
URL Query Parameter Fuzzing support

Open ehsandeep opened this issue 3 years ago • 2 comments

Please describe your feature request:

  • Support for arbitrary query / parameter fuzzing

Describe the use case of this feature:

Currently nuclei supports pre-defined URL fuzzing, where one can define which paths or parameters are to be fuzzed. This support can be extended to fuzz arbitrary query parameters with defined values to find well-known security vulnerabilities such as redirects, XSS, SSRF, RCE, SQLi and more.

Here is minimal example template for query parameter fuzzing:

id: url-fuzz

info:
  name: basic url fuzz
  author: pdteam
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    payloads:
      rce:
        - "fuzz_1"
        - "fuzz_2"

    fuzz:
      - payload:
          - "{{rce}}"

./nuclei -u 'https://example.com/?img=123&src=example' -t query-fuzz.yaml -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.7

    projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.7 (latest)
[INF] Using Nuclei Templates 9.1.7 (latest)
[INF] Templates added in last update: 45
[INF] Templates loaded for scan: 1
[VER] [query-fuzz] Sent HTTP request to https://example.com/?img=fuzz_1&src=fuzz_1
[VER] [query-fuzz] Sent HTTP request to https://example.com/?img=fuzz_2&src=fuzz_2
[INF] No results found. Better luck next time!

Options available for Fuzz:

requests:
  - raw:
      - |
        GET  HTTP/1.1
        Host: {{Hostname}}

    payloads:
      ssrf:
        - "fuzz_1"

    fuzz:
      - type: replace # optional
        part: query # optional
        mode: single # optional
        replace: # optional (fuzz defined parameters only)
          - url
          - file
          - load
        payload: # required
          - "{{ssrf}}"

Fuzz options details:

type:

  • replace (default) - replaces the value of parameter with payload
  • prefix - append the payload to existing parameter value
  • postfix - prepend the payload to existing parameter value
  • infix - place the payload in between the existing parameter value

part:

  • query (default) - url query fuzz
  • header - future todo, fuzz request header key
  • body - future todo, fuzz request body parameter value
  • request - future todo, fuzz anywhere in the request (query + request + body)

mode:

  • multiple (default) - multiple / all values to be replaced at once
  • single - one parameter value to be replaced at a time

payload - value to be replaced / fuzz

ehsandeep, Sep 01 '22 00:09
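An added example, not nuclei's own code, that expands a target URL into the requests the fuzz options described above (type, mode, replace, payload) would produce. It assumes prefix places the payload before the existing value and postfix after it, and that infix splits the value at its midpoint; run on the URL from the issue it yields the two request URLs shown in the verbose output.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def mutate(kind, value, payload):
    """Apply one fuzz 'type' from the issue to an existing parameter value."""
    if kind == "prefix":    # assumption: payload placed before the existing value
        return payload + value
    if kind == "postfix":   # assumption: payload placed after the existing value
        return value + payload
    if kind == "infix":     # assumption: payload dropped into the middle of the value
        mid = len(value) // 2
        return value[:mid] + payload + value[mid:]
    return payload          # "replace" (default): payload overwrites the value


def fuzz_urls(url, payloads, kind="replace", mode="multiple", replace=None):
    """Expand one target URL into the requests the proposed fuzz block would send.

    mode="multiple" mutates every selected parameter at once (one URL per
    payload); mode="single" mutates one parameter at a time (one URL per
    payload and parameter). `replace` limits fuzzing to the named parameters.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    selected = [i for i, (name, _) in enumerate(params)
                if not replace or name in replace]
    groups = [[i] for i in selected] if mode == "single" else [selected]
    out = []
    for payload in payloads:
        for group in groups:
            if not group:       # nothing to fuzz, e.g. no listed parameter is present
                continue
            mutated = list(params)
            for i in group:
                name, value = params[i]
                mutated[i] = (name, mutate(kind, value, payload))
            out.append(urlunsplit(parts._replace(query=urlencode(mutated))))
    return out


if __name__ == "__main__":
    # Constructed input matching the issue's sample command.
    for u in fuzz_urls("https://example.com/?img=123&src=example", ["fuzz_1", "fuzz_2"]):
        print(u)
```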

Previous related GH Issues / discussions / PR

  • https://github.com/projectdiscovery/nuclei/issues/4
  • https://github.com/projectdiscovery/nuclei/issues/1087
  • https://github.com/projectdiscovery/nuclei/discussions/726
  • https://github.com/projectdiscovery/nuclei/pull/487

ehsandeep, Sep 01 '22 08:09

You can refer to BurpBounty https://github.com/wagiro/BurpBounty

I have studied BurpBounty for a long time, and this Burp Suite plugin is very mature.

But the one on GitHub is the normal version, and there is a pro version that requires payment.

You can refer to the official documentation of the pro version for ideas:

https://burpbounty.net/documentation-extension/#15-toc-title

capiton0, Sep 03 '22 14:09