[FALSE-POSITIVE] addeventlistener-detect #11589

@eboese

Description

Template IDs or paths

- http/miscellaneous/addeventlistener-detect.yaml

Environment

Steps To Reproduce

  1. Run nuclei on a website with an addEventListener function in JS

Relevant dumped responses

Anything else?

The template is wrong and misleading per se. The description talks about an XSS vulnerability and refers to a PortSwigger article to emphasise this statement. In addition, this template has a CVSS score, although it should be purely informative, as it only makes a simple regex match on addeventlistener.
Furthermore, the link to the PortSwigger article is misleading, as this special use case is only applicable in case of a mishandled postMessage event.

My suggestion would be to change the description of the template (addEventListener detection as a template is fine in my opinion, as a lot could go wrong here, but it should be purely informative) and to remove the CVSS score.
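
Added example, not part of the original issue or of the nuclei-templates project: a triage sketch showing why a bare match on `addEventListener` is only informational, and how a narrower check separates ordinary listeners from `message` listeners that never compare the sender's origin. The function names, the `info`/`review` levels, the regexes and the sample sources are assumptions constructed for illustration.

```javascript
// Added illustration; heuristics and samples are constructed, not the template's logic.

// Return the event type of every addEventListener("<type>", ...) call in src.
function listenerTypes(src) {
  const re = /\.addEventListener\(\s*(['"`])([^'"`]+)\1/g;
  return [...src.matchAll(re)].map((m) => m[2]);
}

// Coarse check: does the source compare an `.origin` property to anything?
function comparesOrigin(src) {
  return /\.origin\s*[!=]==?|[!=]==?\s*\w+\.origin\b/.test(src);
}

// Classify a script:
//   none   - no listeners at all
//   info   - listeners exist, nothing suggests a postMessage handling problem
//   review - a "message" listener exists and no origin comparison was found
function classify(src) {
  const types = listenerTypes(src);
  if (types.length === 0) return { level: "none", types };
  if (!types.includes("message")) return { level: "info", types };
  return { level: comparesOrigin(src) ? "info" : "review", types };
}

// Constructed sample sources.
const SAMPLES = {
  clickOnly:
    'document.getElementById("b").addEventListener("click", () => toggle());',
  messageNoCheck:
    'window.addEventListener("message", (e) => { render(e.data); });',
  messageChecked:
    'window.addEventListener("message", (e) => {' +
    ' if (e.origin !== "https://app.example") return; render(e.data); });',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const { level, types } = classify(src);
  console.log(`${name}: level=${level} types=${types.join(",")}`);
}
```

A plain regex match flags all three samples identically; only the second warrants manual review, and even that result is a lead for a human, not a finding that justifies a CVSS score.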

Labels

- Done: Ready to merge
- false-positive: Nuclei template reporting invalid/unexpected result
