Insufficient Fix for #2698

[zy9ard3]

Nuclei version:

latest ==> 2.8.6

Current Behavior :

The fix for #2698 seems insufficient as the engine still encoding some chars like ; and breaking the necessary payloads like ( i.e : xyzwhatever;alert(1) , 1;WAITFOR+DELAY+'0:0:12'-- )

Expected Behavior :

Fix can be enhanced with respect to the below chars like Burpsuite

[tarunKoyalwar]

@zy9ard3 , If you look into URL encoding RFC etc . You will see that ; is reserved character

Reserved  Characters
 ! * ' ( ) ; : @ & = + $ , / ? % # [ ] 

These are reserved characters which are used for parsing urls and other stuff .

• adds url encoders utils#42

Above PR Introduced helper functions and option to only encode given characters (similar to above screenshot) .To implement something like this in nuclei a new field needs to introduced either to template or CLI option and before this PR all characters were url encoded and there weren't any major issues with that behaviour. but still its something worth to investigate and discuss

[tarunKoyalwar]

• reserved characters are not encoded anymore
• #,/,?,= are used as seperators for parsing URLs and cannot be used without encoding in payload

[zy9ard3]

@tarunKoyalwar

Thanks for the Acknowledgement !!

Apart from the above ones, can we use other characters like ; as normal in upcoming releases ???

[tarunKoyalwar]

@zy9ard3 , yes ; and other special chars/symbols , it will also handle non ASCII chars (ex chinese etc) , whitespaces or control characters , If it is a crafted payload (waf bypass with some encoding etc ) . it will not process them/encode and keep it the same.