Issue with default digest md5
I am implementing a request that uses digest md5. The original request that I am trying to replicate only uses the parameter nonce in the Authorization field, while the default digest md5 of nuclei uses the variables nonce, cnonce and nc. Therefore, the authentication is invalid.
This is the response that is sent in the browser:
Authorization: Digest username="admin", realm="ManagementRealm", nonce="I2svYaOTQ6sNMTY2MDgwODIyOTU3Mdcffk5/tywNCT09KdKUoZQ=", uri="/management", algorithm=MD5, response="3728550a16054127c303c055d00bf76b", opaque="00000000000000000000000000000000"
And the template that I am using:
Authorization: Digest username="admin", realm="ManagementRealm", nonce="224zIBibtpsNMTY2MDgwODI5MzkxN/KX9F/IpKxez0vD6+AeFMc=", uri="/management", response="df5e5613b733d650a3db9057f71571a2", cnonce="3be311adf861a963fc329ed7d940868a", opaque="00000000000000000000000000000000", qop=auth, nc=00000001
I attach the code of the nuclei template:
I finally did it manually with:
Authorization: Digest username="{{username}}", realm=§realm§, nonce=§nonce§, uri="/management", algorithm=MD5, response="{{md5(concat(md5(concat("{{username}}",":",§realm§,":","{{password}}")),":",§nonce§,":",md5(concat("POST",":","/management"))))}}", opaque=§opaque§
It would be great if this was implemented.
The version of md5 digest that I am using is RFC 2069, but the most used is the RFC 2617 (which is the default one now in nuclei).
Proposal:
- Add new field digest-type accepting RFC2069 or RFC2617
@Mzack9999 this seems like a rare case, not sure we should implement this since this can be achieved without library implementation using ^ payload. Anyway, to implement this we need to add support for this in upstream https://github.com/Mzack9999/go-http-digest-auth-client
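The two computations discussed in this thread, side by side, as an added example (not code from nuclei or from go-http-digest-auth-client): RFC 2069 hashes only HA1, nonce and HA2, while RFC 2617 with qop=auth also hashes nc, cnonce and qop, so the two never produce the same response. The `digestType` parameter is hypothetical and mirrors the proposed digest-type field; the sample values are the worked example from RFC 2617 section 3.5.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// Challenge holds the parameters taken from the server's WWW-Authenticate header.
type Challenge struct{ Realm, Nonce, Opaque string }

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Response computes the digest response value.
// digestType is hypothetical and mirrors the field proposed in the issue:
//   "RFC2069": MD5(HA1:nonce:HA2)
//   anything else is treated as RFC2617: MD5(HA1:nonce:nc:cnonce:qop:HA2), qop=auth
func Response(digestType, user, pass, method, uri string, c Challenge, nc, cnonce string) string {
	ha1 := md5hex(user + ":" + c.Realm + ":" + pass)
	ha2 := md5hex(method + ":" + uri)
	if digestType == "RFC2069" {
		return md5hex(ha1 + ":" + c.Nonce + ":" + ha2)
	}
	return md5hex(strings.Join([]string{ha1, c.Nonce, nc, cnonce, "auth", ha2}, ":"))
}

// Header builds the Authorization value; qop, nc and cnonce are omitted for RFC2069.
func Header(digestType, user, pass, method, uri string, c Challenge, nc, cnonce string) string {
	h := fmt.Sprintf(`Digest username=%q, realm=%q, nonce=%q, uri=%q, algorithm=MD5, response=%q, opaque=%q`,
		user, c.Realm, c.Nonce, uri, Response(digestType, user, pass, method, uri, c, nc, cnonce), c.Opaque)
	if digestType != "RFC2069" {
		h += fmt.Sprintf(`, qop=auth, nc=%s, cnonce=%q`, nc, cnonce)
	}
	return h
}

func main() {
	// Sample values are the worked example from RFC 2617 section 3.5, not from the issue.
	c := Challenge{"testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "5ccc069c403ebaf9f0171e9517f40e41"}
	for _, t := range []string{"RFC2069", "RFC2617"} {
		fmt.Println(Header(t, "Mufasa", "Circle Of Life", "GET", "/dir/index.html", c, "00000001", "0a4f113b"))
	}
}
```

A server that expects the RFC 2069 form rejects the RFC 2617 header because the response hash covers different inputs, not merely because extra parameters are present.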