double url encoding issue in non-unsafe templates #3292

Closed
tarunKoyalwar opened this issue Feb 9, 2023 · 0 comments · Fixed by #3294
@tarunKoyalwar

Nuclei version:

dev | main

Current Behavior:

requests:
  - raw:
    - |+
        GET {{Path}}%0D%0ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
        Connection: close

While running this template, Nuclei double-encodes the payload and dumps the HTTP request below:

[INF] [crlf-injection] Dumped HTTP request for https://example.com/foo/%0D%0ASet-Cookie:crlfinjection=crlfinjection

GET /foo/%250D%250ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Expected Behavior:

  • If possible, Nuclei should avoid double URL-encoding special characters

Anything else:

@tarunKoyalwar tarunKoyalwar added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Feb 9, 2023
@tarunKoyalwar tarunKoyalwar self-assigned this Feb 9, 2023
@tarunKoyalwar tarunKoyalwar linked a pull request Feb 9, 2023 that will close this issue
@ehsandeep ehsandeep added the Status: Completed Nothing further to be done with this issue. Awaiting to be closed. label Feb 10, 2023
@ehsandeep ehsandeep added this to the nuclei v2.8.9 milestone Feb 10, 2023
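
The double encoding seen in the dumped request can be reproduced with a small path encoder. This is an added Go example, not code from Nuclei or from the linked fix #3294; `encodePath` and its `keepEscapes` switch are hypothetical names, and the safe-character set is an assumption based on the RFC 3986 path characters.

```go
package main

import (
	"fmt"
	"strings"
)

const hexDigits = "0123456789ABCDEF"

// isHex reports whether c is an ASCII hexadecimal digit.
func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

// isPathSafe reports whether c may appear unescaped in a URL path (assumed set: RFC 3986 pchar plus '/').
func isPathSafe(c byte) bool {
	if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') {
		return true
	}
	return strings.IndexByte("-._~!$&'()*+,;=:@/", c) >= 0
}

// encodePath percent-encodes unsafe bytes in p. When keepEscapes is false every
// '%' is re-encoded as "%25" (the double encoding in the report); when true, a
// '%' followed by two hex digits is treated as an existing escape and kept.
func encodePath(p string, keepEscapes bool) string {
	var b strings.Builder
	for i := 0; i < len(p); i++ {
		c := p[i]
		switch {
		case c == '%' && keepEscapes && i+2 < len(p) && isHex(p[i+1]) && isHex(p[i+2]):
			b.WriteString(p[i : i+3])
			i += 2
		case isPathSafe(c):
			b.WriteByte(c)
		default:
			b.WriteByte('%')
			b.WriteByte(hexDigits[c>>4])
			b.WriteByte(hexDigits[c&0x0F])
		}
	}
	return b.String()
}

func main() {
	p := "/foo/%0D%0ASet-Cookie:crlfinjection=crlfinjection" // path from the report
	fmt.Println(encodePath(p, false))
	fmt.Println(encodePath(p, true))
}
```

With `keepEscapes` set, the encoder is idempotent: running it over its own output changes nothing, which makes a useful regression check for this class of bug.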