Is there an existing issue for this?
Current Behavior
While reviewing the XSS context analyzer introduced in PR #7076,
I noticed a few context-classification edge cases that may impact detection accuracy.
Observed cases:
- javascript: URIs inside attributes are classified as ContextAttribute instead of ContextScript.
  Example:
- <script type="application/json"> blocks are treated as executable script context.
  Example:
  <script type="application/json">nucleiXSScanary</script>
- Reflection detection is case-sensitive, which may miss transformed reflections in responses.
- srcdoc attributes allow full HTML injection but are currently treated as simple attribute contexts.
Expected Behavior
These cases should be classified more accurately:
- javascript: URIs should be treated as executable script context.
- <script type="application/json"> blocks should not be treated as executable.
- Reflection detection should not depend on case.
- srcdoc should be treated as HTML injection context.
Improving these cases would reduce false positives and improve fuzzing precision.
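To make the four cases concrete, here is a small stand-alone classifier written for this issue as an added example; it is not nuclei's pkg/fuzz/analyzers/xss/context.go and not the reporter's patch. ContextAttribute and ContextScript mirror the names used above; ContextHTML, ContextScriptData, the function names and the sample responses are assumptions made for the example. The canary string is the one quoted in the issue. Matching is done on a lower-cased copy of the response so a transformed reflection is still found, a <script> block counts as executable only when its type is absent or a JavaScript MIME type, a javascript: URI value is reported as script context, and an srcdoc value is reported as HTML context.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Context is the coarse reflection context a fuzzer would report.
// ContextAttribute and ContextScript mirror the issue; the other
// constants are assumptions made for this example.
type Context int

const (
	ContextNone       Context = iota // canary not reflected
	ContextHTML                      // text node, or an srcdoc value (full HTML injection)
	ContextAttribute                 // plain attribute value
	ContextScript                    // executable script block or javascript: URI
	ContextScriptData                // <script> whose type is not executed, e.g. application/json
)

func (c Context) String() string {
	return [...]string{"ContextNone", "ContextHTML", "ContextAttribute", "ContextScript", "ContextScriptData"}[c]
}

var (
	// last attribute assignment before the reflection point, e.g. `href="`
	attrRe = regexp.MustCompile(`([a-z][a-z0-9:_-]*)\s*=\s*["']?`)
	// type attribute on a <script> opening tag
	typeRe = regexp.MustCompile(`type\s*=\s*["']?([^"'\s>]+)`)
	// script types a browser executes; anything else (json, ld+json, templates) is inert data
	jsTypes = map[string]bool{
		"text/javascript": true, "application/javascript": true,
		"text/ecmascript": true, "application/ecmascript": true, "module": true,
	}
)

// enclosingScriptTag returns the <script ...> opening tag when idx lies inside
// a script block (after the opening tag and before </script>).
func enclosingScriptTag(lower string, idx int) (string, bool) {
	start := strings.LastIndex(lower[:idx], "<script")
	if start < 0 {
		return "", false
	}
	end := strings.Index(lower[start:], ">")
	if end < 0 || start+end >= idx { // reflection sits inside the opening tag itself
		return "", false
	}
	if strings.Contains(lower[start+end:idx], "</script") {
		return "", false
	}
	return lower[start : start+end+1], true
}

// scriptExecutable reports whether a browser would run the script block:
// a missing or empty type is a classic script, unknown types are not executed.
func scriptExecutable(openTag string) bool {
	m := typeRe.FindStringSubmatch(openTag)
	if m == nil {
		return true
	}
	return jsTypes[strings.TrimSpace(m[1])]
}

// ClassifyReflection finds canary in body without regard to case and returns
// the context of the first reflection; ok is false when the canary is absent.
func ClassifyReflection(body, canary string) (ctx Context, ok bool) {
	lower := strings.ToLower(body)
	idx := strings.Index(lower, strings.ToLower(canary))
	if idx < 0 {
		return ContextNone, false
	}
	if tag, inScript := enclosingScriptTag(lower, idx); inScript {
		if scriptExecutable(tag) {
			return ContextScript, true
		}
		return ContextScriptData, true
	}
	tagStart := strings.LastIndex(lower[:idx], "<")
	if tagStart < 0 || strings.Contains(lower[tagStart:idx], ">") {
		return ContextHTML, true // text node between tags
	}
	prefix := lower[tagStart:idx]
	matches := attrRe.FindAllStringSubmatchIndex(prefix, -1)
	if matches == nil {
		return ContextAttribute, true // inside a tag but not in a value
	}
	last := matches[len(matches)-1]
	name, value := prefix[last[2]:last[3]], strings.TrimSpace(prefix[last[1]:])
	switch {
	case name == "srcdoc":
		return ContextHTML, true // srcdoc is parsed as a complete document
	case strings.HasPrefix(value, "javascript:"):
		return ContextScript, true // the URI body runs as script on navigation
	}
	return ContextAttribute, true
}

func main() {
	const canary = "nucleiXSScanary" // canary quoted in the issue
	samples := []string{ // constructed sample responses
		`<a href="javascript:nucleiXSScanary">x</a>`,
		`<script type="application/json">nucleiXSScanary</script>`,
		`<script>nucleiXSScanary</script>`,
		`<div>NUCLEIXSSCANARY</div>`,
		`<iframe srcdoc="nucleiXSScanary"></iframe>`,
		`<input value="nucleiXSScanary">`,
	}
	for _, s := range samples {
		ctx, ok := ClassifyReflection(s, canary)
		fmt.Printf("%-60s reflected=%v %s\n", s, ok, ctx)
	}
}
```

Running it prints one line per sample; the javascript: URI and the bare <script> block come out as ContextScript, the JSON block as ContextScriptData, the upper-cased reflection and the srcdoc value as ContextHTML, and the plain value attribute as ContextAttribute. The opening-tag lookup is a deliberate simplification: an srcdoc value that itself contains a raw `>` would need a real tokenizer, which is the tradeoff the analyzer in the issue faces as well.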
Steps To Reproduce
- Use an HTTP response containing:
- Trigger the XSS fuzzing analyzer.
- Observe the context classification result.
The current classification marks it as ContextAttribute instead of ContextScript.
Relevant log output
No runtime errors observed.
The issue relates to the context classification logic in pkg/fuzz/analyzers/xss/context.go.
Environment
- OS: Ubuntu (Linux)
- Nuclei: dev branch (local build, not installed globally)
- Go: go1.22.2
Anything else?
I have prepared a minimal patch locally with regression tests
addressing these cases and can open a PR if maintainers agree
with this direction.