Ask about Templet and false positive

[uskolor]

hi Team

I would like ask about Templates for Nuclei .I do not understand why this template during probe some website a lot time show my false positive xss .How to reduce false positive .What is wrong .?

http:
  - method: GET
    path:
      - '{{BaseURL}}/?q=<script>alert(1);</script>'
      
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "<script>alert(/{{randstr}}/);</script>"
        part: body

      - type: word
        words:
          - "text/html"
        part: header

[GeorginaReeder]

Hi @uskolor ! Thanks for your question.

@dwisiswant0 is there anything we can do to help here?

[uskolor]

Yes it is .Please about some tips ,any answered how to fix .How to reduce false positive .I use this Template for looking XSS .What I should change in this Template to reduce false positive responds. from server ?

https://raw.githubusercontent.com/Akokonunes/Private-Nuclei-Templates/main/CVE-2018-18775.yaml

[dwisiswant0]

To avoid false-positive results, make sure the template has unique matchers. For example, you could add a matcher for a response header that is specific to a certain server, or add a matcher for an HTML element that is unique to a particular technology. Basically, you need to set certain parameters or conditions that can exactly identify the technology or the server you are dealing with. This way, the matcher condition isn't weak and won't produce false positives. It's about making your conditions more specific, so you can be confident that you get reliable and accurate matches and avoid broad or generic results.

[uskolor]

ok but matcher for me is "payload" . May you put here any example .?

matchers-condition: and
matchers:
- type: status
status:
- 200

  - type: word
    words:
      - "<script>alert(1);</script>"
    part: body

[dwisiswant0]

See these templates for your reference:

• http/cves/2022/CVE-2022-40359.yaml
• http/cves/2023/CVE-2023-44393.yaml
• http/cves/2024/CVE-2024-4348.yaml

[uskolor]

OK but on this 3 template I see only additional information put to matchers like .

      - "<script>alert(document.domain);</script>"
      - "x_kfm_changeCaption"        <--------------------------
      - "kfm_copyFiles"                     <--------------------------
    condition: and


      - "<script>prompt(document.domain)</script>"
      - "The plugin has been successfully copied" <--------------------
    condition: and

• type: word
  part: body
  words:
  - "<ScRiPt>alert('document_domain')</ScRiPt>"
  - "Listing of all products on the site" <------------------------
  condition: and

How I should to know what matchers on Scan website should be .? and I should put in my Templates to reduce false positive. ?

for ex. for this Nuclei will see words like plugin and this will be conformation XSS fire up . This is correct or thinking or not .!!!!

/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=nfez2%22%3E%3Cscript%3Eprompt(document.domain)%3C%2fscript%3Ehkugi

words:
- "<script>prompt(document.domain)</script>"
- "The plugin has been successfully copied"
condition: and

[prototype0987]

To reduce false positives with the Nuclei template, consider refining the matchers. False positives often occur due to the template detecting benign behavior as an issue. You could try adding more specific conditions or adjusting the word matchers to be less generic. Additionally, using more targeted payloads could help reduce these occurrences. If this template is for probing XSS vulnerabilities in a prototype web application, ensure that the web server response is consistent and not triggering false alerts.