Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fuzzing additions & enhancements #5139

Merged
merged 13 commits into from
Jun 10, 2024
Merged

Fuzzing additions & enhancements #5139

merged 13 commits into from
Jun 10, 2024

Conversation

Ice3man543
Copy link
Member

@Ice3man543 Ice3man543 commented May 3, 2024

Proposed changes

  • Fixed part: request not working to allow fuzzing all applicable request parts
  • Added -dfp flag to display fuzz points
> ./nuclei -dfp -l proxify_logs.yaml -im yaml -t template.yaml  

....
[INF] Fuzz points for sqli-error-based
{
  "cookie": {
    "lang": "es"
  },
  "header": {
    "User-Agent": "curl/8.1.2"
  },
  "path": {
    "value": "/blog/posts"
  }
}
[INF] Fuzz points for sqli-error-based
{
  "body": {
    "age": "20",
    "id": "75",
    "name": "icy",
    "role": "dev"
  },
  "header": {
    "User-Agent": "curl/8.1.2"
  },
  "path": {
    "value": "/user"
  }
}
[sqli-error-based] [http] [critical] http://127.0.0.1:8082/user [body:role] [POST]
[sqli-error-based] [http] [critical] http://127.0.0.1:8082/blog/posts [cookie:lang] [GET]
  • Added support for fuzzing nested URL path segments
[INF] [sqli-error-based] Fuzz points for http://127.0.0.1:8082/user/75/profile [GET]
{
  "path": {
    "1": "/user",
    "2": "/user/75",
    "3": "/user/75/profile"
  }
}
[VER] [sqli-error-based] Sent HTTP request to http://127.0.0.1:8082/user'/75/profile
[VER] [sqli-error-based] Sent HTTP request to http://127.0.0.1:8082/user/75'/profile
[sqli-error-based] [http] [critical] http://127.0.0.1:8082/user/75%27/profile [path:/user/75] [GET]
  • Added parts to fuzzing templates to allow specifying multiple target parts
    fuzzing:
      - parts:
          - path
          - header
          - cookie
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@Ice3man543 Ice3man543 marked this pull request as draft May 3, 2024 18:11
Copy link
Member

@ehsandeep ehsandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Misc format update:
[INF] [sqli-error-based] Fuzz points for http://127.0.0.1:8082/user [body:role] [POST]
  • allow path to break values by separator and fuzz each separately
  • allow part to be customizable with allow and deny and multiple values
  • keep track of non matches and allow ignoring values which don't yield issues (example. path parameters after above change etc)

@Ice3man543
Copy link
Member Author

Ice3man543 commented May 7, 2024

  • Added skipping of parameters after certain frequency of no issues found in nuclei fuzzing
./nuclei -l list.txt -t template.yaml -dast -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.5

                projectdiscovery.io

[INF] Supplied input was automatically deduplicated (1 removed).
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.5 (outdated)
[INF] Current nuclei-templates version: v9.8.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 142
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 12
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/11
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/9'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/4'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/8
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/10
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/5'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/3
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/2
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/7'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/12
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/1'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/6'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/8'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/10'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/5
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/2'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/3'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/11'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/4
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/7
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/9
[VER] [sqli-error-based] Skipped /profile from parameter for http://localhost:8082/profile"/9 as found uninteresting 10 times

With input

http://localhost:8082/profile/1
http://localhost:8082/profile/2
http://localhost:8082/profile/3
http://localhost:8082/profile/4
http://localhost:8082/profile/5
http://localhost:8082/profile/6
http://localhost:8082/profile/7
http://localhost:8082/profile/8
http://localhost:8082/profile/9
http://localhost:8082/profile/10
http://localhost:8082/profile/11
http://localhost:8082/profile/12
http://localhost:8082/profile/12

@Ice3man543
Copy link
Member Author

  • Added configurable aggression level to fuzzing payloads with fuzz-aggression flag
linux_path:
  low:
    - /etc/passwd
  medium:
    - ../etc/passwd
    - ../../etc/passwd
  high:
    - ../../../etc/passwd
    - ../../../../etc/passwd
    - ../../../../../etc/passwd`

Three agression are supported -

  • low
  • medium
  • high
    low is the default level which is fairly quick. If medium is specified, all templates from
    low and medium are executed. Similarly with high, including all templates
    from low, medium, high.

@Ice3man543 Ice3man543 marked this pull request as ready for review May 7, 2024 14:03
@Ice3man543 Ice3man543 changed the title Fuzzing additions & enhancements (wip) Fuzzing additions & enhancements May 7, 2024
@Ice3man543 Ice3man543 self-assigned this May 7, 2024
@ehsandeep ehsandeep linked an issue May 24, 2024 that may be closed by this pull request
@ehsandeep ehsandeep merged commit 9f3f7fc into dev Jun 10, 2024
11 of 12 checks passed
@ehsandeep ehsandeep deleted the fuzzing-additions branch June 10, 2024 23:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Fuzzing additions & enhancements
4 participants