
Adding support for navigation history to matchers #1432

Merged
merged 4 commits into from
Dec 30, 2021

Conversation

@Mzack9999 Mzack9999 (Member) commented Dec 29, 2021

Proposed changes

This PR adds support for navigation history (HTTP raw request/responses) to matchers

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes - failing on known ones (interactsh)
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

How to reproduce

  1. Use the following template:

```yaml
id: test

info:
  name: test
  author: pdteam
  severity: info
  reference: test
  tags: headless

headless:
  - steps:
      - args:
          url: "{{BaseURL}}/test"
        action: navigate
      - action: waitload
    matchers:
      - type: word
        part: history
        words:
          - "test"
```

  2. Run nuclei with a headless matcher on history:

```
$ echo http://localhost:8000 | go run . -duc -no-interactsh -t headless.yaml -headless

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.8-dev

                projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.8-dev (development)
[INF] Using Nuclei Templates 8.7.9 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 19
[INF] Templates loaded for scan: 1
[2021-12-29 09:55:33] [test] [headless] [info] http://localhost:8000
```

@Mzack9999 Mzack9999 added the Type: Enhancement Most issues will probably ask for additions or changes. label Dec 29, 2021
@Mzack9999 Mzack9999 self-assigned this Dec 29, 2021
@Mzack9999 Mzack9999 linked an issue Dec 29, 2021 that may be closed by this pull request
@Mzack9999 Mzack9999 added the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Dec 29, 2021
@LuitelSamikshya LuitelSamikshya (Contributor) left a comment

Looks good.

@ehsandeep ehsandeep merged commit b0f16b7 into dev Dec 30, 2021
@ehsandeep ehsandeep added Status: Completed Nothing further to be done with this issue. Awaiting to be closed. and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed labels Dec 30, 2021
```go
if respPayloads != nil {
    rawResp.WriteString("HTTP/1.1 ")
    rawResp.WriteString(fmt.Sprint(respPayloads.ResponseCode))
    rawResp.WriteString(" " + respPayloads.ResponsePhrase + "+\n")
```
Contributor
@Mzack9999

I think in the "+\n", the + sign is a mistake.

Also this might be more readable:

```go
rawResp.WriteString(fmt.Sprintf("HTTP/1.1 %d %s\n", respPayloads.ResponseCode, respPayloads.ResponsePhrase))
```

Member Author

> @Mzack9999
>
> I think in the "+\n", the + sign is a mistake.

Nice catch - fixed in #1465

> Also this might be more readable:
>
> ```go
> rawResp.WriteString(fmt.Sprintf("HTTP/1.1 %d %s\n", respPayloads.ResponseCode, respPayloads.ResponsePhrase))
> ```

^ @Ice3man543 - This was implemented as requested in #1432 (comment)

Contributor

I must disagree with that comment. In the original version (which actually coincides with my recommendation ;-) ), it's clearly visible that it describes one HTTP request line. Splitting it into multiple lines not only makes the code longer (without any relevant performance benefit), but clutters the logic and makes it harder to follow.
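The following is an added Go example, not code from this PR or from nuclei: it sketches what the "How to reproduce" template and the reviewed snippet do together. Each navigation step is serialised to raw HTTP/1.1 text (status line built with a single Fprintf, the form suggested in the review, so no stray "+" can follow the reason phrase) and a word matcher is run over the whole history rather than only the final HTML. HistoryEntry, RawHTTP, MatchHistory and SampleHistory are hypothetical names, and the sample history is constructed.

```go
package main

import ("fmt"; "strings")

// HistoryEntry is a constructed stand-in for one navigation step recorded
// by a headless browser; it is not nuclei's own type.
type HistoryEntry struct {
	Method, URL, ResponsePhrase, ResponseBody string
	ResponseCode                              int
	ResponseHeaders                           [][2]string // ordered for deterministic output
}

// RawHTTP serialises one entry as raw HTTP/1.1 text, the form a
// "part: history" word matcher scans. The status line is one Fprintf,
// as suggested in review, so no stray "+" can follow the phrase.
func RawHTTP(e HistoryEntry) string {
	var raw strings.Builder
	fmt.Fprintf(&raw, "%s %s HTTP/1.1\r\n\r\n", e.Method, e.URL)
	fmt.Fprintf(&raw, "HTTP/1.1 %d %s\r\n", e.ResponseCode, e.ResponsePhrase)
	for _, h := range e.ResponseHeaders {
		fmt.Fprintf(&raw, "%s: %s\r\n", h[0], h[1])
	}
	raw.WriteString("\r\n" + e.ResponseBody)
	return raw.String()
}

// MatchHistory runs a word matcher over every entry, not only the final page.
func MatchHistory(history []HistoryEntry, words []string) bool {
	for _, e := range history {
		raw := RawHTTP(e)
		for _, w := range words {
			if strings.Contains(raw, w) {
				return true
			}
		}
	}
	return false
}

// SampleHistory is constructed: a redirect whose X-Backend header carries the
// word "test", followed by a final page that never mentions it.
func SampleHistory() []HistoryEntry {
	return []HistoryEntry{
		{Method: "GET", URL: "/", ResponseCode: 302, ResponsePhrase: "Found",
			ResponseHeaders: [][2]string{{"Location", "/final"}, {"X-Backend", "test-node"}}},
		{Method: "GET", URL: "/final", ResponseCode: 200, ResponsePhrase: "OK",
			ResponseBody: "<html><body>final page</body></html>"},
	}
}
```

A matcher on the final body alone misses the word here; scanning the serialised history finds it in the intermediate response.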

Linked issue (may be closed by this pull request): Headless matchers implementation is limited to final HTML