
Added fuzzing support for query params + var dump feature #2679

Merged: 21 commits merged into dev from url-query-fuzzing on Nov 1, 2022

Conversation

@Ice3man543 (Member) commented Oct 5, 2022

Proposed changes

Closes #2529 and #2670

Docs here - projectdiscovery/nuclei-docs#78

Example template

id: fuzz-reflection-xss

info:
  name: Basic Reflection Potential XSS Detection
  author: pdteam
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    payloads:
      reflection:
        - "another"
        - "test"

    fuzzing:
      - part: query
        fuzz:
          - "{{reflection}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{reflection}}"

      - type: word
        part: header
        words:
          - "text/html"

Example run

 ./nuclei -t template.yaml -u "https://example.com/?url=test&pass=new" -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.8-dev

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.8-dev (development)
[INF] Using Nuclei Templates 9.2.2 (latest)
[INF] Templates added in last update: 40
[INF] Templates loaded for scan: 1
[INF] [basic-template] Dumped HTTP request for https://example.com/?pass=new6842%27%22%3E%3C&url=test6842%27%22%3E%3C

GET /?pass=new6842%27%22%3E%3C&url=test6842%27%22%3E%3C HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[INF] No results found. Better luck next time!

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@Ice3man543 Ice3man543 self-assigned this Oct 5, 2022
@Ice3man543 Ice3man543 added the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Oct 5, 2022
@ehsandeep (Member) left a comment
  • payloads to support file input
  • payloads to support global dsl/variable
  • values to support global dsl/variable (nmi for why required)
  • keys to support global dsl/variable (nmi for why required)
  • uniform request block (tbd for usability)
  • mimic existing nuclei request behavior (tbd what is correct behaviour)
  • lint / build fix
  • docs update
  • keys-regex parameter add

router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
    w.Header().Set("Content-Type", "text/html")
    value := r.URL.Query().Get("id")
    fmt.Fprintf(w, "This is test matcher text: %v", value)

Code scanning / CodeQL (warning): Reflected cross-site scripting. Cross-site scripting vulnerability due to user-provided value.
@ehsandeep ehsandeep removed the request for review from Mzack9999 October 6, 2022 08:20
@ehsandeep ehsandeep added Status: In Progress This issue is being worked on, and has someone assigned. and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed labels Oct 6, 2022
func permissionsHandler(ctx echo.Context) error {
    command := ctx.QueryParam("cmd")
    fields := strings.Fields(command)
    cmd := exec.Command(fields[0], fields[1:]...)

Code scanning / CodeQL (failure): Command built from user-controlled sources. This command depends on a user-provided value.

func requestHandler(ctx echo.Context) error {
    url := ctx.QueryParam("url")
    data, err := http.Get(url)

Code scanning / CodeQL (failure): Uncontrolled data used in network request. The URL of this request depends on a user-provided value.

func infoHandler(ctx echo.Context) error {
    return ctx.HTML(200, fmt.Sprintf(bodyTemplate, fmt.Sprintf("Name of user: %s%s%s", ctx.QueryParam("name"), ctx.QueryParam("another"), ctx.QueryParam("random"))))

Code scanning / CodeQL (warning): Reflected cross-site scripting. Cross-site scripting vulnerability due to user-provided value (reported once for each of the three query parameters).

        second, _ := strconv.Atoi(trimmed[1])
        text = strconv.Itoa(first * second)
    }
    return ctx.HTML(200, fmt.Sprintf(bodyTemplate, fmt.Sprintf("Text: %s", text)))

Code scanning / CodeQL (warning): Reflected cross-site scripting. Cross-site scripting vulnerability due to user-provided value.

func redirectHandler(ctx echo.Context) error {
    url := ctx.QueryParam("redirect_url")
    return ctx.Redirect(302, url)

Code scanning / CodeQL (warning): Open URL redirect. Untrusted URL redirection depends on a user-provided value.
@Ice3man543 Ice3man543 requested a review from ehsandeep October 15, 2022 22:17
@Ice3man543 (Member, Author) commented

Docs here - projectdiscovery/nuclei-docs#78

@ehsandeep ehsandeep added Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Oct 25, 2022
@ehsandeep (Member) left a comment

Merge conflict

@ehsandeep ehsandeep requested a review from Mzack9999 October 25, 2022 18:37
@Mzack9999 Mzack9999 requested a review from ehsandeep October 30, 2022 06:59
@Mzack9999 (Member) left a comment

lgtm - marking as "request changes" just to check if the following are known limitations:

  • Parameters with same name are flattened (eg. http://192.168.1.1/?id=1&id=2 => http://192.168.1.1/?id=fuzz)
  • replacement seems to be literal, without the capability to refer to the existing value for some custom manipulation via DSL (eg. {{md5(current_param_value+fuzz)}})

@Ice3man543 (Member, Author) commented

@Mzack9999 made the value of the parameter accessible as a DSL value and also fixed the issue with multiple keys of the same name.

    payloads:
      reflection:
        - "1337"
    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "{{concat(value,reflection,'somethingelse')}}"

GET /?test=new1337somethingelse HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
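The query-parameter mutation the PR template fields describe (`type`, `mode`, the DSL `value` reference from the comment above, and the duplicate-key flattening raised in review), as an added Python illustration that is not nuclei's own code. The `{{value}}` placeholder expansion and the reading of `single` as "one parameter per request" versus `multiple` as "all parameters in one request" are assumptions about how those template fields behave.

```python
from typing import Iterator, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def apply_payload(payload: str, current: str, ftype: str) -> str:
    """Combine a payload with the parameter's current value; '{{value}}' in the
    payload expands to that value (assumed stand-in for the PR's DSL access)."""
    expanded = payload.replace("{{value}}", current)
    if ftype == "replace":
        return expanded
    if ftype == "prefix":
        return expanded + current
    if ftype == "postfix":
        return current + expanded
    raise ValueError(f"unknown fuzz type: {ftype}")


def fuzz_query(url: str, payloads: List[str], mode: str = "multiple",
               ftype: str = "replace") -> Iterator[str]:
    """Yield mutated URLs. mode='single' mutates one parameter per request,
    'multiple' mutates all at once (assumed semantics). Parameters stay an
    ordered list of (key, value) pairs, so ?id=1&id=2 is not flattened."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params:  # nothing to fuzz, so no requests are generated
        return
    for payload in payloads:
        if mode == "single":
            for i, (key, value) in enumerate(params):
                mutated = list(params)
                mutated[i] = (key, apply_payload(payload, value, ftype))
                yield urlunsplit(parts._replace(query=urlencode(mutated)))
        elif mode == "multiple":
            mutated = [(k, apply_payload(payload, v, ftype)) for k, v in params]
            yield urlunsplit(parts._replace(query=urlencode(mutated)))
        else:
            raise ValueError(f"unknown fuzz mode: {mode}")


if __name__ == "__main__":
    # Constructed input mirroring the example run; urlencode applies the same
    # percent-encoding (%27%22%3E%3C) seen in the dumped request above.
    for u in fuzz_query("https://example.com/?url=test&pass=new",
                        ["6842'\"><"], mode="multiple", ftype="postfix"):
        print(u)
```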

@Ice3man543 Ice3man543 requested a review from Mzack9999 November 1, 2022 09:09
@ehsandeep ehsandeep merged commit b9472cf into dev Nov 1, 2022
@ehsandeep ehsandeep deleted the url-query-fuzzing branch November 1, 2022 14:58
@ehsandeep ehsandeep removed the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Nov 1, 2022
Development

Successfully merging this pull request may close these issues:
  • Add flag for variable debug dump
  • URL Query Parameter Fuzzing support

3 participants