Update Nuclei cascading rule to include protocol information and allow alternative HTTP ports #920
The nuclei rule had problems because it omitted the protocol and port information (#713). This PR splits it into two separate rules, one for http and one for https. This should make it more robust.
An alternative that would only require a single rule would be the following:
However, this would no longer allow us to trigger on alternative HTTP(S) ports like 8080, 8443, etc., since they have alternative service descriptors (http-proxy, ...) which would break the URL when based on {{attributes.service}} as the protocol selector. I thus opted to split it into two separate rules.

Closes #713.
Checklist
npm test runs for the whole project.