feat(fuzz): Add XSS Context Analyzer (Closes #5838)

/claim #5838

Proposed Changes

This PR implements the XSS Context Analyzer to reduce False Positives in XSS detection, as requested in issue #5838.

The analyzer parses the HTTP response body using golang.org/x/net/html to determine the specific HTML context where a payload is reflected. It then verifies if the payload is actually executable in that context.

Key Features:

  • Context-Aware Analysis: Distinguishes between HTMLBody, AttributeValue, Script, Comment, and RCDATA (textarea/title).
  • False Positive Suppression: Findings are suppressed if the payload is reflected safely (e.g., inside a string literal without escaping, or inside a comment).
  • Fast Path Optimization: Uses bytes.Contains to skip parsing if the payload is not present in the body.
  • Robust Tokenization: Uses the standard Go HTML tokenizer for accurate parsing that mimics browser behavior.

Implementation Details

  • New Package: pkg/fuzz/analyzers/context containing the core logic.
  • Integration: Integrated into pkg/protocols/http/request_fuzz.go to analyze results before reporting.
    • If a match is found by regex/DSL, the analyzer is invoked.
    • If the analyzer determines the context is safe (e.g., proper quoting or Comment context), the match is marked as false.

Proof

Comprehensive unit tests cover various XSS scenarios including Body Reflection, Attribute Breakouts, Script Execution, and Edge Cases (Comments, Textareas).

Test Output:

=== RUN TestAnalyze
=== RUN TestAnalyze/Basic_Body_Reflection
=== RUN TestAnalyze/Escaped_Body
=== RUN TestAnalyze/Attribute_Breakout
=== RUN TestAnalyze/Attribute_Safe
=== RUN TestAnalyze/Script_Execution
=== RUN TestAnalyze/Script_String_Safe
=== RUN TestAnalyze/Script_String_Breakout
=== RUN TestAnalyze/Comment_Safe
=== RUN TestAnalyze/Comment_Breakout
=== RUN TestAnalyze/Textarea_Safe
=== RUN TestAnalyze/Textarea_Breakout
=== RUN TestAnalyze/Attribute_Name_Injection
--- PASS: TestAnalyze (0.00s)
--- PASS: TestAnalyze/Basic_Body_Reflection (0.00s)
--- PASS: TestAnalyze/Escaped_Body (0.00s)
--- PASS: TestAnalyze/Attribute_Breakout (0.00s)
--- PASS: TestAnalyze/Attribute_Safe (0.00s)
--- PASS: TestAnalyze/Script_Execution (0.00s)
--- PASS: TestAnalyze/Script_String_Safe (0.00s)
--- PASS: TestAnalyze/Script_String_Breakout (0.00s)
--- PASS: TestAnalyze/Comment_Safe (0.00s)
--- PASS: TestAnalyze/Comment_Breakout (0.00s)
--- PASS: TestAnalyze/Textarea_Safe (0.00s)
--- PASS: TestAnalyze/Textarea_Breakout (0.00s)
--- PASS: TestAnalyze/Attribute_Name_Injection (0.00s)
PASS
ok github.com/projectdiscovery/nuclei/v3/pkg/fuzz/analyzers/context 0.524s

Checklist

  • PR created against the correct branch (dev)
  • All checks passed (lint, unit/integration/regression tests)
  • Tests added that prove the fix is effective or feature works
  • Documentation added (Godoc comments)

Summary by CodeRabbit

  • New Features

    • Implemented context-aware analysis for XSS payloads to accurately identify where payloads are reflected within HTML structures (body, attributes, scripts, styles, comments).
  • Bug Fixes

    • Reduced false positive XSS vulnerability reports by automatically suppressing findings when payloads are confirmed to exist in safe, non-exploitable contexts.
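To make the suppression decision concrete, here is an added, self-contained illustration that is not the PR's code: it approximates the context classification with a hand-rolled scanner over the Go standard library instead of the golang.org/x/net/html tokenizer the PR uses, and the Analyze function, the Context type and the sample inputs are my own assumptions, not identifiers from the nuclei package.

```go
package main

import "strings"
// Context is the HTML position where the payload was reflected (hypothetical stand-in for the PR's analyzer, not nuclei code).
type Context string
const HTMLBody, AttributeValue, Script, Comment, RCDATA Context = "HTMLBody", "AttributeValue", "Script", "Comment", "RCDATA"
// Analyze finds the first verbatim reflection of payload in body, classifies its context and decides
// whether the payload can break out of it. found=false means no raw reflection (e.g. it was HTML-escaped).
func Analyze(body, payload string) (ctx Context, executable, found bool) {
	idx := strings.Index(body, payload) // fast path: not reflected verbatim, nothing to parse
	if idx < 0 { return "", false, false }
	pre, lp := strings.ToLower(body[:idx]), strings.ToLower(payload)
	ctx, inTag, tag := HTMLBody, false, ""
	var quote byte // open attribute-value or JS string delimiter, 0 if none
	for i := 0; i < len(pre); i++ {
		c := pre[i]
		switch {
		case ctx == Comment:
			if strings.HasPrefix(pre[i:], "-->") { ctx, i = HTMLBody, i+2 }
		case ctx == Script && strings.HasPrefix(pre[i:], "</script"),
			ctx == RCDATA && (strings.HasPrefix(pre[i:], "</textarea") || strings.HasPrefix(pre[i:], "</title")):
			ctx, inTag, tag, quote = HTMLBody, true, "", 0 // end tag: the inTag case consumes its '>'
		case ctx == Script: // track JS string literals so we know whether the payload lands inside one
			if quote == 0 && strings.IndexByte("\"'`", c) >= 0 { quote = c } else if c == quote && pre[i-1] != '\\' { quote = 0 }
		case ctx == RCDATA: // raw text: nothing to track until the end tag handled above
		case inTag: // track quoted attribute values and the end of the tag
			if quote == 0 && (c == '"' || c == '\'') { quote = c } else if c == quote { quote = 0 } else if quote == 0 && c == '>' {
				inTag = false
				switch tag { case "script": ctx = Script; case "textarea", "title": ctx = RCDATA }
			}
		case strings.HasPrefix(pre[i:], "<!--"):
			ctx, i = Comment, i+3
		case c == '<': // start of a tag: remember its name to pick the next context
			j := i + 1
			for j < len(pre) && pre[j] >= 'a' && pre[j] <= 'z' { j++ }
			inTag, tag, quote = true, pre[i+1:j], 0
		}
	}
	switch {
	case inTag: // quoted value needs its own quote to break out; unquoted value or attribute-name position is reported as-is
		return AttributeValue, quote == 0 || strings.IndexByte(payload, quote) >= 0, true
	case ctx == Script: // bare code, or a string the payload closes, or an element the payload ends
		return Script, quote == 0 || strings.IndexByte(payload, quote) >= 0 || strings.Contains(lp, "</script"), true
	case ctx == Comment:
		return Comment, strings.Contains(payload, "-->"), true
	case ctx == RCDATA:
		return RCDATA, strings.Contains(lp, "</textarea") || strings.Contains(lp, "</title"), true
	}
	return HTMLBody, strings.ContainsRune(payload, '<'), true // raw markup in a body text run
}
```

A reflection the scanner cannot see through (an unquoted attribute, for instance) is reported rather than suppressed, so the simplification errs toward a finding instead of hiding one.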

Claim

Total prize pool $200
Total paid $0
Status Pending
Submitted February 04, 2026
Last updated February 04, 2026

Contributors


Muhamad Juwandi

@MuhamadJuwandi

100%

Sponsors


ProjectDiscovery

@projectdiscovery

$200