Redirected response matches are lost when executed from Flow #4443

Closed
tovask opened this issue Nov 29, 2023 · 0 comments · Fixed by #4582
tovask commented Nov 29, 2023

Nuclei version:

Nuclei Engine Version: v3.0.4

Current Behavior:

When executed from Flow, it outputs only the matches on the first request. Matches from further redirected responses are not shown.

Expected Behavior:

Output the matches for all the responses through a redirect chain, just like when it's running normally.

Steps To Reproduce:

id: flow_matcher_bug
info:
  name: Flow matcher bug
  author: Levente Kovats
  severity: medium
  description: Matches from further redirected responses are lost when executed from Flow
  reference:
      - https://docs.projectdiscovery.io/templates/protocols/http/basic-http
      - https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections

flow: http();

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    redirects: true # Follow HTTP redirects
    
    matchers:
      # detects the final page that does not redirect any further
      - type: status
        status:
          - 200

    extractors:
      # export the original URL because Nuclei outputs the matched one, which is probably after the redirection(s)
      - type: kval
        name: original-URL
        kval:
          - host
        internal: true
      # export the status code
      - type: kval
        name: status
        kval:
          - status_code

Run it with ./nuclei -disable-update-check -target "https://httpbin.org/redirect-to?url=https%3A%2F%2Fdocs.projectdiscovery.io%2F" -templates flow_bug.yaml -v -matcher-status -follow-redirects

Without using flow it gives the expected result (the 200 status matcher got hit):

└─$ ./nuclei -disable-update-check -target "https://httpbin.org/redirect-to?url=https%3A%2F%2Fdocs.projectdiscovery.io%2F" -templates redirect_in_flow.yaml -v -matcher-status -follow-redirects

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.4

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Template flow_matcher_bug is not signed or tampered
[INF] Current nuclei version: v3.0.4 (outdated)
[INF] Current nuclei-templates version:  (outdated)
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[VER] [flow_matcher_bug] Sent HTTP request to https://httpbin.org/redirect-to?url=https%3A%2F%2Fdocs.projectdiscovery.io%2F
[flow_matcher_bug:status] [matched] [http] [medium] https://docs.projectdiscovery.io/introduction [200]

But when running it with flow: http();:

  • it outputs the result only for the first response (if there is any match for that; in this case nothing)
  • when there's no match at all, not even later in the redirect chain, and it is executed with the -matcher-status flag, it outputs the failed status
  • when there's a match later in the redirect chain (e.g. the 200 status match on the last response), not even the failed status due to the -matcher-status flag is printed, so it seems that it hits the matcher, but the results from those later responses are lost somewhere...

Refs:

https://docs.projectdiscovery.io/templates/protocols/http/basic-http
https://github.com/projectdiscovery/nuclei/blob/dev/pkg/tmplexec/flow/flow_internal.go
https://github.com/projectdiscovery/nuclei/blob/dev/pkg/tmplexec/generic/exec.go

Side note: when following an HTTP redirection, Nuclei outputs the final URL, which is not so practical, I think, because if I run it with a big list of URLs, I need to do additional work to find out which one resulted in that.
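As an added illustration (not Nuclei's code and not from the reporter), the script below models the behaviour the issue describes: it follows a constructed redirect chain standing in for the httpbin.org to docs.projectdiscovery.io hops, applies a `type: status` matcher to every hop, keeps the original host the way the internal `kval` extractor in the template does, and reproduces the reported flow behaviour when only the first response is evaluated. The chain data, `follow_redirects` and `evaluate` are assumptions made for this example.

```python
from urllib.parse import urljoin, urlparse

# Constructed redirect chain (sample data, not a live capture):
# url -> (status_code, Location header or None)
CHAIN = {
    "https://httpbin.org/redirect-to?url=https%3A%2F%2Fdocs.projectdiscovery.io%2F":
        (302, "https://docs.projectdiscovery.io/"),
    "https://docs.projectdiscovery.io/": (301, "/introduction"),
    "https://docs.projectdiscovery.io/introduction": (200, None),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_redirects(start, responses, max_hops=10):
    """Return the ordered (url, status) hops visited, like `redirects: true`.

    Stops at the first non-redirect response or after max_hops to avoid loops.
    """
    hops, url = [], start
    for _ in range(max_hops):
        status, location = responses[url]
        hops.append((url, status))
        if location is None or status not in REDIRECT_CODES:
            break
        url = urljoin(url, location)  # relative Location headers are resolved
    return hops


def evaluate(hops, wanted_status=200, all_hops=True):
    """Apply a `type: status` matcher over the chain.

    all_hops=True is the normal (non-flow) behaviour: every response is checked.
    all_hops=False reproduces the reported flow behaviour: only the first response.
    The original host is kept alongside each match so a result can be traced back
    to the input URL even though the matched URL is the post-redirect one.
    """
    scope = hops if all_hops else hops[:1]
    original_host = urlparse(hops[0][0]).netloc
    return [
        {"original-host": original_host, "matched-url": url, "status": status}
        for url, status in scope
        if status == wanted_status
    ]


if __name__ == "__main__":
    chain = follow_redirects(next(iter(CHAIN)), CHAIN)
    print("normal run:", evaluate(chain))
    print("flow run  :", evaluate(chain, all_hops=False))
```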
@tovask tovask added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Nov 29, 2023
@dogancanbakir dogancanbakir self-assigned this Dec 27, 2023
@tarunKoyalwar tarunKoyalwar self-assigned this Jan 5, 2024
@ehsandeep ehsandeep added this to the nuclei v3.1.4 milestone Jan 7, 2024