
Multiple bug fixes in query param fuzzing #4925

Merged: 5 commits, Mar 25, 2024

Conversation

@tarunKoyalwar tarunKoyalwar commented Mar 20, 2024

Proposed Changes

  • fuzz: check and handle typed slice
  • do not query-encode params + fuzz/allow duplicate params
  • use ordered params and maintain query param order
  • allow optional support for fuzzing duplicated params using indexes _1, _2. See:
    // == Handling Duplicate Query Parameters / Form Data ==
    // Nuclei supports fuzzing duplicate query parameters by internally normalizing
    // them and denormalizing them back when creating the request. This normalization
    // can be leveraged to specify custom fuzzing behaviour in templates as well:
    // if a query like `?foo=bar&foo=baz&foo=fuzzz` is provided, it will be normalized to
    // foo_1=bar, foo_2=baz, foo=fuzzz (i.e. the last value is given the original key, which is the usual behaviour in HTTP and its implementations).
    // This way this change does not break any existing rules in templates given by keys-regex or keys.
    // At the same time, if the user wants to specify the 2nd or 1st duplicate value in a template, they can use foo_1 or foo_2 in keys-regex or keys.
    // Note: By default all duplicate query parameters are fuzzed
    type Form struct{}

@tarunKoyalwar tarunKoyalwar self-assigned this Mar 20, 2024
@tarunKoyalwar tarunKoyalwar marked this pull request as ready for review March 20, 2024 21:55
tarunKoyalwar (Member, Author):

Before

$  nuclei -u "https://example.com/test/view.action?ids=AA&ids=BB&ids=CC&ids=DD" -t ~/fuzzing-templates/xss/reflected-xss.yaml -fuzz -debug-req 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.7.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 126
[INF] Templates loaded for current scan: 1
[WRN] Loaded 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[ERR] unknown type []string for value [AA BB CC DD]
[INF] [reflected-xss] Dumped HTTP request for https://example.com/test/view.action

GET /test/view.action HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.43
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[ERR] unknown type []string for value [AA BB CC DD]
[INF] No results found. Better luck next time!

After fix / Improvements

$  ./nuclei -u "https://example.com/test/view.action?ids=AA&ids=BB&ids=CC&ids=DD" -t ~/fuzzing-templates/xss/reflected-xss.yaml -fuzz -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.7.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 126
[INF] Templates loaded for current scan: 1
[WRN] Loaded 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [reflected-xss] Dumped HTTP request for https://example.com/test/view.action?ids=AA'"><64250&ids=BB&ids=CC&ids=DD

GET /test/view.action?ids=AA'"><64250&ids=BB&ids=CC&ids=DD HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[INF] [reflected-xss] Dumped HTTP request for https://example.com/test/view.action?ids=AA&ids=BB'"><64250&ids=CC&ids=DD

GET /test/view.action?ids=AA&ids=BB'"><64250&ids=CC&ids=DD HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[INF] [reflected-xss] Dumped HTTP request for https://example.com/test/view.action?ids=AA&ids=BB&ids=CC'"><64250&ids=DD

GET /test/view.action?ids=AA&ids=BB&ids=CC'"><64250&ids=DD HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[INF] [reflected-xss] Dumped HTTP request for https://example.com/test/view.action?ids=AA&ids=BB&ids=CC&ids=DD'"><64250

GET /test/view.action?ids=AA&ids=BB&ids=CC&ids=DD'"><64250 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[INF] No results found. Better luck next time!
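The normalize/denormalize scheme described in the PR description, together with the per-position fuzzing visible in the After log, as an added Go example (not nuclei's own code): `Param`, `normalize` and `fuzzEach` are hypothetical names, the query strings are constructed to mirror the PR's examples, and the template's keys/keys-regex matching is reduced to a plain predicate.

```go
package main

import (
	"fmt"
	"strings"
)

// Param: Key is the normalized name templates match on (ids_1, ids_2, ids);
// Wire is the name sent on the wire (ids); Value stays raw, never re-encoded.
type Param struct{ Key, Wire, Value string }

// normalize splits a raw query in order without URL-decoding it and renames
// all but the last occurrence of a repeated key to key_1, key_2, ...; the last
// keeps the bare key ("last value wins"), so existing keys/keys-regex rules still match.
func normalize(raw string) []Param {
	var ps []Param
	total, seen := map[string]int{}, map[string]int{}
	for _, kv := range strings.Split(raw, "&") {
		if k, v, _ := strings.Cut(kv, "="); kv != "" {
			ps = append(ps, Param{Key: k, Wire: k, Value: v})
			total[k]++
		}
	}
	for i := range ps {
		w := ps[i].Wire
		if seen[w]++; seen[w] < total[w] {
			ps[i].Key = fmt.Sprintf("%s_%d", w, seen[w])
		}
	}
	return ps
}

// fuzzEach denormalizes back to wire keys in the original order and emits one
// query per parameter whose normalized key matches, payload appended to it only.
func fuzzEach(ps []Param, match func(string) bool, payload string) []string {
	base := make([]string, len(ps))
	for i, p := range ps {
		base[i] = p.Wire + "=" + p.Value
	}
	var out []string
	for i, p := range ps {
		if match(p.Key) {
			cp := append([]string(nil), base...)
			cp[i] += payload
			out = append(out, strings.Join(cp, "&"))
		}
	}
	return out
}
```

Running `normalize("ids=AA&ids=BB&ids=CC&ids=DD")` through `fuzzEach` with a matcher that accepts `ids` and `ids_*` yields the four query strings seen in the After log, one per duplicate, while a matcher accepting only `ids_2` fuzzes just the second occurrence.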

@tarunKoyalwar tarunKoyalwar requested a review from ehsandeep March 20, 2024 22:06
@tarunKoyalwar tarunKoyalwar changed the title issue 4907 twice param Multiple bug fixes in query param fuzzing Mar 20, 2024
@ehsandeep ehsandeep merged commit c1bd4f8 into dev Mar 25, 2024
12 checks passed
@ehsandeep ehsandeep deleted the issue-4907-twice-param branch March 25, 2024 04:38
@ehsandeep ehsandeep mentioned this pull request Mar 25, 2024
Successfully merging this pull request may close these issues.

Fuzzing templates seem to error out when url has the same parameter more than once.