/claim #5838

Summary

This pull request introduces a tokenizer-based XSS reflection context analyzer for the Nuclei fuzzing engine.

The analyzer inspects HTTP responses generated during fuzzing and determines the HTML context in which the injected payload (canary) is reflected. This enables more accurate XSS detection and improves payload selection for subsequent fuzzing attempts.

The implementation follows the existing Nuclei fuzz analyzer architecture and integrates cleanly into the analyzer registry.


Supported Reflection Contexts

The analyzer detects the following contexts:

  • html_text
  • html_attribute
  • event_handler
  • url_attribute
  • script_executable
  • script_data
  • style
  • html_comment

If the reflection context cannot be determined, the analyzer safely returns unknown.


Implementation Details

Key implementation points:

  • Uses the golang.org/x/net/html tokenizer to parse HTML instead of regex-based matching.
  • Extracts the injected payload marker from options.FuzzGenerated.Value.
  • Sends the fuzzed request using the Nuclei analyzer HTTP client.
  • Parses the response body and classifies the context of the reflected marker.
  • Integrates with the existing fuzz analyzer registry.

This approach avoids the false positives of regex matching and ensures that context classification matches real HTML parsing behaviour.
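As an added illustration (not code from this PR or from Nuclei), the same classification written in Python on top of the standard library's html.parser tokenizer, standing in for the Go golang.org/x/net/html tokenizer the PR uses. The context labels are the ones listed in the PR; the URL-attribute list, the JS string-literal heuristic that separates script_data from script_executable, the canary value and the response body are assumptions constructed for the example. The constructed response reflects the canary once in each context, and a body without the canary yields unknown.

```python
import re
from html.parser import HTMLParser

# Context labels taken from the PR description.
HTML_TEXT, HTML_ATTRIBUTE, EVENT_HANDLER, URL_ATTRIBUTE = (
    "html_text", "html_attribute", "event_handler", "url_attribute")
SCRIPT_EXECUTABLE, SCRIPT_DATA, STYLE, HTML_COMMENT, UNKNOWN = (
    "script_executable", "script_data", "style", "html_comment", "unknown")
# Attributes whose value is parsed as a URL (assumed list, not taken from the PR).
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "poster", "srcset", "cite", "ping"}


def inside_js_string(js_prefix):
    """Heuristic: is a ', " or ` literal still open at the end of js_prefix?
    Backslash escapes are honoured; comments and regex literals are not modelled."""
    quote, i = None, 0
    while i < len(js_prefix):
        ch = js_prefix[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
        i += 1
    return quote is not None


class ReflectionContextParser(HTMLParser):
    """Tokenizes a response body and records the context of every canary hit."""

    def __init__(self, canary):
        # convert_charrefs=False keeps text nodes raw, so entity-encoded output is
        # never mistaken for a raw reflection of the canary.
        super().__init__(convert_charrefs=False)
        self.canary = re.escape(canary)
        self.contexts = []        # contexts in document order
        self.raw_text_tag = None  # "script" or "style" while inside that element

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or not re.search(self.canary, value):
                continue
            if name.lower().startswith("on"):
                self.contexts.append(EVENT_HANDLER)
            elif name.lower() in URL_ATTRIBUTES:
                self.contexts.append(URL_ATTRIBUTE)
            else:
                self.contexts.append(HTML_ATTRIBUTE)
        if tag in ("script", "style"):
            self.raw_text_tag = tag

    def handle_endtag(self, tag):
        if tag == self.raw_text_tag:
            self.raw_text_tag = None

    def handle_data(self, data):
        # Inside <script>/<style> the tokenizer hands over the raw element body.
        hits = [m.start() for m in re.finditer(self.canary, data)]
        if self.raw_text_tag == "script":
            for idx in hits:
                in_string = inside_js_string(data[:idx])
                self.contexts.append(SCRIPT_DATA if in_string else SCRIPT_EXECUTABLE)
        elif self.raw_text_tag == "style":
            self.contexts.extend(STYLE for _ in hits)
        elif hits:
            self.contexts.append(HTML_TEXT)

    def handle_comment(self, data):
        if re.search(self.canary, data):
            self.contexts.append(HTML_COMMENT)


def classify_reflections(body, canary):
    """Return the context of every reflection of canary, in document order."""
    parser = ReflectionContextParser(canary)
    parser.feed(body)
    parser.close()
    return parser.contexts


def reflection_context(body, canary):
    """Context of the first reflection, or "unknown" when the canary is absent."""
    contexts = classify_reflections(body, canary)
    return contexts[0] if contexts else UNKNOWN


# Constructed response body: the canary "nuclei7f3a9c" is reflected once per context.
SAMPLE_RESPONSE = """<html><head>
<style>.q::before { content: "nuclei7f3a9c"; }</style>
<script>var q = "nuclei7f3a9c"; track(nuclei7f3a9c);</script>
</head><body>
<!-- debug: nuclei7f3a9c -->
<h1>Results for nuclei7f3a9c</h1>
<input type="text" value="nuclei7f3a9c">
<a href="/search?q=nuclei7f3a9c">again</a>
<div onclick="go('nuclei7f3a9c')">go</div>
</body></html>"""
```

Running classify_reflections(SAMPLE_RESPONSE, "nuclei7f3a9c") returns the eight contexts in document order (style, script_data, script_executable, html_comment, html_text, html_attribute, url_attribute, event_handler). The point of driving this from tokenizer callbacks rather than a regex over the raw body is that the same byte sequence means different things depending on where the tokenizer is: a canary inside an HTML comment or inside a quoted JavaScript string is inert as it stands, while one in an event handler or bare script position is not, and only the parser state tells them apart.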


Files Added

Summary by CodeRabbit

  • New Features
    • Added an XSS analyzer that detects and classifies reflection contexts in HTTP responses (text, attributes, event handlers, URLs, scripts, styles, comments).
  • Tests
    • Added comprehensive tests covering detection across varied HTML/JS contexts and edge cases.
  • Documentation
    • Updated syntax and template docs to include the new analyzer name as a valid option.

Claim

Total prize pool: $200
Total paid: $0
Status: Pending
Submitted: March 14, 2026
Last updated: March 14, 2026

Contributors

Harsh jain (@Harry-jain): 100%

Sponsors

ProjectDiscovery (@projectdiscovery): $200