nuclei
Fuzzing layer enhancements + input-types support
Proposed changes
Supersedes #4163
Checklist
- [ ] Pull request is created against the dev branch
- [ ] All checks passed (lint, unit/integration/regression tests etc.) with my changes
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] I have added necessary documentation (if appropriate)
Needs tests related to fuzzing layer execution + other points noted by tarun in #4163
Known Issues / Planned Changes
- [x] Add more params etc that shouldn't be fuzzed by default (ex. __viewstate, etc)
- [x] (common/fuzz) Rewrite querypartRule & headersPartRule tests with new methods/logic
- [x] (core/inputs/formats) Replace `http.ReadRequest` with manual/custom parser as it is strict http request parser and does not support unsafe raw requests
- [x] (core/inputs/formats) use OrderedParam to maintain Order of Headers while parsing (currently we use `map[string][]string`)
- [x] (core/inputs/formats) fix failing input format test of openapi, json and raw request
- [x] move package `pkg/protocols/common/fuzz` -> `pkg/fuzz` (to avoid deep nested directories and easier access to fuzz module)
Checklist
- [x] Complete refactor to use pkg/inputs/types (RequestResponse) [ Response part is a placeholder for now ]
- [x] Unified Target/Input Provider ( consolidate MetaInput / RawRequest )
- [x] Add New Yaml Input Format for Http Target data ( generated by proxify)
- [x] Refactor to use Unified/New Input Provider Interface
- [x] Remove `-input-file` flag and consolidate its logic using `-l` flag
- [x] Add `-fuzz` flag to load/execute fuzz protocol templates
- [x] Missing SDK Options for new flags
- [x] Rename Part names of (url , response)
- [x] Add support for `replace-regex` rule type to allow custom replacement
- [x] Fix Rule applicability, it only considers url and does not consider entire http request
- [x] Unit Tests for Each Part ( query,path,header,body)
- [x] Integration Test for Each Part (query,path,header,body)
- [x] Rewrite Integration Test using fuzzing-playground instead of router
- [x] Add support for new multipart/form-data body format
- [x] Introduce Static Auth From Yaml File using `-secrets`
- [x] ~~Pass this to postman,openapi,swagger (to generate requests on fly)~~
- [x] Allow specifying variables set/update in postman,openapi,swagger from `-var` flag (WIP)
- [x] ~~Implement logic for passing creds via ScanContext in tmplexec~~
- [x] Yaml Format ( Regex / Exact Match Auth Support )
- [x] 1password integration ( will be implemented in followup release )
- [x] Setup up Automation to generate and update default exclude list of headers and cookies ( a good source for this is wappalyzer project which contains headers and cookies of some technologies ) (see: https://github.com/projectdiscovery/nuclei/issues/4843)
- [x] Follow-up issue to implement chunked Provider (eliminate hmap) (https://github.com/projectdiscovery/nuclei/issues/4808#issuecomment-1982892969)
Integration Tests Added
Existing fuzz integration tests only use `url`; keeping those aside, we are adding integration tests for all components using the fuzz playground ^

```
[✓] Test "fuzz/fuzz-query-num-replace.yaml" passed!
[✓] Test "fuzz/fuzz-header-ssrf.yaml" passed!
[✓] Test "fuzz/fuzz-path-sqli.yaml" passed!
[✓] Test "fuzz/fuzz-cookie-error-sqli.yaml" passed!
[✓] Test "fuzz/fuzz-body-json-sqli.yaml" passed!
[✓] Test "fuzz/fuzz-body-multipart-form-sqli.yaml" passed!
[✓] Test "fuzz/fuzz-body-params-sqli.yaml" passed!
[✓] Test "fuzz/fuzz-body-xml-sqli.yaml" passed!
[✓] Test "fuzz/fuzz-body-generic-sqli.yaml" passed!
```
Fuzz templates require -fuzz flag
```
$ ./nuclei -u 'https://scanme.sh/?url=https://pd.io' -t ~/fuzzing-templates/lfi/linux-lfi-fuzz.yaml -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Excluded 1 fuzz template[s] (disabled as default), use -fuzz option to run fuzz templates.
[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan
```
> [!NOTE]
> Currently if input mode is given (i.e. if input is not list but one of the full http request formats) then the `-fuzz` flag is implicitly enabled
Introducing Authenticated Scanning
Static Auth
- Static auth contains api keys, basic auth, bearer token, api-keys etc and all other auths where there is no exchange of secrets but rather they themselves are values that represent state
- Nuclei now supports adding static auth using a `secrets.yaml` file. An example of such would be
```yaml
secrets:
  - type: Headers
    domains:
      - cve.projectdiscovery.io
      - asn.projectdiscovery.io
      - api.projectdiscovery.io
    headers:
      - key: x-pdcp-key
        value: <key-here>
  - type: BearerToken
    domains-regex:
      - .*projectdiscovery.io
    token: <our-jwt-token>
```
For more supported static types see https://github.com/projectdiscovery/nuclei/blob/c88b9b4103127c4d802e15dd79aff94a43991524/pkg/authprovider/authx/testData/secrets.yaml#L1-L37

This secrets.yaml file can now be passed using the `-secrets` flag and nuclei will internally add appropriate session / auth data based on domain and domain-regex before the actual request is sent
```
$ ./nuclei -t cvemap.yaml -V cve-id=CVE-2023-4863 -secrets pd.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[cvemap-cve-data] [http] [info] https://cve.projectdiscovery.io/api/v1/cve/CVE-2023-4863 ["{\"cpe\":{\"cpe\":\"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\",\"vendor\":\"google\",\"product\":\"chrome\"},\"kev\":{\"due_date\":\"2023-10-04\",\"added_date\":\"2023-09-13\"},\"poc\":[{\"url\":\"https://news.ycombinator.com/item?id=37478403\",\"source\":\"NVD\"},{\"url\":\"https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/\",\"source\":\"NVD\"},{\"url\":\"https://github.com/alsaeroth/CVE-2023-4863-POC\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2024-02-07T06:58:16Z\"},{\"url\":\"https://github.com/Microsvuln/CVE-2023-4863\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2024-02-03T12:27:37Z\"},{\"url\":\"https://github.com/caoweiquan322/NotEnough\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2023-12-19T01:32:45Z\"},{\"url\":\"https://github.com/LiveOverflow/webp-CVE-2023-4863\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2023-12-18T23:12:25Z\"},{\"url\":\"https://github.com/murphysecurity/libwebp-checker\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2023-10-05T03:28:23Z\"},{\"url\":\"https://github.com/GTGalaxi/ElectronVulnerableVersion\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2023-09-30T02:47:16Z\"},{\"url\":\"https://github.com/OITApps/Find-VulnerableElectronVersion\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2023-09-29T00:42:37Z\"},{\"url\":\"https://github.com/talbeerysec/BAD-WEBP-CVE-2023-4863\",\"source\":\"gh-nomi-sec\",\"added_at\":\"2023-09-25T22:10:32Z\"}],\"epss\":{\"epss_score\":0.46026,\"epss_percentile\":0.97319},\"cve_id\":\"CVE-2023-4863\",\"is_oss\":false,\"is_poc\":true,\"assignee\":\"[email protected]\",\"severity\":\"high\",\"hackerone\":{\"rank\":1351,\"count\":2},\"is_remote\":true,\"patch_url\":[\"https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a\",\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863\"],\"reference\":[\"http://www.openwall.com/lists/oss-security/2023/09/21/4\",\"http://www.openwall.com/lists/oss-security/2023/09/22/1\",\"http://www.openwall.com/lists/oss-security/2023/09/22/3\",\"http://www.openwall.com/lists/oss-security/2023/09/22/4\",\"http://www.openwall.com/lists/oss-security/2023/09/22/5\",\"http://www.openwall.com/lists/oss-security/2023/09/22/6\",\"http://www.openwall.com/lists/oss-security/2023/09/22/7\",\"http://www.openwall.com/lists/oss-security/2023/09/22/8\",\"http://www.openwall.com/lists/oss-security/2023/09/26/1\",\"http://www.openwall.com/lists/oss-security/2023/09/26/7\"],\"cvss_score\":8.8,\"updated_at\":\"2024-01-07T11:15:13.650\",\"weaknesses\":[{\"cwe_id\":\"CWE-787\",\"cwe_name\":\"Out-of-bounds Write\"}],\"age_in_days\":170,\"is_template\":false,\"vuln_status\":\"modified\",\"cvss_metrics\":{\"cvss31\":{\"score\":8.8,\"vector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"severity\":\"high\"}},\"is_exploited\":true,\"published_at\":\"2023-09-12T15:15:24.327\",\"vulnerable_cpe\":[\"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\",\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*\",\"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*\",\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*\",\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\",\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*\",\"cpe:2.3:a:webmproject:libwebp:*:*:*:*:*:*:*:*\"],\"cve_description\":\"Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)\",\"vendor_advisory\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863\"}"]
```
This is just with one template and can be run on any number of templates without any modification in templates or need for a workflow (currently limited to http but will be extended to other protocols as well)
Example Template
```yaml
id: cvemap-cve-data
info:
  name: cvemap cve data
  author: pdteam
  severity: info
  description: |
    get cve details from cvemap
self-contained: true
http:
  - raw:
      - |
        @Host: https://cve.projectdiscovery.io
        GET /api/v1/cve/{{cve-id}} HTTP/1.1
        Host: cve.projectdiscovery.io
    matchers:
      - type: status
        status:
          - 200
    extractors:
      - type: dsl
        dsl:
          - body
```
Dynamic Auth
- Dynamic Auth is similar to static auth but the actual or final secrets are obtained after a http request or flow is completed; an example of this would be an oauth login flow, sso, getting a session cookie after submitting json username and password etc.
- This auth type is also now supported leveraging existing nuclei-templates. The format to specify dynamic auth in the `secrets.yaml` file is similar to static auth and it takes 2-3 extra fields like `template-path`, `variables` etc.
- This format/data is written in the same file as static auth but under a different parent block `dynamic`. For example, below is a sequence/definition for wordpress login which can be specified in secrets.yaml
```yaml
dynamic:
  - template-path: wp-login.yaml
    input: http://localhost:8080/
    variables:
      - key: username
        value: pdteam
      - key: password
        value: nuclei-v3.2.0
    type: Cookies
    domains:
      - localhost:8080
    cookies:
      - raw: "{{wp-global-cookie}}"
      - raw: "{{wp-admin-cookie}}"
      - raw: "{{wp-plugin-cookie}}"
```
- This dynamic auth has lazy fetching logic, i.e. it is only used/fetched if domain-regex or domain matched on a target (basically on-demand use).
- In the above format almost all variables are the same, with additional ones like `template-path`, `input` (optional), `variables`.
- Variables and input are passed to the template and the template is executed, and all dynamic + named extracted values are available for replacement in auth format fields like headers, query, cookies (in this case) etc.
- With this methodology existing default-login templates can be reused for auth and others can be written leveraging all capabilities of nuclei-templates (headless, flow, js etc). With this there is no need for adopting a new `sequence / login recorder` method as the same is expressed in a nuclei-template here
Login Template
```yaml
id: wordpress-login
info:
  name: WordPress Login
  author: pdteam
  severity: info
  description: |
    WordPress Login template to use in workflows for authenticated wordpress testing.
  reference:
    - https://nuclei.projectdiscovery.io/templating-guide/workflows/#shared-execution-context
  tags: wordpress,login
requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302
      - type: word
        part: header
        words:
          - '/wp-admin'
          - 'wordpress_logged_in'
        condition: and
    extractors:
      - type: regex
        name: wp-plugin-cookie
        part: header
        internal: true
        regex:
          - "Set-Cookie: .+?; path=/wp-content/plugins; HttpOnly"
      - type: regex
        name: wp-admin-cookie
        part: header
        internal: true
        regex:
          - "Set-Cookie: .+?; path=/wp-admin; HttpOnly"
      - type: regex
        name: wp-global-cookie
        part: header
        internal: true
        regex:
          - "Set-Cookie: .+?; path=/; HttpOnly"
```
example run
```
$ ./nuclei -u http://localhost:8080/ -tags wordpress -secrets dynamic.yaml -c 500 -stats

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 49
[INF] Templates loaded for current scan: 943
[INF] Executing 943 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 16 (Reduced 10 Requests)
[INF] Using Interactsh Server: oast.me
[wordpress-login] [http] [info] http://localhost:8080/wp-login.php
[wordpress-readme-file] [http] [info] http://localhost:8080/readme.html
[wordpress-detect:version_by_js] [http] [info] http://localhost:8080/ ["6.4.3"]
[wp-user-enum:usernames] [http] [low] http://localhost:8080/?rest_route=/wp/v2/users/ ["pdteam"]
[CVE-2017-5487:usernames] [http] [medium] http://localhost:8080/?rest_route=/wp/v2/users/ ["pdteam"]
...
```
Updated ( Final) secrets file structure
```yaml
id: pd-nuclei-auth-test
info:
  name: ProjectDiscovery Test Dev Servers
  author: pdteam
  description: |
    This is a auth file for ProjectDiscovery dev servers.
    It contains auth data of all projectdiscovery dev servers.
# Note: this is a dummy example file. none of the secrets here are real.

# static secrets
static:
  # for header based auth session
  - type: header
    domains:
      - api.projectdiscovery.io
      - cve.projectdiscovery.io
      - chaos.projectdiscovery.io
    headers:
      - key: x-pdcp-key
        value: <api-key-here>
  # for query based auth session
  - type: Query
    domains:
      - scanme.sh
    params:
      - key: token
        value: 1a2b3c4d5e6f7g8h9i0j
  # for cookie based auth session
  - type: Cookie
    domains:
      - scanme.sh
    cookies:
      - key: PHPSESSID
        value: 1a2b3c4d5e6f7g8h9i0j
  # for basic auth session
  - type: BasicAuth
    domains:
      - scanme.sh
    username: test
    password: test
  # for authorization bearer token
  - type: BearerToken
    domains-regex:
      - .*scanme.sh
      - .*pdtm.sh
    token: test

# dynamic secrets (powered by nuclei-templates)
dynamic:
  - template-path: /path/to/wordpress-login.yaml
    variables:
      - name: username
        value: pdteam
      - name: password
        value: nuclei-v3.2.0
    type: Cookie
    domains:
      - localhost:8080
    cookies:
      - raw: "{{wp-global-cookie}}"
      - raw: "{{wp-admin-cookie}}"
      - raw: "{{wp-plugin-cookie}}"
```
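The domain matching and on-demand application that the `static` block above describes, as an added Go example (not nuclei's code and not part of this PR): each entry is matched against the target host by an exact `domains` entry or by a `domains-regex` pattern, and only matching entries modify the outgoing request. It reads a JSON rendering of the block (constructed here, since the Go standard library has no YAML parser); the names `LoadSecrets`, `Matches`, `Apply` and `Authenticate`, the case-insensitive handling of `type`, and the rule that a later matching entry overrides an earlier one's `Authorization` header are assumptions of this example rather than documented nuclei behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// SampleSecrets is a constructed JSON rendering of the "static" block above; JSON only
// because the standard library has no YAML parser (encoding/json maps the lower-case
// keys onto the struct fields case-insensitively).
const SampleSecrets = `{"static": [
  {"type": "header", "domains": ["api.projectdiscovery.io", "cve.projectdiscovery.io"],
   "headers": [{"key": "x-pdcp-key", "value": "<api-key-here>"}]},
  {"type": "Query", "domains": ["scanme.sh"], "params": [{"key": "token", "value": "1a2b3c4d5e6f7g8h9i0j"}]},
  {"type": "Cookie", "domains": ["scanme.sh"], "cookies": [{"key": "PHPSESSID", "value": "1a2b3c4d5e6f7g8h9i0j"}]},
  {"type": "BasicAuth", "domains": ["scanme.sh"], "username": "test", "password": "test"},
  {"type": "BearerToken", "domains-regex": [".*scanme.sh", ".*pdtm.sh"], "token": "test"}]}`

// KV is one key/value pair from a headers, params or cookies list.
type KV struct{ Key, Value string }

// StaticSecret mirrors one entry of the static block; fields a type does not use stay empty.
type StaticSecret struct {
	Type, Username, Password, Token string
	Domains                         []string
	DomainsRegex                    []string `json:"domains-regex"`
	Headers, Params, Cookies        []KV
}

// LoadSecrets parses the static block of a secrets file (the dynamic block is ignored here).
func LoadSecrets(data []byte) ([]StaticSecret, error) {
	var f struct{ Static []StaticSecret }
	err := json.Unmarshal(data, &f)
	return f.Static, err
}

// Matches compares the request host ("host" or "host:port", exactly as written under
// domains) against the exact list, then against domains-regex as unanchored regexes.
func (s StaticSecret) Matches(host string) bool {
	for _, d := range s.Domains {
		if d == host {
			return true
		}
	}
	for _, re := range s.DomainsRegex {
		if ok, _ := regexp.MatchString(re, host); ok {
			return true
		}
	}
	return false
}

// Apply injects the entry's credential into req according to its type. An unknown type
// is an error, so a typo in the file cannot silently send the request unauthenticated.
func (s StaticSecret) Apply(req *http.Request) error {
	switch strings.ToLower(s.Type) {
	case "header":
		for _, h := range s.Headers {
			req.Header.Set(h.Key, h.Value)
		}
	case "query":
		q := req.URL.Query()
		for _, p := range s.Params {
			q.Set(p.Key, p.Value)
		}
		req.URL.RawQuery = q.Encode()
	case "cookie":
		for _, c := range s.Cookies {
			req.AddCookie(&http.Cookie{Name: c.Key, Value: c.Value})
		}
	case "basicauth":
		req.SetBasicAuth(s.Username, s.Password)
	case "bearertoken":
		req.Header.Set("Authorization", "Bearer "+s.Token)
	default:
		return fmt.Errorf("unsupported static secret type %q", s.Type)
	}
	return nil
}

// Authenticate applies, in file order, every entry whose rules match req and returns how
// many were applied; entries for other domains are never touched (on-demand use).
// Assumption: when two matching entries set the same header (BasicAuth and BearerToken
// on one host here), the later entry wins.
func Authenticate(secrets []StaticSecret, req *http.Request) (applied int, err error) {
	for _, s := range secrets {
		if !s.Matches(req.URL.Host) {
			continue
		}
		if err = s.Apply(req); err != nil {
			return applied, err
		}
		applied++
	}
	return applied, nil
}

func main() {
	secrets, _ := LoadSecrets([]byte(SampleSecrets))
	req, _ := http.NewRequest(http.MethodGet, "https://scanme.sh/api?x=1", nil)
	n, _ := Authenticate(secrets, req)
	fmt.Println(n, "entries applied ->", req.URL.String(), req.Header)
}
```

For the constructed file, a request to `scanme.sh` picks up the query token, the session cookie, and (because the bearer entry comes last) `Authorization: Bearer test`, while a request to `api.projectdiscovery.io` only gets the `x-pdcp-key` header and a request to an unlisted host is left untouched.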
New Changes ( Added OpenAPI Schema File Validation + Variables Support )
If Global Auth Values are not provided in file or via variables
```
$ ./nuclei -l openapi.yaml -im openapi

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[FTL] openapi: missing global auth parameter: X-PDCP-Key
```
If Global Auth is Provided but some required value is missing
```
$ ./nuclei -l openapi.yaml -im openapi -V "X-PDCP-Key=123456780"

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[ERR] openapi: failed to generate requests due to below missing variables
[ERR] id: [GET] /api/v1/cve/{id} : description = CVE ID (ex: CVE-2016-1010)
[FTL] add default/example values in schema file or provide them using -var flag, you can use -skip-format-validation to skip these requests
```
If Global Auth is Provided and we choose to ignore requests with required values
```
$ ./nuclei -l openapi.yaml -im openapi -V "X-PDCP-Key=123456780" -skip-format-validation -t a.yaml -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] skipping [GET] /api/v1/cve/{id} due to missing value (id)
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 82
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] skipping [GET] /api/v1/cve/{id} due to missing value (id)
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/filters
[INF] No results found. Better luck next time!
```
Overriding or Passing Required Values using -V flag
```
$ ./nuclei -l openapi.yaml -im openapi -V "X-PDCP-Key=123456780" -skip-format-validation -t a.yaml -v -V "id=CVE-2023-6448"

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 82
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 2
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/filters
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cve/CVE-2023-6448
[INF] No results found. Better luck next time!
```
New Flag (-required-only)
```
$ ./nuclei -h target-format
Nuclei is a fast, template based vulnerability scanner focusing
on extensive configurability, massive extensibility and ease of use.

Usage:
  ./nuclei [flags]

Flags:
TARGET-FORMAT:
   -im, -input-mode string        mode of input file (list, burp, jsonl, yaml, openapi, swagger) (default "list")
   -ro, -required-only            use only required fields in input format when generating requests
   -sfv, -skip-format-validation  skip format validation (like missing vars) when parsing input file
```
Normal Mode
```
$ ./nuclei -l openapi.yaml -im openapi -V "X-PDCP-Key=123456780" -skip-format-validation -t a.yaml -v -V "id=CVE-2023-6448"

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 82
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 5
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cves/search
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cpes/cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*?product=jira&vendor=atlassian
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cves?assignee=psirt%40adobe.com&cpe.cpe=cpe%3A2.3%3Aa%3Aadobe%3Aacrobat_dc%3A%2A%3A%2A%3A%2A%3A%2A%3Aclassic%3A%2A%3A%2A%3A%2A&cpe.framework=wordpress&cpe.product=acrobat_dc&cpe.vendor=adobe&cve_description=Adobe+Acrobat+and+Reader+versions+2019.010.20069+and+earlier%2C+2019.010.20069+and+earlier%2C+2017.011.30113+and+earlier+version%2C+and+2015.006.30464+and+earlier+have+an+use+after+free+vulnerability.+Successful+exploitation+could+lead+to+arbitrary+code+execution+.&cve_id=CVE-2019-7070&cvss_metrics.cvss2.score=9.3&cvss_metrics.cvss2.severity=critical&cvss_metrics.cvss2.vector=CVSS%3A2.0%2FAV%3AN%2FAC%3AM%2FAu%3AN%2FC%3AC%2FI%3AC%2FA%3AC&cvss_metrics.cvss30.score=8.8&cvss_metrics.cvss30.severity=high&cvss_metrics.cvss30.vector=CVSS%3A3.0%2FAV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AR%2FS%3AU%2FC%3AH%2FI%3AH%2FA%3AH&cvss_metrics.cvss31.score=7&cvss_metrics.cvss31.severity=high&cvss_metrics.cvss31.vector=CVSS%3A3.1%2FAV%3AL%2FAC%3AH%2FPR%3AL%2FUI%3AN%2FS%3AU%2FC%3AH%2FI%3AH%2FA%3AH&cvss_score=8.8&epss.epss_percentile=0.80053&epss.epss_score=0.00826&fields=cve_id%2Ccve_description&hackerone.count=0&is_exploited=true&is_oss=false&is_poc=true&is_remote=true&is_template=false&kev.added_date=2022-04-15T00%3A00%3A00Z&kev.due_date=2022-05-06T00%3A00%3A00Z&limit=100&nuclei_templates.created_at=2020-04-05T23%3A31%3A09%2B05%3A30&nuclei_templates.template_issue=https%3A%2F%2Fgithub.com%2Fprojectdiscovery%2Fnuclei-templates%2Fissues%2F7549&nuclei_templates.template_issue_type=mention&nuclei_templates.template_path=http%2Fcves%2F2019%2FCVE-2019-12314.yaml&nuclei_templates.template_pr=https%3A%2F%2Fgithub.com%2Fprojectdiscovery%2Fnuclei-templates%2Fpull%2F3200&nuclei_templates.template_url=https%3A%2F%2Fcloud.projectdiscovery.io%2Fpublic%2FCVE-2019-12314&nuclei_templates.updated_at=2023-12-29T09%3A30%3A44Z&offset=200&oss.created_at=2009-05-21+01%3A33%3A45+%2B0000+UTC&oss.description=Mirror+of+Apache+ActiveMQ&oss.forks=1407&oss.language=Java&oss.pushed_at=2023-12-12+17%3A51%3A19+%2B0000+UTC&oss.stars=2221&oss.subscribers=200&oss.topics.%24_has=php&oss.updated_at=2023-12-29+09%3A29%3A55+%2B0000+UTC&oss.url=https%3A%2F%2Fgithub.com%2Fapache%2Factivemq&patch_url.%24_has=https%3A%2F%2Fhelpx.adobe.com%2Fsecurity%2Fproducts%2Facrobat%2Fapsb19-07.html&poc.%24.added_at=2019-04-02T12%3A50%3A46Z&poc.%24.source=trickest&poc.%24.url=https%3A%2F%2Fmedium.com%2F%40alt3kx%2Fa-reflected-xss-in-print-archive-system-v2015-release-2-6-cve-2019-10685-b60763b7768b&published_at=2019-05-24T19%3A29%3A02.080&reference.%24_has=https%3A%2F%2Fwww.zerodayinitiative.com%2Fadvisories%2FZDI-19-210%2F&severity=high&shodan.count=150&shodan.query.%24_has=cpe%3A%22cpe%3A2.3%3Aa%3Aadobe%3Acoldfusion%22&sort_asc=age_in_days%2Chackerone.rank&sort_desc=cvss_score&updated_at=2019-08-21T16%3A20%3A31.353&vendor_advisory=https%3A%2F%2Fhelpx.adobe.com%2Fsecurity%2Fproducts%2Facrobat%2Fapsb19-07.html&vuln_status=confirmed&vulnerable_cpe.%24_has=cpe%3A2.3%3Aa%3Aatlassian%3Ajira%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A&weaknesses.%24.cwe_id=CWE-416&weaknesses.%24.cwe_name=Use+After+Free
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/filters
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cve/CVE-2023-6448
[INF] No results found. Better luck next time!
```
Using -required-only mode
```
$ ./nuclei -l openapi.yaml -im openapi -V "X-PDCP-Key=123456780" -skip-format-validation -t a.yaml -v -V "id=CVE-2023-6448" -ro

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 82
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 5
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/filters
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cve/CVE-2023-6448
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cves/search
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cves
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cpes/
[INF] No results found. Better luck next time!
```
New Changes
Improved logging when required vars are missing

```
$ ./nuclei -l openapi.yaml -im openapi -t a.yaml -V X-PDCP-Key=123456 -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] openapi: skipping optional param (limit) in (query) in request [GET] /api/v1/cves due to missing value (limit)
[VER] openapi: skipping optional param (cpe.cpe) in (query) in request [GET] /api/v1/cves due to missing value (cpe.cpe)
[ERR] openapi: Found 1 missing parameters, use -skip-format-validation flag to skip requests or update missing parameters generated in required_openapi_params.yaml file,you can also specify these vars using -var flag in (key=value) format
[VER] openapi: missing params: [id]
```
auto generate / load required openapi variables file in CLI Mode
```
$ cat required_openapi_params.yaml
var:
  - id=
# Optional parameters
# - cpe.cpe=
# - limit=
```
Skipping format validation will use placeholders for known datatypes
```
$ ./nuclei -l openapi.yaml -im openapi -t a.yaml -V X-PDCP-Key=123456 -v -sfv

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.0-dev (development)
[INF] Current nuclei-templates version: v9.7.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 82
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 5
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/filters
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cpes/cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*?product=jira&vendor=atlassian
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cves?assignee=psirt%40adobe.com&cpe.cpe=string&cpe.framework=wordpress&cpe.product=acrobat_dc&cpe.vendor=adobe&cve_description=Adobe+Acrobat+and+Reader+versions+2019.010.20069+and+earlier%2C+2019.010.20069+and+earlier%2C+2017.011.30113+and+earlier+version%2C+and+2015.006.30464+and+earlier+have+an+use+after+free+vulnerability.+Successful+exploitation+could+lead+to+arbitrary+code+execution+.&cve_id=CVE-2019-7070&cvss_metrics.cvss2.score=9.3&cvss_metrics.cvss2.severity=critical&cvss_metrics.cvss2.vector=CVSS%3A2.0%2FAV%3AN%2FAC%3AM%2FAu%3AN%2FC%3AC%2FI%3AC%2FA%3AC&cvss_metrics.cvss30.score=8.8&cvss_metrics.cvss30.severity=high&cvss_metrics.cvss30.vector=CVSS%3A3.0%2FAV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AR%2FS%3AU%2FC%3AH%2FI%3AH%2FA%3AH&cvss_metrics.cvss31.score=7&cvss_metrics.cvss31.severity=high&cvss_metrics.cvss31.vector=CVSS%3A3.1%2FAV%3AL%2FAC%3AH%2FPR%3AL%2FUI%3AN%2FS%3AU%2FC%3AH%2FI%3AH%2FA%3AH&cvss_score=8.8&epss.epss_percentile=0.80053&epss.epss_score=0.00826&fields=cve_id%2Ccve_description&hackerone.count=0&is_exploited=true&is_oss=false&is_poc=true&is_remote=true&is_template=false&kev.added_date=2022-04-15T00%3A00%3A00Z&kev.due_date=2022-05-06T00%3A00%3A00Z&limit=0&nuclei_templates.created_at=2020-04-05T23%3A31%3A09%2B05%3A30&nuclei_templates.template_issue=https%3A%2F%2Fgithub.com%2Fprojectdiscovery%2Fnuclei-templates%2Fissues%2F7549&nuclei_templates.template_issue_type=mention&nuclei_templates.template_path=http%2Fcves%2F2019%2FCVE-2019-12314.yaml&nuclei_templates.template_pr=https%3A%2F%2Fgithub.com%2Fprojectdiscovery%2Fnuclei-templates%2Fpull%2F3200&nuclei_templates.template_url=https%3A%2F%2Fcloud.projectdiscovery.io%2Fpublic%2FCVE-2019-12314&nuclei_templates.updated_at=2023-12-29T09%3A30%3A44Z&offset=0&oss.created_at=2009-05-21+01%3A33%3A45+%2B0000+UTC&oss.description=Mirror+of+Apache+ActiveMQ&oss.forks=1407&oss.language=Java&oss.pushed_at=2023-12-12+17%3A51%3A19+%2B0000+UTC&oss.stars=2221&oss.subscribers=200&oss.topics.%24_has=php&oss.updated_at=2023-12-29+09%3A29%3A55+%2B0000+UTC&oss.url=https%3A%2F%2Fgithub.com%2Fapache%2Factivemq&patch_url.%24_has=https%3A%2F%2Fhelpx.adobe.com%2Fsecurity%2Fproducts%2Facrobat%2Fapsb19-07.html&poc.%24.added_at=2019-04-02T12%3A50%3A46Z&poc.%24.source=trickest&poc.%24.url=https%3A%2F%2Fmedium.com%2F%40alt3kx%2Fa-reflected-xss-in-print-archive-system-v2015-release-2-6-cve-2019-10685-b60763b7768b&published_at=2019-05-24T19%3A29%3A02.080&reference.%24_has=https%3A%2F%2Fwww.zerodayinitiative.com%2Fadvisories%2FZDI-19-210%2F&severity=high&shodan.count=150&shodan.query.%24_has=cpe%3A%22cpe%3A2.3%3Aa%3Aadobe%3Acoldfusion%22&sort_asc=age_in_days%2Chackerone.rank&sort_desc=cvss_score&updated_at=2019-08-21T16%3A20%3A31.353&vendor_advisory=https%3A%2F%2Fhelpx.adobe.com%2Fsecurity%2Fproducts%2Facrobat%2Fapsb19-07.html&vuln_status=confirmed&vulnerable_cpe.%24_has=cpe%3A2.3%3Aa%3Aatlassian%3Ajira%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A&weaknesses.%24.cwe_id=CWE-416&weaknesses.%24.cwe_name=Use+After+Free
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cves/search
[VER] [host-header-injection] Sent HTTP request to https://cve.projectdiscovery.io/api/v1/cve/string
[INF] No results found. Better luck next time!
```
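The missing-variable checks and placeholder behaviour shown in the runs above, as an added Go example (not nuclei's code and not part of this PR) over a small constructed OpenAPI document modelled on the cvemap paths in the logs: a value is taken from `-V`-style variables first, then from the parameter's `example`; a required parameter without a value drops its request unless validation is skipped, in which case every missing value gets a type-based placeholder (`string`, `0`, `false`), while an optional parameter without a value is left out of the query. The names `LoadSpec` and `Validate`, the `placeholders` mapping for number and boolean types, and the exact reporting shape are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// SampleSpec is a constructed, minimal OpenAPI 3 document (JSON form) modelled on
// the cvemap paths in the logs above; it is not the real openapi.yaml used there.
const SampleSpec = `{"paths": {
  "/api/v1/cve/{id}": {"get": {"parameters": [
    {"name": "id", "in": "path", "required": true, "schema": {"type": "string"}}]}},
  "/api/v1/cves": {"get": {"parameters": [
    {"name": "limit", "in": "query", "schema": {"type": "integer"}},
    {"name": "cpe.cpe", "in": "query", "schema": {"type": "string"}},
    {"name": "severity", "in": "query", "schema": {"type": "string"}, "example": "high"}]}},
  "/api/v1/filters": {"get": {}}}}`

// Parameter is the subset of an OpenAPI parameter object this check needs.
type Parameter struct {
	Name     string      `json:"name"`
	In       string      `json:"in"`
	Required bool        `json:"required"`
	Example  interface{} `json:"example"`
	Schema   struct {
		Type string `json:"type"`
	} `json:"schema"`
}

// Spec maps path -> HTTP method -> operation; only the parameter list is modelled.
type Spec struct {
	Paths map[string]map[string]struct {
		Parameters []Parameter `json:"parameters"`
	} `json:"paths"`
}

func LoadSpec(data []byte) (Spec, error) {
	var s Spec
	err := json.Unmarshal(data, &s)
	return s, err
}

// placeholders stand in for known datatypes when validation is skipped (assumed
// mapping; the logs above show "string" and 0). Unknown types fall back to "string".
var placeholders = map[string]string{"integer": "0", "number": "0", "boolean": "false"}

// Validate resolves each parameter from vars (the -V values) first and from its example
// second. It returns the request lines ("METHOD path?query") that can be generated plus
// the required and optional parameter names that had no value. A request with a missing
// required value is dropped unless skipValidation is set, in which case every missing
// value becomes a placeholder; a missing optional value is simply left out of the query.
func Validate(spec Spec, vars map[string]string, skipValidation bool) (requests, missingRequired, missingOptional []string) {
	for path, ops := range spec.Paths {
		for method, op := range ops {
			target, q, skip := path, url.Values{}, false
			for _, p := range op.Parameters {
				val, ok := vars[p.Name]
				if !ok && p.Example != nil {
					val, ok = fmt.Sprint(p.Example), true
				}
				if !ok {
					if p.Required {
						missingRequired = append(missingRequired, p.Name)
					} else {
						missingOptional = append(missingOptional, p.Name)
					}
					if !skipValidation {
						skip = skip || p.Required
						continue
					}
					if val = placeholders[p.Schema.Type]; val == "" {
						val = "string"
					}
				}
				if p.In == "path" {
					target = strings.ReplaceAll(target, "{"+p.Name+"}", val)
				} else {
					q.Set(p.Name, val)
				}
			}
			if skip {
				continue
			}
			if enc := q.Encode(); enc != "" {
				target += "?" + enc
			}
			requests = append(requests, strings.ToUpper(method)+" "+target)
		}
	}
	// Map iteration order is random, so sort every result for stable output.
	sort.Strings(requests)
	sort.Strings(missingRequired)
	sort.Strings(missingOptional)
	return
}

func main() {
	spec, _ := LoadSpec([]byte(SampleSpec))
	req, need, opt := Validate(spec, nil, false)
	fmt.Printf("requests: %v\nmissing required: %v\nmissing optional: %v\n", req, need, opt)
}
```

With no variables the `/api/v1/cve/{id}` request is dropped and `id` is reported as required (with `cpe.cpe` and `limit` as optional, the same split the generated `required_openapi_params.yaml` shows); with validation skipped the path becomes `/api/v1/cve/string` and the query carries `cpe.cpe=string&limit=0`, matching the placeholders visible in the last run above.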