package server
import (
"context"
"net/url"
"path"
"strings"
"github.com/projectdiscovery/gologger"
"github.com/projectdiscovery/nuclei/v3/internal/server/scope"
"github.com/projectdiscovery/nuclei/v3/pkg/input/types"
)
// consumeTaskRequest handles one queued proxy request: it validates the target
// URL, drops non-http(s) schemes, uninteresting file names and out-of-scope
// targets, and then hands the request to the active fuzzer (when a raw request
// is available) or to the passive engine (when a raw response is available).
//
// The queued-endpoints counter is decremented on every exit path; the
// being-tested counter is held only while the request is handed to an engine.
// Every rejection and every engine error is logged at warning level and the
// request is dropped without further signalling to the caller.
func (s *DASTServer) consumeTaskRequest(req PostRequestsHandlerRequest) {
	defer s.endpointsInQueue.Add(-1)

	target, err := url.Parse(req.URL)
	if err != nil {
		gologger.Warning().Msgf("Could not parse url: %s\n", err)
		return
	}

	// Only http and https targets are accepted; any other scheme is dropped.
	switch target.Scheme {
	case "http", "https":
	default:
		gologger.Warning().Msgf("Invalid scheme: %s\n", target.Scheme)
		return
	}

	// Filter on the last path element so that static/uninteresting files are
	// not fuzzed. The root ("/") and an empty basename are always kept.
	base := path.Base(target.Path)
	if base != "/" && base != "" {
		if scope.IsUninterestingPath(base) {
			gologger.Warning().Msgf("Uninteresting path: %s\n", target.Path)
			return
		}
	}

	inScope, err := s.scopeManager.Validate(target)
	switch {
	case err != nil:
		gologger.Warning().Msgf("Could not validate scope: %s\n", err)
		return
	case !inScope:
		gologger.Warning().Msgf("Request is out of scope: %s\n", target.String())
		return
	}

	gologger.Verbose().Msgf("Fuzzing request: %s\n", target.String())

	s.endpointsBeingTested.Add(1)
	defer s.endpointsBeingTested.Add(-1)

	switch {
	case s.nucleiExecutor != nil && req.RawRequest != "":
		// Active mode: the raw request is parsed only to deduplicate; the
		// executor receives the original request as-is.
		parsedReq, parseErr := types.ParseRawRequestWithURL(req.RawRequest, req.URL)
		if parseErr != nil {
			gologger.Warning().Msgf("Could not parse raw request: %s\n", parseErr)
			return
		}
		if s.deduplicator.isDuplicate(parsedReq) {
			gologger.Warning().Msgf("Duplicate request detected: %s %s\n", parsedReq.Request.Method, parsedReq.URL.String())
			return
		}
		if scanErr := s.nucleiExecutor.ExecuteScan(req); scanErr != nil {
			gologger.Warning().Msgf("Could not run nuclei: %s\n", scanErr)
			return
		}

	case s.passiveNuclei != nil && req.RawResponse != "":
		// Passive mode: the engine consumes request and response as one blob
		// separated by a blank line, and each result goes to the output writer.
		pair := strings.Join([]string{req.RawRequest, req.RawResponse}, "\n\n")
		results, execErr := s.passiveNuclei.Execute(context.Background(), pair, req.URL)
		if execErr != nil {
			gologger.Warning().Msgf("Could not run nuclei: %s\n", execErr)
			return
		}
		for _, result := range results {
			if writeErr := s.options.OutputWriter.Write(result); writeErr != nil {
				gologger.Warning().Msgf("Could not write result: %s\n", writeErr)
			}
		}
	}
}