[BUG] Nested Variable Substitution Failure in Request Body: unresolved variables found #6129

@MasoudAbdaal

Description

Is there an existing issue for this?

  • I have searched the existing issues.

Current Behavior

The error thrown:

[ASVS-4-0-3-V5-1-1] ASVS 5.1.1 Check (@masoud abdaal) [medium]
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not make http request for https://127.0.0.1:8585/scenario_1: unresolved variables found: parameters,parameters
[WRN] [ASVS-4-0-3-V5-1-1] Could not execute request for https://127.0.0.1:8585/scenario_1: cause="stop execution due to unresolved variables"

Expected Behavior

Requests like these should be sent:

POST /scenario_1 HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

sbzg69=x&sbzg69=Polluted_1

POST /scenario_1 HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

itensPagina=x%26itensPagina=Polluted_2

POST /scenario_1 HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

itembgcol[]=[x,Polluted_1]&itembgcol[]=Polluted_2

POST /scenario_1 HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

sd8p3o[]=x&sd8p3o[]=Polluted_2

Steps To Reproduce

  1. Make a wordlist and set its path in http > payloads > parameters.
  2. Run the template: nuclei.exe -duc -vv -t .\templates\5.1.1.yaml -u https://127.0.0.1:8585/scenario_1 -lfa -debug

The Template Content

id: ASVS-4-0-3-V5-1-1

info:
  name: ASVS 5.1.1 Check
  author: Masoud Abdaal
  severity: medium
  classification:
    cwe-id: CWE-235
  reference:
    - https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
    - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
    - https://swisskyrepo.github.io/PayloadsAllTheThings/HTTP%20Parameter%20Pollution/#parameter-pollution-table
  tags: asvs,5.1.1
  description: |
    Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables).

http:
  - raw:
    - |
      POST {{Path}} HTTP/1.1   # the request line needs a path; {{Path}} is the path of the input URL (/scenario_1 here)
      Host: {{Hostname}}
      Content-Type: application/x-www-form-urlencoded

      {{body_variant}}

    payloads:
      parameters: 'templates/dast/assets/5.1.1Parameters.txt'
      
      body_variant:
        - '{{parameters}}=x&{{parameters}}=Polluted_1'
        - '{{parameters}}[]=x&{{parameters}}=Polluted_2'
        - '{{parameters}}=x&{{parameters}}[]=Polluted_2'
        - '{{parameters}}[]=x&{{parameters}}[]=Polluted_2'
        - '{{parameters}}[]=[x,Polluted_1]&{{parameters}}[]=Polluted_2'
        - '{{parameters}}=x,Polluted_1&{{parameters}}=Polluted_2'
        - '{{parameters}}=x%26{{parameters}}=Polluted_2'
        - '{ "{{parameters}}": "x", "{{parameters}}": "Polluted_1" }'   # JSON body variant; the stray trailing quote after the block scalar is removed

Environment

- OS: Windows
- Nuclei: 3.3.10
- Go: 1.24

Anything else?

I have written the same purpose for a GET request, which, in my opinion, is not qualified nor clean. In my view, DAST and fuzzing should be capable of understanding payload combinations and preprocessing before preparing the HTTP request.
Additionally, I attempted to use a variable as a wordlist input. However, the content of my wordlist does not load properly; instead, it simply replaces the variable with the literal string templates/dast/assets/5.1.1Parameters.txt, which is incorrect!

My GET request template looks like this:

http:
  - method: GET
    path:
      - "{{BaseURL}}?{{parameters}}=x&{{parameters}}=Polluted_1"
      - "{{BaseURL}}?{{parameters}}[]=x&{{parameters}}=Polluted_2"
      - "{{BaseURL}}?{{parameters}}=x&{{parameters}}[]=Polluted_2"
      - "{{BaseURL}}?{{parameters}}[]=x&{{parameters}}[]=Polluted_2"
      - "{{BaseURL}}?{{parameters}}=x, Polluted_1&{{parameters}}=Polluted_2"
      - "{{BaseURL}}?{{parameters}}=x%26{{parameters}}=Polluted_2"
      - "{{BaseURL}}?{{parameters}}[1]=x&{{parameters}}[1]=Polluted_2"

    payloads:
      parameters: 'templates/dast/assets/5.1.1Parameters.txt'
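The preprocessing step the report asks for, as an added illustration and not nuclei's own code: payload values that themselves carry references (body_variant pointing at parameters) are expanded into the full set of request bodies before any request is built, and a reference with no payload set behind it is rejected with the same "unresolved variables found" wording the log shows instead of being sent literally. The function and helper names are this example's own, and the two wordlist entries are constructed stand-ins for a loaded 5.1.1Parameters.txt.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// varRef matches one {{name}} reference inside a request body or payload value.
var varRef = regexp.MustCompile(`\{\{(\w+)\}\}`)

// expandPayloads resolves every {{name}} in s against the payload sets, recursing
// into values that themselves carry references (body_variant -> parameters).
// Within one value every occurrence of a name gets the same wordlist entry, so
// "{{parameters}}=x&{{parameters}}=Polluted_1" targets a single parameter twice.
func expandPayloads(s string, payloads map[string][]string, depth int) ([]string, error) {
	if depth > 8 { // guard against a payload value that references itself
		return nil, fmt.Errorf("payload nesting too deep in %q", s)
	}
	m := varRef.FindStringSubmatch(s)
	if m == nil {
		return []string{s}, nil // fully resolved body
	}
	values, ok := payloads[m[1]]
	if !ok {
		// Same condition nuclei logs; never substitute a literal or send the body.
		return nil, fmt.Errorf("unresolved variables found: %s", m[1])
	}
	var out []string
	for _, v := range values {
		sub, err := expandPayloads(strings.ReplaceAll(s, m[0], v), payloads, depth+1)
		if err != nil {
			return nil, err
		}
		out = append(out, sub...)
	}
	return out, nil
}

// samplePayloads stands in for the template's payload sets: two constructed
// wordlist entries (as if the file had been loaded) and three body variants.
func samplePayloads() map[string][]string {
	return map[string][]string{
		"parameters": {"sbzg69", "itensPagina"},
		"body_variant": {
			"{{parameters}}=x&{{parameters}}=Polluted_1",
			"{{parameters}}[]=x&{{parameters}}=Polluted_2",
			"{{parameters}}=x%26{{parameters}}=Polluted_2",
		},
	}
}
```

Calling expandPayloads("{{body_variant}}", samplePayloads(), 0) yields six bodies, one per (variant, parameter) pair, the first being sbzg69=x&sbzg69=Polluted_1.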

Labels

  • Status: Abandoned (this issue is no longer important to the requestor and no one else has shown an interest in it)
  • Status: Stale (this issue/PR has been inactive for a while and may be closed soon if no further activity occurs)
  • Type: Bug (inconsistencies or issues which will cause an issue or problem for users or implementors)