Request generation failure when url contains %u encoded patterns #3334

Closed
denizcevik opened this issue Feb 16, 2023 · 2 comments
@denizcevik

Here are the tested environment version details:

Nuclei Engine 2.8.9 (latest)
Nuclei Templates 9.3.7 (latest)

Sample template portion:

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%u002e/WEB-INF/web.xml"

When the defined test pattern is like the above, Nuclei generates the request as below:

GET /https://hostname/%25u002e/WEB-INF/web.xml HTTP/1.1
Host: hostname
User-Agent: Go-http-client/1.1

It seems there is a problem when %u encoded patterns are used.

@ehsandeep ehsandeep transferred this issue from projectdiscovery/nuclei-templates Feb 17, 2023
@tarunKoyalwar tarunKoyalwar self-assigned this Feb 17, 2023
@tarunKoyalwar (Member)

@denizcevik, the URL you mentioned, {{BaseURL}}/%u002e/WEB-INF/web.xml, is not a valid URL, and even the Go standard library does not support it:

package main

import (
	"fmt"
	"net/url"
)

func main() {
	// %u002e is the non-standard %uXXXX form; net/url expects '%' + two hex digits.
	testurl := "https://scanme.sh/%u002e/WEB-INF/web.xml"

	urlx, err := url.Parse(testurl)
	if err != nil {
		// url.Parse rejects the string outright instead of re-encoding it.
		panic(err)
	}
	fmt.Println(urlx.String())
}

$ go run .
panic: parse "https://scanme.sh/%u002e/WEB-INF/web.xml": invalid URL escape "%u0"

goroutine 1 [running]:
main.main()
        /Users/tarun/testing/urllx/main.go:13 +0x8c
exit status 2

Instead of panicking, we escape it in our version of the URL parser. That is why %u002e -> %25u002e.

To summarize:

This is the reason we have the unsafe option in Nuclei templates. It keeps the payload intact even if it is not correct.
https://nuclei.projectdiscovery.io/templating-guide/protocols/http/#unsafe-http-requests

@tarunKoyalwar tarunKoyalwar added Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Question A query or seeking clarification on parts of the spec. Probably doesn't need the attention of all. labels Feb 17, 2023
@tarunKoyalwar (Member)

@denizcevik, refer to #3331 (comment) for detailed URL encoding edge cases and examples. We will also add some notes about URL encoding to the Nuclei docs.

@ehsandeep ehsandeep added this to the nuclei v2.9.0 milestone Feb 25, 2023