Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add -dast flag and multiple bug fixes for dast templates #4941

Merged
merged 15 commits into from
Mar 29, 2024
Merged

add -dast flag and multiple bug fixes for dast templates #4941

merged 15 commits into from
Mar 29, 2024

Conversation

tarunKoyalwar
Copy link
Member

@tarunKoyalwar tarunKoyalwar commented Mar 25, 2024
edited
Loading

Proposed Changes

Before

  • when running dast template with multiple mode, payloads were stacked after every run instead of being reset
$  nuclei -l integration_tests/fuzz/testData/ginandjuice.proxify.yaml -im yaml -t b.yaml -fuzz -v         130 ↵

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loaded 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 9
[VER] [fuzz0test] Sent HTTP request to http://127.0.0.1:8082/blog/post?postId=3%27&source=proxify%27
[VER] [fuzz0test] Sent HTTP request to http://127.0.0.1:8082/blog/post?postId=3%27%22&source=proxify%27%22
[VER] [fuzz0test] Sent HTTP request to http://127.0.0.1:8082/blog/post?postId=3%27%22%3B&source=proxify%27%22%3B
[INF] No results found. Better luck next time!

After

$  ./nuclei -l integration_tests/fuzz/testData/ginandjuice.proxify.yaml -im yaml -t b.yaml -dast -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 9
[VER] [fuzz0test] Sent HTTP request to http://127.0.0.1:8082/blog/post?postId=3'&source=proxify'
[VER] [fuzz0test] Sent HTTP request to http://127.0.0.1:8082/blog/post?postId=3"&source=proxify"
[VER] [fuzz0test] Sent HTTP request to http://127.0.0.1:8082/blog/post?postId=3;&source=proxify;
[INF] No results found. Better luck next time!

@tarunKoyalwar tarunKoyalwar self-assigned this Mar 25, 2024
@tarunKoyalwar tarunKoyalwar marked this pull request as ready for review March 25, 2024 15:42
@tarunKoyalwar tarunKoyalwar requested a review from ehsandeep March 25, 2024 15:42
@tarunKoyalwar tarunKoyalwar changed the title issue 4935 dast filters add -dast flag and multiple bug fixes for dast templates Mar 25, 2024
@tarunKoyalwar
Copy link
Member Author 

$ ./nuclei -t a.yaml -u scanme.sh

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[ssh-server-enumeration] [javascript] [info] scanme.sh:22 ["{"AlgorithmSelection":{"client_to_server_alg_group":{"cipher":"aes128-ctr","compression":"none","mac":"hmac-sha2-256"},"dh_kex_algorithm":"curve25519-sha256@libssh.org","host_key_algorithm":"ecdsa-sha2-nistp256","server_to_client_alg_group":{"cipher":"aes128-ctr","compression":"none","mac":"hmac-sha2-256"}},"Banner":"","ClientID":null,"ClientKex":null,"Crypto":null,"DHKeyExchange":{"curve25519_sha256_params":{"server_public":"JksLByu2//6pnjcij46E6ovX9XzUkE7Xu6Ctnax8HkI="},"server_host_key":{"algorithm":"ecdsa-sha2-nistp256","ecdsa_public_key":{"b":"WsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEs=","curve":"P-256","gx":"axfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpY=","gy":"T+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfU=","length":256,"n":"/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVE=","p":"/////wAAAAEAAAAAAAAAAAAAAAD///////////////8=","x":"z26Q0tpPfVKxgLHzuj0SxaECCYLqlIm5tNy3Fz5KsUw=","y":"tjGcTXlRlQy67VjJLj5iqO3X+VvGEFw2bkRSSsHHrCg="},"fingerprint_sha256":"28cdf69e089470409de139506f5f33fdcc5b747641d974da3236863aa8a98ca5","raw":"AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9ukNLaT31SsYCx87o9EsWhAgmC6pSJubTctxc+SrFMtjGcTXlRlQy67VjJLj5iqO3X+VvGEFw2bkRSSsHHrCg="},"server_signature":{"h":"mk0WH/upBHoC+NJqYA9Fj+Yu/VouaibNJfP/B4Q1ADI=","parsed":{"algorithm":"ecdsa-sha2-nistp256","value":"AAAAIQDVxji4Wi9YYmzQQfOc/c/+msf7zzGKMGeBYOPpklQXVgAAACBzzmpcB0y1u9tePWvC1Y/BJ9qF65l38tbwNvvJhc2BUw=="},"raw":"AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAIQDVxji4Wi9YYmzQQfOc/c/+msf7zzGKMGeBYOPpklQXVgAAACBzzmpcB0y1u9tePWvC1Y/BJ9qF65l38tbwNvvJhc2BUw=="}},"ServerID":{"Comment":"Ubuntu-4ubuntu0.11","ProtoVersion":"2.0","Raw":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11","SoftwareVersion":"OpenSSH_8.2p1"},"ServerKex":{"client_to_server_ciphers":["chacha20-poly1305@openssh.com","aes128-ctr","aes192-ctr","aes256-ctr","aes128-gcm@openssh.com","aes256-gcm@openssh.com"],"client_to_server_compression":["none","zlib@openssh.com"],"client_to_server_macs":["umac-64-etm@openssh.com","umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com","hmac-sha1-etm@openssh.com","umac-64@openssh.com","umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512","hmac-sha1"],"cookie":"1MCxZqbogvRN/wo7mhuUow==","first_kex_follows":false,"host_key_algorithms":["rsa-sha2-512","rsa-sha2-256","ssh-rsa","ecdsa-sha2-nistp256","ssh-ed25519"],"kex_algorithms":["curve25519-sha256","curve25519-sha256@libssh.org","ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256","diffie-hellman-group16-sha512","diffie-hellman-group18-sha512","diffie-hellman-group14-sha256","kex-strict-s-v00@openssh.com"],"reserved":0,"server_to_client_ciphers":["chacha20-poly1305@openssh.com","aes128-ctr","aes192-ctr","aes256-ctr","aes128-gcm@openssh.com","aes256-gcm@openssh.com"],"server_to_client_compression":["none","zlib@openssh.com"],"server_to_client_macs":["umac-64-etm@openssh.com","umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com","hmac-sha1-etm@openssh.com","umac-64@openssh.com","umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512","hmac-sha1"]},"UserAuth":["publickey","password"]}"]

@tarunKoyalwar tarunKoyalwar mentioned this pull request Mar 25, 2024
Closed
@tarunKoyalwar tarunKoyalwar linked an issue Mar 25, 2024 that may be closed by this pull request
Non-printable characters in extractor output are inconsistently escaped #4929
Closed
@tarunKoyalwar
Copy link
Member Author

  • aws request signature templates can only be run in signed & verified templates
$ ./nuclei -t ~/Codebase/nuclei-templates/http/cloud/aws                                             

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[WRN] Found 9 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[WRN] Skipping 25 templates, HTTP Request signatures can only be used in Signed & Verified templates.
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan

@ehsandeep ehsandeep requested a review from Mzack9999 March 26, 2024 12:22
tovask
tovask reviewed Mar 26, 2024
View reviewed changes
pkg/output/format_screen.go Outdated Show resolved Hide resolved
Mzack9999
Mzack9999 requested changes Mar 26, 2024
View reviewed changes
Copy link
Member

@Mzack9999 Mzack9999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor suggestions

pkg/catalog/loader/loader.go Outdated Show resolved Hide resolved
pkg/fuzz/component/path.go Outdated Show resolved Hide resolved
pkg/fuzz/dataformat/kv.go Outdated Show resolved Hide resolved
pkg/fuzz/parts.go Outdated Show resolved Hide resolved
@tarunKoyalwar
Copy link
Member Author

Fix lazy eval of interactsh-url (see: #4946)

$ ./nuclei -u https://scanme.sh -t a.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

		projectdiscovery.io

[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 85
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.online
[some-exploit] [http] [critical] https://scanme.sh/bnNsb29rdXAgY28xZGtmc280N21oOGNwOGg1MTA2ODRyb2NtNHE5dWd5Lm9hc3Qub25saW5l ["nslookup co1dkfso47mh8cp8h510684rocm4q9ugy.oast.online"]

@tarunKoyalwar tarunKoyalwar requested a review from Mzack9999 March 26, 2024 14:53
Mzack9999
Mzack9999 approved these changes Mar 26, 2024
View reviewed changes
Copy link
Member

@Mzack9999 Mzack9999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm - Might be worth considering the implementation in a follow up task of a HTTP proxy mode for RFC-compliant requests, so that DAST mode can be performed on in-flight requests transparently and nuclei could virtually support all third party apps supporting proxy, without the need of various intermediate formats like openapi

@DhiyaneshGeek DhiyaneshGeek mentioned this pull request Mar 27, 2024
Merged
2 tasks
This was referenced Mar 27, 2024
Merged
Open
@tarunKoyalwar
Copy link
Member Author

follow-up #4953

@ehsandeep ehsandeep merged commit e88889b into dev Mar 29, 2024
12 checks passed
@ehsandeep ehsandeep deleted the issue-4935-dast-filters branch March 29, 2024 08:01
@ehsandeep ehsandeep mentioned this pull request Mar 29, 2024
Open
@BrewTestBot BrewTestBot mentioned this pull request Apr 3, 2024
Merged
@ansanyuan
Copy link

Can this dast engine test post content in http packages? and headers, similar to awvs. Or can we only test the fields in GET at present, and there is little information on the Internet, so let's ask here.THX^^

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tovask tovask tovask left review comments

@Mzack9999 Mzack9999 Mzack9999 approved these changes

@ehsandeep ehsandeep ehsandeep approved these changes

Assignees

@tarunKoyalwar tarunKoyalwar

Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@tarunKoyalwar @ansanyuan @ehsandeep @Mzack9999 @tovask