
The debug flags do not work correctly with headless templates

Open forgedhallpass opened this issue 3 years ago • 5 comments

Request and response headers are not shown when the -debug, -debug-req, -debug-resp flags are provided.

The headless action execution messages should be formatted (e.g. by adding [DBG] prefix) and some context should also be given (e.g. "Executing headless action: waitload").

It would also be nice to show the actual URL, instead of {{BaseURL}}.

nuclei -t headless.yaml -u https://twitter.com -headless -debug
id: headless
info:
  name: Headless Example
  severity: info
  author: forgedhallpass

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"
      - action: waitload


forgedhallpass avatar Jul 21 '22 13:07 forgedhallpass

I don't know if it is the same issue, but I believe that the debug action inside a headless template also does not work.

Techbrunch avatar Jul 28 '22 15:07 Techbrunch

Note: it's expected that HTTP requests/responses aren't shown as browser navigation might imply multiple asynchronous network activities to complete an action (e.g. asynchronous javascript libraries loading, ajax requests, etc.).

Mzack9999 avatar Jul 29 '22 10:07 Mzack9999

Note: it's expected that HTTP requests/responses aren't shown as browser navigation might imply multiple asynchronous network activities to complete an action (e.g. asynchronous javascript libraries loading, ajax requests, etc.).

This is true, but requests made explicitly through a template should still be shown. e.g. in this case: https://github.com/projectdiscovery/nuclei/issues/2365#issuecomment-1199183495

forgedhallpass avatar Jul 29 '22 12:07 forgedhallpass

After discussing with @forgedhallpass :

  • [ ] Debug messages should have placeholders ({{placeholder}}) replaced with their final values
  • [ ] It might not be possible to relate an asynchronous specific HTTP request with a template YAML action. Anyway, it's necessary to check whether the various actions' debug messages are detailed enough and eventually update them to provide as much context as possible
  • [ ] All error messages should be at least printed as warnings

Mzack9999 avatar Aug 03 '22 06:08 Mzack9999

It actually shows the dumped response, but without headers. Also, as we've seen, the hijacked response struct in go-rod contains a request id, hence the correlation should be possible.

docker pull vulnerables/web-dvwa
docker run --rm -it -p 80:80 vulnerables/web-dvwa

nuclei -id dvwa-headless-automatic-login -u http://localhost -headless -debug


We could at least make sure the proxy configuration is being properly propagated to the web browser. That would be a viable alternative.

forgedhallpass avatar Aug 03 '22 09:08 forgedhallpass
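Added example, not part of this thread or of nuclei's own code: a sketch of the debug output the checklist above and the request-id correlation in the last comment ask for. `DebugLog`, `Exchange` and the field names are assumptions standing in for nuclei's headless engine and go-rod's hijack structs; it resolves `{{BaseURL}}` in the action line, prefixes with `[DBG]`, and tags each hijacked request/response pair (headers included) with the action that was running when the browser issued it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Exchange is a constructed stand-in for a hijacked request/response pair; both halves share the browser's RequestID.
type Exchange struct {
	RequestID, Method, URL  string
	ReqHeaders, RespHeaders map[string]string
}

// DebugLog resolves {{placeholders}} and tags each exchange with the template action that issued it.
type DebugLog struct {
	Vars   map[string]string // e.g. BaseURL -> the -u target
	action string
}

// BeginAction marks action as active and returns its debug line with resolved arguments.
func (d *DebugLog) BeginAction(action string, args map[string]string) string {
	d.action = action
	var resolved []string
	for k, v := range args {
		for name, val := range d.Vars {
			v = strings.ReplaceAll(v, "{{"+name+"}}", val)
		}
		resolved = append(resolved, k+"="+v)
	}
	sort.Strings(resolved) // deterministic argument order
	return strings.Join(append([]string{"[DBG] Executing headless action: " + action}, resolved...), " ")
}

// OnExchange renders a hijacked exchange, both header sets included, under the active action.
func (d *DebugLog) OnExchange(x Exchange) string {
	return fmt.Sprintf("[DBG] [%s] %s %s %s%s\n[DBG] [%s] %s response%s",
		d.action, x.RequestID, x.Method, x.URL, headers(x.ReqHeaders),
		d.action, x.RequestID, headers(x.RespHeaders))
}

// headers renders a header map one per line in a stable order.
func headers(h map[string]string) string {
	var out []string
	for k, v := range h {
		out = append(out, "\n  "+k+": "+v)
	}
	sort.Strings(out)
	return strings.Join(out, "")
}
```

Wired into a hijack callback, the same RequestID lets a response dump be printed next to the request (and action) that caused it, instead of headerless output under a bare `{{BaseURL}}`.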