making ssl errors non fatal (#5203)

* making ssl errors non fatal * adding test
projectdiscovery · May 21, 2024 · f633258 · f633258
1 parent 7a4969d
commit f633258
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 1 deletion.
diff --git a/cmd/integration-test/ssl.go b/cmd/integration-test/ssl.go
@@ -13,6 +13,7 @@ var sslTestcases = []TestCaseInfo{
 	{Path: "protocols/ssl/custom-cipher.yaml", TestCase: &sslCustomCipher{}},
 	{Path: "protocols/ssl/custom-version.yaml", TestCase: &sslCustomVersion{}},
 	{Path: "protocols/ssl/ssl-with-vars.yaml", TestCase: &sslWithVars{}},
+	{Path: "protocols/ssl/multi-req.yaml", TestCase: &sslMultiReq{}},
 }
 
 type sslBasic struct{}
@@ -118,3 +119,23 @@ func (h *sslWithVars) Execute(filePath string) error {
 
 	return expectResultsCount(results, 1)
 }
+
+type sslMultiReq struct{}
+
+func (h *sslMultiReq) Execute(filePath string) error {
+	ts := testutils.NewTCPServer(&tls.Config{}, defaultStaticPort, func(conn net.Conn) {
+		defer conn.Close()
+		data := make([]byte, 4)
+		if _, err := conn.Read(data); err != nil {
+			return
+		}
+	})
+	defer ts.Close()
+
+	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, ts.URL, debug, "-V")
+	if err != nil {
+		return err
+	}
+
+	return expectResultsCount(results, 2)
+}
diff --git a/integration_tests/protocols/ssl/multi-req.yaml b/integration_tests/protocols/ssl/multi-req.yaml
@@ -0,0 +1,34 @@
+id: multi-req
+
+info:
+  name: Multi-Request
+  author: pdteam
+  severity: info
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+    min_version: ssl30
+    max_version: ssl30
+
+    extractors:
+      - type: json
+        json:
+          - " .tls_version"
+
+  - address: "{{Host}}:{{Port}}"
+    min_version: tls10
+    max_version: tls10
+
+    extractors:
+      - type: json
+        json:
+          - " .tls_version"
+
+  - address: "{{Host}}:{{Port}}"
+    min_version: tls11
+    max_version: tls11
+
+    extractors:
+      - type: json
+        json:
+          - " .tls_version"
diff --git a/pkg/tmplexec/multiproto/multi.go b/pkg/tmplexec/multiproto/multi.go
@@ -8,6 +8,8 @@ import (
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/generators"
 	"github.com/projectdiscovery/nuclei/v3/pkg/scan"
+	"github.com/projectdiscovery/nuclei/v3/pkg/templates/types"
+	stringsutil "github.com/projectdiscovery/utils/strings"
 )
 
 // Mutliprotocol is a template executer engine that executes multiple protocols
@@ -110,9 +112,19 @@ func (m *MultiProtocol) ExecuteWithResults(ctx *scan.ScanContext) error {
 
 		values := m.options.GetTemplateCtx(ctx.Input.MetaInput).GetAll()
 		err := req.ExecuteWithResults(ctx.Input, output.InternalEvent(values), nil, multiProtoCallback)
-		// if error skip execution of next protocols
+		// in case of fatal error skip execution of next protocols
 		if err != nil {
+			// always log errors
 			ctx.LogError(err)
+
+			// for some classes of protocols (i.e ssl) errors like tls handshake are a legitimate behavior so we don't stop execution
+			// connection failures are already tracked by the internal host error cache
+			// we use strings comparison as the error is not formalized into instance within the standard library
+			// within a flow instead we consider ssl errors as fatal, since a specific logic was requested
+			if req.Type() == types.SSLProtocol && stringsutil.ContainsAnyI(err.Error(), "protocol version not supported", "could not do tls handshake") {
+				continue
+			}
+
 			return err
 		}
 	}