url_encode does not encode properly for query parameters or form fields #979
Status: Completed
Nothing further to be done with this issue. Awaiting to be closed.
Describe the bug
The DSL functions url_encode and url_decode are backed by Go's url.PathEscape. As a result, special characters such as & that might be included in attack payloads (e.g. command injection) won't be properly encoded for query parameters or form fields.
Nuclei version
2.4.3
Screenshot of the error or bug
Using a payload such as && cat /etc/passwd inside a command injection template, you might use something like this:
With debug request option on it sends the request:
The payload is not correctly encoded.
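The difference the issue describes, as an added Go example that is not part of the original issue or of Nuclei's code: it encodes the issue's payload with url.PathEscape and with url.QueryEscape, then parses the resulting query string the way a receiving server would. The parameter name cmd and the helper roundTrip are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
)

// roundTrip (hypothetical helper) builds the query string "cmd=<escaped value>"
// with the given escaper and parses it as a server would. It returns the value
// the server sees for "cmd" and how many distinct parameter names it parsed.
func roundTrip(escape func(string) string, value string) (string, int, error) {
	raw := "cmd=" + escape(value)
	parsed, err := url.ParseQuery(raw)
	if err != nil {
		return "", 0, err
	}
	return parsed.Get("cmd"), len(parsed), nil
}

func main() {
	payload := "&& cat /etc/passwd" // payload quoted in the issue

	escapers := []struct {
		name string
		fn   func(string) string
	}{
		// PathEscape targets a path segment: it leaves '&' untouched.
		{"url.PathEscape", url.PathEscape},
		// QueryEscape targets a query component: '&' becomes %26, space becomes '+'.
		{"url.QueryEscape", url.QueryEscape},
	}

	for _, e := range escapers {
		seen, params, err := roundTrip(e.fn, payload)
		if err != nil {
			fmt.Println(e.name, "parse error:", err)
			continue
		}
		fmt.Printf("%-16s encoded=%q\n", e.name, e.fn(payload))
		fmt.Printf("%-16s server sees cmd=%q across %d parameter(s)\n",
			"", seen, params)
	}
}
```

With url.PathEscape the raw ampersands act as parameter separators, so the value of cmd arrives empty and the rest of the payload is parsed as a separate parameter name.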