
Add slow_endpoint_scan module to detect slow HTTP endpoints#1373

Open
Prajwal5755 wants to merge 6 commits into OWASP:master from Prajwal5755:slow-endpoint-module

Conversation

@Prajwal5755

Proposed change

This PR introduces a new module slow_endpoint_scan for detecting slow HTTP endpoints.

The module identifies URLs that take more than 3 seconds to respond. Slow responses may indicate inefficient backend processing, blocking operations, or endpoints vulnerable to resource exhaustion attacks.

The module works by using Nettacker's responsetime condition to detect delayed responses and logs the affected endpoint URLs.

Tested locally using a Flask-based lab environment with intentionally delayed endpoints to verify detection.

Type of change

  • [ ] New core framework functionality
  • [ ] Bugfix (non-breaking change which fixes an issue)
  • [ ] Code refactoring without any functionality changes
  • [x] New or existing module/payload change
  • [ ] Documentation/localization improvement
  • [ ] Test coverage improvement
  • [ ] Dependency upgrade
  • [ ] Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • [ ] I've followed the contributing guidelines
  • [ ] I have digitally signed all my commits in this PR
  • [ ] I've run make pre-commit and confirm it didn't generate any warnings/changes
  • [ ] I've run make test, I confirm all tests passed locally
  • [ ] I've added/updated any relevant documentation in the docs/ folder
  • [ ] I've linked this PR with an open issue
  • [x] I've tested and verified that my code works as intended and resolves the issue as described
  • [x] I have attached screenshots demonstrating my code works as intended
  • [x] I've checked all other open PRs to avoid submitting duplicate work
  • [x] I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • [ ] I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

[Attached image: Screenshot from 2026-03-09 07-35-14]

@coderabbitai

coderabbitai bot commented Mar 8, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds nettacker/modules/scan/slow_endpoint.yaml, a new YAML scan defining slow_endpoint_scan that fuzzes slow-related paths over HTTP/HTTPS (ports 80/443) with a GET step (custom User-Agent, redirects and SSL verification disabled) and flags responses with time >3s and status codes 200/401/403.

Changes

  • Slow Endpoint Scan Configuration (nettacker/modules/scan/slow_endpoint.yaml): Adds slow_endpoint_scan metadata and a single HTTP payload (verification disabled, no proxies). Defines a GET request step with custom User-Agent, redirects/SSL disabled; uses nettacker_fuzzer to generate paths (slow/, slow, delay, timeout, sleep) across http/https on ports 80,443; response criteria require AND of logged URL, response time >3s, URL regex .*, and status codes 200, 401, 403 (reverse: false).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks: 3 passed

  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding a new slow_endpoint_scan module to detect slow HTTP endpoints, which directly matches the changeset.
  • Description check: ✅ Passed. The description is directly related to the changeset, providing context about the slow_endpoint_scan module, its purpose (detecting responses >3 seconds), testing methodology, and evidence of successful testing.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/scan/slow_endpoint.yaml`:
- Around line 23-42: The fuzzer step in slow_endpoint.yaml is generating http://
URLs for port 443 (ssl: false with schema: "http" and ports including 443), so
send_request() never exercises HTTPS endpoints; update the YAML to avoid mixing
http with port 443 by either removing 443 from the ports list for this
nettacker_fuzzer entry (keep only 80) or split into two steps: one entry with
ssl: false/schema:"http"/ports:[80] and a second entry with ssl:
true/schema:"https"/ports:[443]; ensure the nettacker_fuzzer block
(url.nettacker_fuzzer, schema, ports, ssl) is adjusted accordingly so
send_request() receives matching scheme and port combinations.
- Around line 12-16: The transport options (timeout, verify, proxies) are
currently nested under payloads and thus ignored by HttpEngine.run which only
forwards step-level fields into send_request; move timeout: 10, verify: false,
and proxies: "" out of the payloads list to the step-level configuration for
this module (and any other similar blocks at lines 18-24) so HttpEngine.run will
pick them up and send_request receives the intended transport settings; look for
the slow_endpoint.yaml payloads block and update the module-level keys
accordingly, ensuring the library: http payload remains a simple entry with no
transport fields.

ℹ️ Review info: configuration used .coderabbit.yaml, review profile CHILL, plan Pro, run ID 5d0d2093-2e07-4485-b5a0-83b2df31b3ce.

📥 Commits: reviewing files that changed from the base of the PR and between 2310a83 and dcfe66c.

📒 Files selected for processing (1):
  • nettacker/modules/scan/slow_endpoint.yaml

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/scan/slow_endpoint.yaml`:
- Around line 25-27: The input_format is escaping fuzzer variables so
fuzzer_repeater_perform() only sees literal braces; change the YAML value to use
single braces for the fuzzer placeholders so .format(...) can substitute them
(e.g. use "{schema}://{target}:{ports}/{urls}" instead of
"{{schema}}://{target}:{{ports}}/{{urls}}"), and verify the placeholder names
match what fuzzer_repeater_perform() expects.

ℹ️ Review info: configuration used .coderabbit.yaml, review profile CHILL, plan Pro, run ID aad07597-1069-499b-a9b0-ddc45890451a.

📥 Commits: reviewing files that changed from the base of the PR and between dcfe66c and a66066a.

📒 Files selected for processing (1):
  • nettacker/modules/scan/slow_endpoint.yaml
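The brace-escaping finding in this review and the scheme/port finding in the previous one both come down to how the fuzzer template is expanded. The Python below is an added illustration written for this page, not Nettacker's fuzzer or the module's code; the host lab.example, the staged expansion and the list values are assumptions. It shows the str.format behaviour the two reviews disagree over: a doubled-brace template survives a target-only first pass as a single-brace template that a later pass can fill, whereas a single-brace template raises KeyError on that first pass because every field must be supplied at once. It then expands the product of schema, ports and urls the way the walkthrough describes and lists the http-on-443 combinations the earlier review flagged as never exercising TLS.

```python
import itertools
import re

# Constructed templates and fuzzer lists modelled on the YAML discussed in the
# review; lab.example and the list values are assumptions for illustration.
FUZZ_TEMPLATE_DOUBLE = "{{schema}}://{target}:{{ports}}/{{urls}}"
FUZZ_TEMPLATE_SINGLE = "{schema}://{target}:{ports}/{urls}"
FUZZ_DATA = {
    "schema": ["http"],            # fixed to http while ports still include 443
    "ports": [80, 443],
    "urls": ["slow/", "slow", "delay", "timeout", "sleep"],
}


def first_pass(template, target):
    """Substitute only {target}. Doubled braces are str.format escapes, so they
    come out as literal single braces, ready for a later substitution pass."""
    return template.format(target=target)


def staged_format_error(template, target):
    """Return the KeyError text a target-only pass raises, or None if it succeeds.
    A single-brace template cannot be formatted in stages: the first field that
    is not supplied makes str.format raise KeyError."""
    try:
        template.format(target=target)
    except KeyError as exc:
        return str(exc)
    return None


def expand(template, data):
    """Cartesian product of the fuzzer lists substituted into a single-brace
    template, iterating in the order the keys are listed (schema, ports, urls)."""
    keys = list(data)
    urls = []
    for combo in itertools.product(*(data[k] for k in keys)):
        urls.append(template.format(**dict(zip(keys, combo))))
    return urls


def scheme_port_mismatches(urls):
    """URLs whose scheme disagrees with the conventional port: http on 443 or
    https on 80. These are the combinations that never exercise TLS."""
    bad = []
    for u in urls:
        m = re.match(r"^(https?)://[^/:]+:(\d+)/", u)
        if m is None:
            continue
        if (m.group(1), m.group(2)) in (("http", "443"), ("https", "80")):
            bad.append(u)
    return bad


if __name__ == "__main__":
    staged = first_pass(FUZZ_TEMPLATE_DOUBLE, "lab.example")
    print("after target-only pass:", staged)
    print("single-brace template on the same pass raises KeyError for:",
          staged_format_error(FUZZ_TEMPLATE_SINGLE, "lab.example"))
    generated = expand(staged, FUZZ_DATA)
    for u in generated:
        print(u)
    print("scheme/port mismatches:", scheme_port_mismatches(generated))
```

Which template is right therefore depends on how many formatting passes the engine applies to input_format, which is exactly what the two reviews need to agree on before the YAML is changed again.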

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
nettacker/modules/scan/slow_endpoint.yaml (1)

50-52: Consider removing redundant url condition.

The url condition with regex: .* matches any URL and provides no additional filtering. You could simplify the configuration by removing it entirely since condition_type: and would still work with just responsetime and status_code.

Suggested simplification
         response:
           condition_type: and
           log: "response_dependent['url']"
           conditions:
             responsetime: "> 3"
-            url:
-              regex: .*
-              reverse: false
             status_code:
               regex: 200|401|403
               reverse: false
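Review bot: the simplification is correct, since `condition_type: and` with the remaining `responsetime: "> 3"` and `status_code` conditions still requires both to hold and `log: "response_dependent['url']"` still records the endpoint, so nothing the dropped `url: regex: .*` block contributed is lost; the suggestion should however also point out that `"> 3"` is an absolute threshold (in seconds) with no baseline measurement, so a high-latency scanning vantage point will flag every fuzzed path, and that caveat belongs in the module metadata beside the condition.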
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/scan/slow_endpoint.yaml` around lines 50 - 52, The url
condition block (url: regex: .*) is redundant because it matches every URL and
adds no filtering; remove the entire url condition entry so the rule relies only
on the responsetime and status_code conditions under condition_type: and (ensure
you delete the url key and its nested regex/reverse fields and keep responsetime
and status_code intact).

ℹ️ Review info: configuration used .coderabbit.yaml, review profile CHILL, plan Pro, run ID 5bdab786-287c-4ce9-90d5-27a8a22c8a0e.

📥 Commits: reviewing files that changed from the base of the PR and between a66066a and 4df4038.

📒 Files selected for processing (1):
  • nettacker/modules/scan/slow_endpoint.yaml

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
nettacker/modules/scan/slow_endpoint.yaml (2)

14-15: Remove ineffective payload-level settings.

Based on HttpEngine.run() in nettacker/core/lib/http.py:177-180, only step-level keys are passed to send_request(). These payload-level verify and proxies settings are silently ignored. The ssl: false at line 23 already handles SSL verification at the correct level.

♻️ Suggested cleanup
 payloads:
   - library: http
-    verify: false
-    proxies: ""

     steps:
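Review bot: before the payload-level `verify: false` is deleted, the suggestion should confirm that the step-level `ssl: false` it cites is what send_request() consults for certificate verification and not only for scheme selection; if it is not, this cleanup silently turns verification back on and the module would start failing against lab targets that lack a trusted certificate. Removing `proxies: ""` carries no such risk, since per the cited HttpEngine.run() lines the key is ignored today either way.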
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/scan/slow_endpoint.yaml` around lines 14 - 15, The
payload-level keys "verify" and "proxies" in slow_endpoint.yaml are ineffective
because HttpEngine.run() only forwards step-level keys to send_request(); remove
the "verify: false" and "proxies: \"\"" entries from the payload (leaving "ssl:
false" intact) so configuration is not misleading; search for the
slow_endpoint.yaml payload and delete those two keys referencing verify and
proxies.

53-55: Consider expanding status code coverage.

The current regex 200|401|403 excludes other potentially relevant slow responses:

  • 201, 202, 204 (successful but less common)
  • 500, 502, 503 (slow errors may indicate resource exhaustion or DoS surfaces)

A slow 500 response could indicate a vulnerable endpoint that exhausts resources. Consider whether 2\d\d|401|403|5\d\d would be more suitable for comprehensive slow endpoint detection.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/scan/slow_endpoint.yaml` around lines 53 - 55, The
status_code regex under the status_code key currently matches only
"200|401|403", missing other relevant success and error responses; update the
regex to broaden coverage (for example to "2\\d\\d|401|403|5\\d\\d") so the
slow_endpoint detector includes 2xx variants and 5xx server errors; modify the
regex value in slow_endpoint.yaml (the status_code: regex field) accordingly and
ensure the reverse flag remains unchanged.

ℹ️ Review info: configuration used .coderabbit.yaml, review profile CHILL, plan Pro, run ID 94049061-52d1-4f5a-909a-d159d94bd085.

📥 Commits: reviewing files that changed from the base of the PR and between 4df4038 and 7cf5373.

📒 Files selected for processing (1):
  • nettacker/modules/scan/slow_endpoint.yaml
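The PR description, the walkthrough and the status-code nitpick above all describe the same response criteria: an endpoint is reported when its response time exceeds 3 seconds AND its status code matches a regex. The Python below is an added illustration written for this page, not Nettacker's engine or the module's own code; the host lab.example, the timings and the use of re.fullmatch are assumptions. It re-implements that AND evaluation over constructed sample responses and runs both the original `200|401|403` pattern and the broadened `2\d\d|401|403|5\d\d` pattern proposed in review, so the extra slow 5xx endpoint the broader regex surfaces is visible in the output.

```python
import operator
import re

# Constructed observations standing in for what a scan step would record;
# host lab.example and the timings (seconds) are assumptions for illustration.
SAMPLE_RESPONSES = [
    {"url": "http://lab.example:80/slow/",   "status_code": 200, "responsetime": 4.2},
    {"url": "http://lab.example:80/delay",   "status_code": 500, "responsetime": 6.1},
    {"url": "http://lab.example:80/timeout", "status_code": 404, "responsetime": 0.2},
    {"url": "http://lab.example:80/sleep",   "status_code": 403, "responsetime": 3.5},
    {"url": "http://lab.example:80/slow",    "status_code": 200, "responsetime": 0.9},
]

# The module's response criteria as described on the page, and the broadened
# status_code regex proposed in review; the dict layout mirrors the YAML keys.
ORIGINAL_CONDITIONS = {
    "condition_type": "and",
    "conditions": {
        "responsetime": "> 3",
        "status_code": {"regex": r"200|401|403", "reverse": False},
    },
}
BROADENED_CONDITIONS = {
    "condition_type": "and",
    "conditions": {
        "responsetime": "> 3",
        "status_code": {"regex": r"2\d\d|401|403|5\d\d", "reverse": False},
    },
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "==": operator.eq}


def check_responsetime(expr, seconds):
    """Evaluate a threshold expression such as '> 3' against a time in seconds."""
    m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*(\d+(?:\.\d+)?)\s*", expr)
    if m is None:
        raise ValueError(f"unsupported responsetime condition: {expr!r}")
    return _OPS[m.group(1)](seconds, float(m.group(2)))


def check_regex(rule, value):
    """Match the whole value against rule['regex']; rule['reverse'] inverts it.
    fullmatch is this example's choice: it anchors the pattern so an
    alternation like 2\\d\\d cannot match a code embedded in longer text."""
    hit = re.fullmatch(rule["regex"], str(value)) is not None
    return (not hit) if rule.get("reverse", False) else hit


def evaluate(spec, response):
    """Combine the per-condition results with AND or OR as condition_type says."""
    outcomes = []
    for name, rule in spec["conditions"].items():
        if name == "responsetime":
            outcomes.append(check_responsetime(rule, response["responsetime"]))
        else:
            outcomes.append(check_regex(rule, response[name]))
    return all(outcomes) if spec["condition_type"] == "and" else any(outcomes)


def slow_endpoints(spec, responses):
    """Return the URLs that satisfy the spec, i.e. what the module would log."""
    return [r["url"] for r in responses if evaluate(spec, r)]


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL_CONDITIONS),
                        ("broadened", BROADENED_CONDITIONS)):
        print(label, "->", slow_endpoints(spec, SAMPLE_RESPONSES))
```

With the sample data the original criteria report the two slow 200/403 paths only; the broadened regex additionally reports the 6.1 s 500 response, which is the resource-exhaustion signal the nitpick argues should not be discarded.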


In nettacker/modules/scan/slow_endpoint.yaml:

    url:
      nettacker_fuzzer:
        input_format: "{schema}://{target}:{ports}/{urls}"
Contributor

The syntax is wrong, please use {{}} for the "target", "ports" and "urls" fields.

Author

Thanks for pointing this out, I have updated the syntax to use {{}} for the fuzzer variables and pushed the fix.
