nuclei/docs/template-guide/http/http-fuzzing.mdx

---
title: "HTTP Fuzzing"
---

### HTTP Fuzzing

Nuclei supports fuzzing of HTTP requests based on rules defined in the `fuzzing` section of the HTTP request. This allows creating templates for generic Web Application vulnerabilities like SQLi, SSRF, CMDi, etc without any information of the target like a classic web fuzzer.

#### Part

Part specifies what part of the request should be fuzzed based on the specified rules. Available options for this parameter are - 

1. **query** (`default`) - fuzz query parameters for URL

```yaml
fuzzing:
  - part: query # fuzz parameters in URL query
```

Support will be added for `path`,`header`,`body`,`cookie`, etc parts soon.

#### Type

Type specifies the type of replacement to perform for the fuzzing rule value. Available options for this parameter are - 

1. **replace** (`default`) - replace the value with payload
2. **prefix** - prefix the value with payload
3. **postfix** - postfix the value with payload
4. **infix** - infix the value with payload (place in between)

```yaml
fuzzing:
  - part: query
    type: postfix # Fuzz query and postfix payload to params
```

#### Mode

Mode specifies the mode in which to perform the replacements. Available modes are - 

1. **multiple** (`default`) - replace all values at once
2. **single** - replace one value at a time

```yaml
fuzzing:
  - part: query
    type: postfix
    mode: multiple # Fuzz query postfixing payloads to all parameters at once
```

> **Note**: default values are set/used when other options are not defined.

#### Filters

Multiple filters are supported to restrict the scope of fuzzing to only interesting parameter keys and values. Nuclei HTTP Fuzzing engine converts request parts into Keys and Values which then can be filtered by their related options.

The following filter fields are supported - 

1. **keys** - list of parameter names to fuzz (exact match)
2. **keys-regex** - list of parameter regex to fuzz 
3. **values** - list of value regex to fuzz

These filters can be used in combination to run highly targeted fuzzing based on the parameter input. A few examples of such filtering are provided below.

```yaml
# fuzzing command injection based on parameter name value
fuzzing:
  - part: query
    type: replace
    mode: single
    keys:
      - "daemon"
      - "upload"
      - "dir"
      - "execute"
      - "download"
      - "log"
      - "ip"
      - "cli"
      - "cmd"
```

```yaml
# fuzzing openredirects based on parameter name regex
fuzzing:
  - part: query
    type: replace
    mode: single
    keys-regex:
      - "redirect.*"
```

```yaml
# fuzzing ssrf based on parameter value regex
fuzzing:
  - part: query
    type: replace
    mode: single
    values:
      - "https?://.*"
```

#### Fuzz

Fuzz specifies the values to replace with a `type` for a parameter. It supports payloads, DSL functions, etc and allows users to fully utilize the existing nuclei feature-set for fuzzing purposes.

```yaml
# fuzz section for xss fuzzing with stop-at-first-match
payloads:
  reflection:
    - "6842'\"><9967"
stop-at-first-match: true
fuzzing:
  - part: query
    type: postfix
    mode: single
    fuzz:
      - "{{reflection}}"
```

```yaml
# using interactsh-url placeholder for oob testing
payloads:
  redirect:
    - "{{interactsh-url}}"
fuzzing:
  - part: query
    type: replace
    mode: single
    keys:
      - "dest"
      - "redirect"
      - "uri"
    fuzz:
      - "https://{{redirect}}"
```

```yaml
# using template-level variables for SSTI testing
variables:
  first: "{{rand_int(10000, 99999)}}"
  second: "{{rand_int(10000, 99999)}}"
  result: "{{to_number(first)*to_number(second)}}"

http:
    ...
    payloads:
      reflection:
        - '{{concat("{{", "§first§*§second§", "}}")}}'
    fuzzing:
      - part: query
        type: postfix
        mode: multiple
        fuzz:
          - "{{reflection}}"
```

#### Example **Fuzzing** template

An example sample template for fuzzing XSS vulnerabilities is provided below.

```yaml
id: fuzz-reflection-xss

info:
  name: Basic Reflection Potential XSS Detection
  author: pdteam
  severity: low

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    payloads:
      reflection:
        - "6842'\"><9967"
    stop-at-first-match: true
    fuzzing:
      - part: query
        type: postfix
        mode: single
        fuzz:
          - "{{reflection}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{reflection}}"
      - type: word
        part: header
        words:
          - "text/html"
```

More complete examples are provided [here](/template-example/http/http-fuzzing)
docs migration 2023-08-18 02:43:28 +05:30			`---`
			`title: "HTTP Fuzzing"`
			`---`

			`### HTTP Fuzzing`

			Nuclei supports fuzzing of HTTP requests based on rules defined in the `fuzzing` section of the HTTP request. This allows creating templates for generic Web Application vulnerabilities like SQLi, SSRF, CMDi, etc without any information of the target like a classic web fuzzer.

			`#### Part`

			`Part specifies what part of the request should be fuzzed based on the specified rules. Available options for this parameter are -`

			1. query (`default`) - fuzz query parameters for URL

			```yaml
			`fuzzing:`
			`- part: query # fuzz parameters in URL query`
			```

			Support will be added for `path`,`header`,`body`,`cookie`, etc parts soon.

			`#### Type`

			`Type specifies the type of replacement to perform for the fuzzing rule value. Available options for this parameter are -`

			1. replace (`default`) - replace the value with payload
			`2. prefix - prefix the value with payload`
			`3. postfix - postfix the value with payload`
			`4. infix - infix the value with payload (place in between)`

			```yaml
			`fuzzing:`
			`- part: query`
			`type: postfix # Fuzz query and postfix payload to params`
			```

			`#### Mode`

			`Mode specifies the mode in which to perform the replacements. Available modes are -`

			1. multiple (`default`) - replace all values at once
			`2. single - replace one value at a time`

			```yaml
			`fuzzing:`
			`- part: query`
			`type: postfix`
			`mode: multiple # Fuzz query postfixing payloads to all parameters at once`
			```

			`> Note: default values are set/used when other options are not defined.`

			`#### Filters`

			`Multiple filters are supported to restrict the scope of fuzzing to only interesting parameter keys and values. Nuclei HTTP Fuzzing engine converts request parts into Keys and Values which then can be filtered by their related options.`

			`The following filter fields are supported -`

			`1. keys - list of parameter names to fuzz (exact match)`
			`2. keys-regex - list of parameter regex to fuzz`
			`3. values - list of value regex to fuzz`

			`These filters can be used in combination to run highly targeted fuzzing based on the parameter input. A few examples of such filtering are provided below.`

			```yaml
			`# fuzzing command injection based on parameter name value`
			`fuzzing:`
			`- part: query`
			`type: replace`
			`mode: single`
			`keys:`
			`- "daemon"`
			`- "upload"`
			`- "dir"`
			`- "execute"`
			`- "download"`
			`- "log"`
			`- "ip"`
			`- "cli"`
			`- "cmd"`
			```

			```yaml
			`# fuzzing openredirects based on parameter name regex`
			`fuzzing:`
			`- part: query`
			`type: replace`
			`mode: single`
			`keys-regex:`
			`- "redirect.*"`
			```

			```yaml
			`# fuzzing ssrf based on parameter value regex`
			`fuzzing:`
			`- part: query`
			`type: replace`
			`mode: single`
			`values:`
			`- "https?://.*"`
			```

			`#### Fuzz`

			Fuzz specifies the values to replace with a `type` for a parameter. It supports payloads, DSL functions, etc and allows users to fully utilize the existing nuclei feature-set for fuzzing purposes.

			```yaml
			`# fuzz section for xss fuzzing with stop-at-first-match`
			`payloads:`
			`reflection:`
			`- "6842'\"><9967"`
			`stop-at-first-match: true`
			`fuzzing:`
			`- part: query`
			`type: postfix`
			`mode: single`
			`fuzz:`
			`- "{{reflection}}"`
			```

			```yaml
			`# using interactsh-url placeholder for oob testing`
			`payloads:`
			`redirect:`
			`- "{{interactsh-url}}"`
			`fuzzing:`
			`- part: query`
			`type: replace`
			`mode: single`
			`keys:`
			`- "dest"`
			`- "redirect"`
			`- "uri"`
			`fuzz:`
			`- "https://{{redirect}}"`
			```

			```yaml
			`# using template-level variables for SSTI testing`
			`variables:`
			`first: "{{rand_int(10000, 99999)}}"`
			`second: "{{rand_int(10000, 99999)}}"`
			`result: "{{to_number(first)*to_number(second)}}"`

			`http:`
			`...`
			`payloads:`
			`reflection:`
			`- '{{concat("{{", "§first§*§second§", "}}")}}'`
			`fuzzing:`
			`- part: query`
			`type: postfix`
			`mode: multiple`
			`fuzz:`
			`- "{{reflection}}"`
			```

			`#### Example Fuzzing template`

			`An example sample template for fuzzing XSS vulnerabilities is provided below.`

			```yaml
			`id: fuzz-reflection-xss`

			`info:`
			`name: Basic Reflection Potential XSS Detection`
			`author: pdteam`
			`severity: low`

			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}"`
			`payloads:`
			`reflection:`
			`- "6842'\"><9967"`
			`stop-at-first-match: true`
			`fuzzing:`
			`- part: query`
			`type: postfix`
			`mode: single`
			`fuzz:`
			`- "{{reflection}}"`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "{{reflection}}"`
			`- type: word`
			`part: header`
			`words:`
			`- "text/html"`
			```

			`More complete examples are provided [here](/template-example/http/http-fuzzing)`