
When using `payloads`, multiple requests are being sent even if the request is not parametrized (static)

Open forgedhallpass opened this issue 3 years ago • 2 comments

Use-case: externalizing regex snippets to be read from files. e.g. regex(concat("prefix", regex_payload_snippet, "suffix"), body)

id: template-id

info:
  name: Template Name
  author: istvan
  severity: info

requests:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
        Accept: */*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate

    payloads:
      path:
        - a
        - b
        - c 

    matchers:
      - type: dsl
        dsl:
          - print_debug(path) 
nuclei -t /tmp/t.yaml -u http://localhost:8081 -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.7.6

		projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.7.6 (latest)
[INF] Using Nuclei Templates 9.1.5 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[INF] [template-id] Dumped HTTP request for http://localhost:8081/

GET / HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5

[INF] print_debug value: [a]
[2022-08-17 20:33:33] [template-id] [http] [info] http://localhost:8081/ [path=a]
[INF] [template-id] Dumped HTTP request for http://localhost:8081/

GET / HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5

[INF] print_debug value: [b]
[2022-08-17 20:33:33] [template-id] [http] [info] http://localhost:8081/ [path=b]
[INF] [template-id] Dumped HTTP request for http://localhost:8081/

GET / HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5

[INF] print_debug value: [c]
[2022-08-17 20:33:33] [template-id] [http] [info] http://localhost:8081/ [path=c]

Note: If the path variable is not used in the matcher, the requests are not duplicated.

forgedhallpass, Aug 17 '22 17:08

Previous / related code change - https://github.com/projectdiscovery/nuclei/pull/1790

ehsandeep, Aug 20 '22 00:08

On Hold - Check if it's already covered by https://github.com/projectdiscovery/nuclei/pull/1767

Mzack9999, Aug 29 '22 13:08

This behavior is expected: if the payload is used anywhere in the template (including matchers), then the normal iteration flow is taken, and no assumptions are made about optimistic request skipping, since it might be unwanted invasive behavior.

Mzack9999, Dec 13 '22 13:12
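To make the request-volume consequence of this thread concrete, here is a small Python model of the two iteration strategies discussed: the cross-product behavior the maintainer describes as expected (every payload combination yields a request, whether or not the request text references the payload) beside the "skip static request" optimisation the issue asks for, plus the externalised-regex-snippet matcher from the original use-case. This is an added example, not nuclei's own code; the template text, the `path` payload set, the `{{name}}` substitution rules, the response body and the `regex_snippets_matching` helper with its `prefix`/`suffix` parameters are all constructed for illustration.

```python
import itertools
import re
from typing import Dict, List, Sequence, Tuple

# Constructed example modelled on the issue's template: the raw request only
# references {{Hostname}}, never the "path" payload (not nuclei's own code).
RAW_REQUEST = (
    "GET / HTTP/1.1\n"
    "Host: {{Hostname}}\n"
    "User-Agent: Mozilla/5.0\n"
    "Accept: */*\n"
)
# A variant that does use the payload in the request line, for comparison.
PARAMETRIZED_REQUEST = RAW_REQUEST.replace("GET / ", "GET /{{path}} ")
BASE_VARS = {"Hostname": "localhost:8081"}
PAYLOADS = {"path": ["a", "b", "c"]}

VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def referenced_vars(raw: str) -> set:
    """Names of {{variables}} that appear in the raw request text."""
    return set(VAR_RE.findall(raw))


def render(raw: str, values: Dict[str, str]) -> str:
    """Substitute {{name}} with values[name]; unknown names are left as-is."""
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), raw)


def iterate_requests(
    raw: str,
    payloads: Dict[str, Sequence[str]],
    base: Dict[str, str],
    skip_static: bool = False,
) -> List[Tuple[Dict[str, str], str]]:
    """Return [(payload_assignment, rendered_request), ...] for one template.

    skip_static=False reproduces the debug output in the issue: every payload
    combination produces a request, even when the request text never uses
    the payload. skip_static=True is the optimisation the issue asks for: if
    no payload variable is referenced in the request, send it exactly once
    (the matcher can still iterate over the payloads against that one body).
    """
    names = list(payloads)
    if skip_static and not (referenced_vars(raw) & set(names)):
        return [({}, render(raw, base))]
    out = []
    for combo in itertools.product(*(payloads[n] for n in names)):
        assignment = dict(zip(names, combo))
        out.append((assignment, render(raw, {**base, **assignment})))
    return out


def distinct_requests(results: List[Tuple[Dict[str, str], str]]) -> int:
    """How many unique wire requests a plan actually contains."""
    return len({req for _, req in results})


def regex_snippets_matching(
    body: str, snippets: Sequence[str], prefix: str = "", suffix: str = ""
) -> List[str]:
    """The issue's use-case: regex(concat(prefix, snippet, suffix), body) for
    each externalised snippet, evaluated against a single response body."""
    return [s for s in snippets if re.search(prefix + s + suffix, body)]


if __name__ == "__main__":
    naive = iterate_requests(RAW_REQUEST, PAYLOADS, BASE_VARS)
    print(len(naive), "requests sent,", distinct_requests(naive), "distinct")
    skipped = iterate_requests(RAW_REQUEST, PAYLOADS, BASE_VARS, skip_static=True)
    print(len(skipped), "request sent with skip_static")
    param = iterate_requests(PARAMETRIZED_REQUEST, PAYLOADS, BASE_VARS, skip_static=True)
    print(len(param), "requests sent for the parametrized request")
    # Constructed response body; only the "b" snippet matches.
    print(regex_snippets_matching("X-Backend: node-b\n", PAYLOADS["path"], "node-", r"\b"))
```

Running the script shows the point of the report: the static request goes out three times for one distinct wire request, while the parametrized variant legitimately needs three. Whether to skip is a policy decision exactly because a template author may rely on repeated sends (for example to observe non-deterministic responses), which is the "unwanted invasive behavior" concern in the last comment.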