Summary

Fixes #7086 — adds a new XSS context analyzer that uses the golang.org/x/net/html tokenizer to accurately classify where user input is reflected in HTML responses.

Addresses all 4 issues from #7086:

  • ✅ javascript: URI detection in href/src/action attributes
  • ✅ Non-executable script type identification (application/json, importmap, etc.)
  • ✅ Case-insensitive tag/attribute matching
  • ✅ srcdoc attribute handling as nested HTML context

What’s included:

  • New xss analyzer package (pkg/fuzz/analyzers/xss/) with 8 reflection contexts
  • Character availability analysis for payload generation
  • 46 tests covering all contexts and edge cases (all passing)
  • Integration with existing analyzer framework via init() registration
  • ResponseBody and ResponseHeaders fields added to analyzers.Options

Implementation Details

The analyzer uses Go’s golang.org/x/net/html tokenizer to parse HTML and detect reflection contexts:

  • ContextHTMLText — between tags
  • ContextAttribute — inside attribute values
  • ContextScript — inside executable <script> blocks
  • ContextComment — inside HTML comments
  • ContextTag — inside tag definitions
  • ContextStyle — inside <style> blocks
  • ContextJavascriptURI — inside javascript: URI attributes
  • ContextNonExecutableScript — inside non-executable script types (JSON, importmap)

Each reflection includes character availability analysis (<, >, ", ', etc.) to help determine viable XSS payloads.

Test plan

  • All 46 unit tests pass (go test ./pkg/fuzz/analyzers/xss/ -v)
  • Package builds cleanly (go build ./pkg/fuzz/analyzers/...)
  • HTTP protocol package builds with integration (go build ./pkg/protocols/http/...)
  • CI pipeline validation

/claim #7086

🤖 Generated with Claude Code
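The context classification and character-availability analysis described in the PR body above, as an added stand-alone example that is not the PR's code and not part of the project's pkg/fuzz/analyzers/xss package. It uses only the Go standard library: where the PR walks tokens from golang.org/x/net/html, this sketch approximates the same eight decisions by scanning the response prefix in front of the reflected marker (an open comment first, then an unclosed <script> or <style> body, then the open tag and its last attribute), so a `>` inside a quoted attribute value or a `<!--` inside script text can misclassify here where a real tokenizer would not. The marker `MARK`, the probe bytes `<>"'`, the one-line sample page in main and every identifier (Context, Classify, Survived, rawText) are assumptions of this example.

```go
// Added example, not the PR's pkg/fuzz/analyzers/xss code: a stdlib-only sketch of
// reflection-context classification and character availability. All names are hypothetical.
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Context is the syntactic position in which a reflected marker was found.
type Context int

const (
	HTMLText Context = iota
	Attribute
	Script
	Comment
	Tag
	Style
	JavascriptURI
	NonExecutableScript
)

var (
	// type=... inside a <script start tag; the value may be double-, single- or unquoted.
	typeAttr = regexp.MustCompile(`\stype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
	// An unterminated start tag that ends inside an attribute value: name, then the value so far.
	openAttr = regexp.MustCompile(`([^\s"'=<>/]+)\s*=\s*(?:"([^"]*)|'([^']*)|([^\s"']*))$`)
)

// executable: the browser runs a <script> whose type is empty, "module" or a JavaScript MIME
// type; anything else (application/json, ld+json, importmap, text/template, ...) is a data block.
func executable(typ string) bool {
	const js = " module text/javascript application/javascript text/ecmascript application/ecmascript" +
		" text/jscript text/livescript text/x-javascript text/x-ecmascript application/x-javascript application/x-ecmascript "
	t, _, _ := strings.Cut(strings.ToLower(typ), ";") // drop parameters such as ;charset=
	t = strings.TrimSpace(t)
	return t == "" || strings.Contains(js, " "+t+" ") || strings.HasPrefix(t, "text/javascript1.")
}

// rawText returns the start of an unclosed <name> element and the offset just past its start
// tag, or -1,-1 when lp does not end inside that element's raw-text body.
func rawText(lp, name string) (start, body int) {
	o := strings.LastIndex(lp, "<"+name)
	if o < 0 || o < strings.LastIndex(lp, "</"+name) {
		return -1, -1
	}
	if gt := strings.IndexByte(lp[o:], '>'); gt >= 0 {
		return o, o + gt + 1
	}
	return -1, -1 // still inside the start tag itself, e.g. <script src="MARK
}

// Classify reports the context of a marker that appears immediately after prefix. Matching runs
// on a lower-cased copy, so <SCRIPT TYPE=...> and HREF= are treated exactly like lowercase.
func Classify(prefix string) Context {
	lp := strings.ToLower(prefix)
	if o := strings.LastIndex(lp, "<!--"); o >= 0 && o > strings.LastIndex(lp, "-->") {
		return Comment // checked first so a commented-out <script> stays a comment
	}
	if o, b := rawText(lp, "script"); o >= 0 {
		if m := typeAttr.FindStringSubmatch(lp[o:b]); m != nil && !executable(m[1]+m[2]+m[3]) {
			return NonExecutableScript
		}
		return Script
	}
	if o, _ := rawText(lp, "style"); o >= 0 {
		return Style
	}
	lt := strings.LastIndex(lp, "<")
	if lt < 0 || lt < strings.LastIndex(lp, ">") {
		return HTMLText
	}
	m := openAttr.FindStringSubmatch(lp[lt:])
	if m == nil {
		return Tag // between attributes, e.g. <img alt="x" MARK
	}
	value := html.UnescapeString(m[2] + m[3] + m[4])
	switch m[1] {
	case "srcdoc": // the value is a nested document: classify the marker inside it
		return Classify(value)
	case "href", "src", "action", "formaction":
		// Browsers decode entities, trim leading spaces and strip tab/CR/LF before reading the scheme.
		v := strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(strings.TrimLeft(value, " "))
		if strings.HasPrefix(strings.ToLower(v), "javascript:") {
			return JavascriptURI
		}
	}
	return Attribute
}

// Survived returns the probe bytes (sent right after the marker) that came back raw after the
// reflection at off; an entity such as &lt; or &#34; is skipped, anything else ends the scan.
func Survived(body, marker, probe string, off int) string {
	var ok []byte
	pos := off + len(marker)
	for i := 0; i < len(probe) && pos < len(body); i++ {
		switch semi := strings.IndexByte(body[pos:], ';'); {
		case body[pos] == probe[i]:
			ok, pos = append(ok, probe[i]), pos+1
		case body[pos] == '&' && semi > 0:
			pos += semi + 1
		default: // stripped or rewritten (\u003c, \"): alignment is lost
			return string(ok)
		}
	}
	return string(ok)
}

func main() {
	// Constructed sample: the fuzzer sent MARK<>"' and the page reflected it inside a javascript: URI.
	body := `<a href="javascript:go('MARK&lt;&gt;&quot;'')">x</a>`
	i := strings.Index(body, "MARK")
	fmt.Println(Classify(body[:i]), Survived(body, "MARK", `<>"'`, i)) // 6 '
}
```

Given the offset of each reflected marker, Classify(body[:i]) yields the context and Survived(body, "MARK", `<>"'`, i) the bytes that came back unencoded, and the two together decide the payload: a JavascriptURI reflection where only `'` survives can still close the JS string literal inside the URI, while anything classified NonExecutableScript is a data block the browser never runs, whatever survived.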

Summary by CodeRabbit

  • New Features
    • Added an XSS context analyzer to the fuzzing pipeline that detects where reflections occur, selects context-appropriate payloads, replays for verification, and reports validated findings.
    • Analyzer now receives response body and headers during analysis for richer verification and more accurate detection.
  • Tests
    • Added extensive unit tests and benchmarks covering reflection/context detection, payload selection, character-survival, replay verification, and many HTML/script edge cases.

Claim

Total prize pool: $100
Total paid: $0
Status: Pending
Submitted: March 15, 2026
Last updated: March 15, 2026

Contributors

kgatilin (@kgatilin), 100%

Sponsors

Bishnu Prasad Sahu (@mebishnusahu0595), $100