
bug fix in url path and adds integration tests #3331

Merged
merged 6 commits into from
Feb 20, 2023

Conversation

tarunKoyalwar
Member

@tarunKoyalwar tarunKoyalwar commented Feb 16, 2023

Proposed changes

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@tarunKoyalwar tarunKoyalwar changed the base branch from main to dev February 16, 2023 21:13
@tarunKoyalwar tarunKoyalwar self-assigned this Feb 16, 2023

tarunKoyalwar commented Feb 16, 2023

template used in integration test

```yaml
# Test all unsafe URL Handling Edgecases
requests:
  - raw:
      # relative path without leading slash
      - |+
        GET 1337 HTTP/1.1
        Host: scanme.sh

      # same but with param
      - |+
        GET 1337?with=param HTTP/1.1
        Host: scanme.sh

      # url encoded characters in path
      - |+
        GET /some%0A/%0D HTTP/1.1
        Host: scanme.sh

      # test unsupported chars in path
      - |+
        GET /%20test%0a HTTP/1.1
        Host: scanme.sh

      # test payload integrity params
      - |+
        GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
        Host: scanme.sh

      # test for missing trailing slash
      - |+
        GET /test/..;/..;/ HTTP/1.1
        Host: scanme.sh
        Origin: {{BaseURL}}

    unsafe: true
    matchers:
```


@ehsandeep ehsandeep left a comment


```console
./nuclei -t test.yaml -u http://google.com -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.8.9

		projectdiscovery.io

[INF] Using Nuclei Engine 2.8.9 (latest)
[INF] Using Nuclei Templates 9.3.7 (latest)
[INF] Templates added in last update: 58
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[INF] [C] Dumped HTTP request for http://google.com/1337

GET 1337 HTTP/1.1
Host: google.com

[INF] No results found. Better luck next time!
```

@tarunKoyalwar tarunKoyalwar marked this pull request as draft February 17, 2023 19:42
@tarunKoyalwar tarunKoyalwar linked an issue Feb 17, 2023 that may be closed by this pull request
@tarunKoyalwar tarunKoyalwar changed the title fix extra slash in unsafe request bug fix in url path and adds integration tests Feb 17, 2023
@tarunKoyalwar

@ehsandeep @Mzack9999, all URL encoding edge cases supported and their behaviour are documented in the integration test yaml file along with some explanation at

testcases for unsafe raw requests

```yaml
id: raw-unsafe-path

info:
  name: Test RAW Unsafe Paths
  author: pd-team
  severity: info
  description: >
    - https://github.com/projectdiscovery/nuclei/pull/3211
    - https://github.com/projectdiscovery/nuclei/pull/3127
  reference:
    # adding expected results here for context and debugging
    - "1337"
    - "1337?with=param"
    - "/some%0A/%0D"
    - "/%20test%0a"
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%u2s/%invalid"

# Test all unsafe URL Handling Edgecases
requests:
  - raw:
      # relative path without leading slash
      - |+
        GET 1337 HTTP/1.1
        Host: scanme.sh

      # same but with param
      - |+
        GET 1337?with=param HTTP/1.1
        Host: scanme.sh

      # url encoded characters in path
      - |+
        GET /some%0A/%0D HTTP/1.1
        Host: scanme.sh

      # test unsupported chars in path
      - |+
        GET /%20test%0a HTTP/1.1
        Host: scanme.sh

      # test payload integrity params
      - |+
        GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
        Host: scanme.sh

      # test for missing trailing slash
      - |+
        GET /test/..;/..;/ HTTP/1.1
        Host: scanme.sh
        Origin: {{BaseURL}}

      # test relative path with invalid/corrupted characters
      - |+
        GET /xyz/%u2s/%invalid HTTP/1.1
        Host: scanme.sh

    unsafe: true
    matchers:
      - type: status
        status:
          - 200
```

testcases for other/regular requests

```yaml
id: raw-unsafe-path

info:
  name: Test RAW Unsafe Paths
  author: pd-team
  severity: info
  description: >
    - https://github.com/projectdiscovery/nuclei/pull/3211
    - https://github.com/projectdiscovery/nuclei/pull/3127
  reference:
    # adding expected results here for context and debugging
    - "/1337?with=param"
    - "/some%0A/%0D"
    - "/%73%6f%6d%65%0A/%0D"
    - "/%00test%20"
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%25u2s/%25invalid"
    # duplicating here because same results are expected even if http request is written in different format
    - "/1337?with=param"
    - "/some%0A/%0D"
    - "/%73%6f%6d%65%0A/%0D"
    - "/%00test%20"
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%25u2s/%25invalid"

# Test all templates with FullURLs
requests:
  - raw:
      # relative path without leading slash with param
      # If relative path does not have `/` prefix it is autocorrected
      - |+
        GET 1337?with=param HTTP/1.1
        Host: scanme.sh

      # url encoded characters in path
      - |+
        GET /some%0A/%0D HTTP/1.1
        Host: scanme.sh

      # percent encoded characters in path
      # In URL encoding only key characters are encoded
      # while in percent encoding all characters are url encoded (similar to burp decoder)
      - |+
        GET /%73%6f%6d%65%0A/%0D HTTP/1.1
        Host: scanme.sh

      # test null and % chars in path
      - |+
        GET /%00test%20 HTTP/1.1
        Host: scanme.sh

      # test payload integrity in parameter
      - |+
        GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
        Host: scanme.sh

      # test for missing trailing slash
      - |+
        GET /test/..;/..;/ HTTP/1.1
        Host: scanme.sh
        Origin: {{BaseURL}}

      # test relative path with invalid/corrupted characters
      # In such case instead of error or panic nuclei escaped unsupported character (i.e /xyz/%25u2s/%25invalid)
      # if template requires this condition to not escape unsupported characters. It can only be done in unsafe raw requests
      - |+
        GET /xyz/%u2s/%invalid HTTP/1.1
        Host: scanme.sh

    matchers:
      - type: status
        status:
          - 200

  # Same testcases as mentioned above but in path based request format
  - method: GET
    path:
      - "{{BaseURL}}/1337?with=param"
      - "{{BaseURL}}/some%0A/%0D"
      - "{{BaseURL}}/%73%6f%6d%65%0A/%0D"
      - "{{BaseURL}}/%00test%20"
      - "{{BaseURL}}/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
      - "{{BaseURL}}/test/..;/..;/"
      - "{{BaseURL}}/xyz/%u2s/%invalid"
    matchers:
      - type: status
        status:
          - 200
```
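As an added illustration (not nuclei's own code), the function below models the path handling that the two test templates above document: in unsafe raw requests the path is sent exactly as written, while in regular requests a missing leading slash is added, valid percent escapes are kept without decoding, and a `%` that does not start a valid escape is itself escaped to `%25` rather than causing an error. `NormalizePath` and the exact rule set are assumptions distilled from the expected-results lists, not the engine's implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// isHex reports whether b is an ASCII hexadecimal digit.
func isHex(b byte) bool {
	return (b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')
}

// NormalizePath is an assumed model of the behaviour the PR's test cases
// document, not nuclei's implementation.
//   unsafe=true : the path goes out byte-for-byte as written in the template.
//   unsafe=false: a missing leading "/" is added, valid %XX escapes are kept
//                 without decoding, and a "%" that does not begin a valid
//                 escape is itself escaped to "%25" instead of failing.
func NormalizePath(path string, unsafe bool) string {
	if unsafe {
		return path
	}
	if !strings.HasPrefix(path, "/") {
		path = "/" + path
	}
	var sb strings.Builder
	for i := 0; i < len(path); i++ {
		c := path[i]
		validEscape := i+2 < len(path) && isHex(path[i+1]) && isHex(path[i+2])
		if c == '%' && !validEscape {
			sb.WriteString("%25")
			continue
		}
		sb.WriteByte(c)
	}
	return sb.String()
}

func main() {
	// Constructed inputs mirroring the paths used in the PR's test templates.
	for _, p := range []string{"1337?with=param", "/%00test%20", "/xyz/%u2s/%invalid", "/test/..;/..;/"} {
		fmt.Printf("%-22s unsafe=%-22s regular=%s\n", p, NormalizePath(p, true), NormalizePath(p, false))
	}
}
```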
