. Character survival: Detects which special characters (<, >, ", ', /) survive server-side encoding
  4. Payload replay: Selects context-appropriate XSS payloads filtered by surviving characters, replays them, and verifies unencoded reflection
  5. CSP awareness: Notes Content-Security-Policy presence that may limit exploitability

Files

New files:

  • pkg/fuzz/analyzers/xss/types.go — context types, character set, event handler map
  • pkg/fuzz/analyzers/xss/context.go — HTML tokenizer-based context detection
  • pkg/fuzz/analyzers/xss/analyzer.go — main analyzer with canary injection, replay, and verification
  • pkg/fuzz/analyzers/xss/context_test.go — 30+ test cases and 2 benchmarks

Modified files:

  • pkg/fuzz/analyzers/analyzers.go — added ResponseBody, ResponseHeaders, ResponseStatusCode to Options; made random thread-safe
  • pkg/protocols/http/http.go — blank import to register the xss analyzer
  • pkg/protocols/http/request.go — pass HTTP response data to analyzer
  • pkg/protocols/http/request_fuzz.go — initialize nil Parameters map for canary storage

Usage

fuzzing:
  - part: query
    type: replace
    fuzz:
      - "[XSS_CANARY]"
    analyzer:
      name: xss_context

Test plan

  • Unit tests for context detection across all 8 context types
  • Tests for character survival detection
  • Tests for payload selection per context
  • Tests for edge cases (RCDATA elements, case insensitivity, multiple contexts, event handlers)
  • Benchmarks for context detection performance
  • Integration test with live fuzzing target

/claim #5838

🤖 Generated with Claude Code
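The canary injection and character-survival steps from "How it works" above, as an added Go example that is not part of this PR's code: the canary value, the sample response body and the EncodedForms table are constructed assumptions, and the real analyzer uses a random canary and its own encoding list.

```go
package main

import (
	"fmt"
	"strings"
)

// XSSChars follow the canary; the ones reflected unencoded gate payload replay.
const XSSChars = `<>"'/`

// EncodedForms: server-side encodings recognised per character (assumed set).
var EncodedForms = map[rune][]string{
	'<':  {"&lt;", "&#60;", "&#x3c;"},
	'>':  {"&gt;", "&#62;", "&#x3e;"},
	'"':  {"&quot;", "&#34;", "&#x22;"},
	'\'': {"&#39;", "&#x27;", "&apos;"},
	'/':  {"&#47;", "&#x2f;", `\/`},
}

// BuildProbe is the value sent in place of [XSS_CANARY] (canary should be random per request).
func BuildProbe(canary string) string { return canary + XSSChars }

// Survival: was the canary reflected, and which XSSChars came back literally right after it?
func Survival(body, canary string) (reflected bool, surviving string) {
	idx := strings.Index(body, canary)
	if idx < 0 {
		return false, ""
	}
	tail := body[idx+len(canary):]
	var sb strings.Builder
	for _, c := range XSSChars {
		if strings.HasPrefix(tail, string(c)) { // literal: survived
			sb.WriteRune(c)
			tail = tail[1:]
			continue
		}
		for _, enc := range EncodedForms[c] { // encoded: consume, not surviving; stripped: fall through
			if strings.HasPrefix(tail, enc) {
				tail = tail[len(enc):]
				break
			}
		}
	}
	return true, sb.String()
}

func main() {
	body := `<input value="xc7f3a9d&lt;&gt;&quot;'/">` // constructed response
	fmt.Println(Survival(body, "xc7f3a9d"))          // true '/
}
```

In the sample body only `'` and `/` survive, so an attribute-breakout payload that needs `"` would be filtered out before replay.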

Summary by CodeRabbit

Release Notes

  • New Features

    • Added XSS vulnerability detection with context-aware payload analysis.
    • Enhanced HTTP response capture to store response body, headers, and status code.
  • Tests

    • Added comprehensive test suite for XSS reflection detection across multiple contexts.
  • Refactor

    • Improved thread-safety for random utility operations in the fuzzing framework.

Claim

Total prize pool: $200
Total paid: $0
Status: Pending
Submitted: March 01, 2026
Last updated: March 01, 2026

Contributors: dejan1007 (@dejan1007), 100%

Sponsors: ProjectDiscovery (@projectdiscovery), $200