nuclei

mirror of https://github.com/projectdiscovery/nuclei.git synced 2025-12-17 17:45:28 +00:00

Author	SHA1	Message	Date
Tarun Koyalwar	19247ae74b	Path-Based Fuzzing SQL fix (#6400 ) * setup claude * migrate to using errkit * fix unused imports + lint errors * update settings.json * fix url encoding issue * fix lint error * fix the path fuzzing component * fix lint error	2025-08-25 13:36:58 +05:30
Sandeep Singh	b4644af80a	Lint + test fixes after utils dep update (#6393 ) * fix: remove undefined errorutil.ShowStackTrace * feat: add make lint support and integrate with test * refactor: migrate errorutil to errkit across codebase - Replace deprecated errorutil with modern errkit - Convert error declarations from var to func for better compatibility - Fix all SA1019 deprecation warnings - Maintain error chain support and stack traces * fix: improve DNS test reliability using Google DNS - Configure test to use Google DNS (8.8.8.8) for stability - Fix nil pointer issue in DNS client initialization - Keep production defaults unchanged * fixing logic * removing unwanted branches in makefile --------- Co-authored-by: Mzack9999 <mzack9999@protonmail.com>	2025-08-20 05:28:23 +05:30
Dwi Siswanto	6a6fa4d38f	feat(fuzz): eval variables (#6358 ) * feat(fuzz): eval vars for rule keys & values Signed-off-by: Dwi Siswanto <git@dw1.io> * chore: re-fmt fuzzing/dast errors Signed-off-by: Dwi Siswanto <git@dw1.io> * test(fuzz): adds `TestEvaluateVariables` Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>	2025-08-16 14:41:22 +05:30
HD Moore	5b89811b90	Support concurrent Nuclei engines in the same process (#6322 ) * support for concurrent nuclei engines * clarify LfaAllowed race * remove unused mutex * update LfaAllowed logic to prevent races until it can be reworked for per-execution ID * Update pkg/templates/parser.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * debug tests * debug gh action * fixig gh template test * using atomic * using synclockmap * restore tests concurrency * lint * wiring executionId in js fs --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Mzack9999 <mzack9999@protonmail.com>	2025-07-19 00:10:58 +05:30
HD Moore	6bf3f14798	avoid data races by using request clones	2025-07-15 02:34:29 -05:00
gopherorg	1079498182	refactor: use maps.Copy for cleaner map handling (#6283 ) Signed-off-by: gopherorg <gopherworld@icloud.com>	2025-07-12 02:50:47 +05:30
HD Moore	f26996cb89	Remove singletons from Nuclei engine (continuation of #6210 ) (#6296 ) * introducing execution id * wip * . * adding separate execution context id * lint * vet * fixing pg dialers * test ignore * fixing loader FD limit * test * fd fix * wip: remove CloseProcesses() from dev merge * wip: fix merge issue * protocolstate: stop memguarding on last dialer delete * avoid data race in dialers.RawHTTPClient * use shared logger and avoid race conditions * use shared logger and avoid race conditions * go mod * patch executionId into compiled template cache * clean up comment in Parse * go mod update * bump echarts * address merge issues * fix use of gologger * switch cmd/nuclei to options.Logger * address merge issues with go.mod * go vet: address copy of lock with new Copy function * fixing tests * disable speed control * fix nil ExecuterOptions * removing deprecated code * fixing result print * default logger * cli default logger * filter warning from results * fix performance test * hardcoding path * disable upload * refactor(runner): uses `Warning` instead of `Print` for `pdcpUploadErrMsg` Signed-off-by: Dwi Siswanto <git@dw1.io> * Revert "disable upload" This reverts commit 114fbe6663361bf41cf8b2645fd2d57083d53682. * Revert "hardcoding path" This reverts commit cf12ca800e0a0e974bd9fd4826a24e51547f7c00. --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Mzack9999 <mzack9999@protonmail.com> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>	2025-07-10 01:17:26 +05:30
Dwi Siswanto	87ed0b2bb9	build: bump all direct modules (#6290 ) * chore: fix non-constant fmt string in call Signed-off-by: Dwi Siswanto <git@dw1.io> * build: bump all direct modules Signed-off-by: Dwi Siswanto <git@dw1.io> * chore(hosterrorscache): update import path Signed-off-by: Dwi Siswanto <git@dw1.io> * fix(charts): break changes Signed-off-by: Dwi Siswanto <git@dw1.io> * build: pinned `github.com/zmap/zcrypto` to v0.0.0-20240512203510-0fef58d9a9db Signed-off-by: Dwi Siswanto <git@dw1.io> * chore: golangci-lint auto fixes Signed-off-by: Dwi Siswanto <git@dw1.io> * chore: satisfy lints Signed-off-by: Dwi Siswanto <git@dw1.io> * build: migrate `github.com/xanzy/go-gitlab` => `gitlab.com/gitlab-org/api/client-go` Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(json): update build constraints Signed-off-by: Dwi Siswanto <git@dw1.io> * chore: dont panicking on close err Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>	2025-07-01 00:40:44 +07:00
曹家巧	4ff80784ae	refactor: use the built-in max/min to simplify the code (#6272 ) Signed-off-by: xiaoxiangirl <caojiaqiao@outlook.com>	2025-06-24 05:49:06 +05:30
Nakul Bharti	c242b112cc	fixed hex dump issue (#6273 )	2025-06-19 20:07:59 +05:30
Shubham Rasal	f89a6d33e9	Use proxy for dns and ssl templates (#6255 ) * Use proxy for dns and ssl templates - while using template execute level function we need to override custom dialer * rename overridedialer to customdialer * Add proxy into hash - proxy client is shared between non proxy requests * add dialer into request object - use request.dialer instead of global variable * resolve comments * rename dialer	2025-06-16 22:24:52 +05:30
tongjicoder	3be29abfc9	refactor: use slices.Contains to simplify code Signed-off-by: tongjicoder <tongjicoder@icloud.com>	2025-05-27 17:16:26 +08:00
circleous	b03c30418b	fix: fallback set SNI to host if not specified when using socks proxy (#6218 )	2025-05-15 16:46:49 +05:30
Sandeep Singh	4801cc65ef	feat: fixed max-host-error blocking + progress mismatch + misc (#6193 ) * feat: fixed max-host-error blocking wrong port for template with error * feat: log total results with time taken at end of execution * bugfix: skip non-executed requests with progress in flow protocol * feat: fixed request calculation in http protocol for progress * misc adjustments --------- Co-authored-by: Ice3man <nizamulrana@gmail.com>	2025-05-07 17:22:15 +05:30
Dogan Can Bakir	a9718d3664	set headers for fuzzing request (#5988 ) Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>	2025-03-07 20:54:35 +05:30
Ice3man	5f0b7eb19b	feat: added initial live DAST server implementation (#5772 ) * feat: added initial live DAST server implementation * feat: more logging + misc additions * feat: auth file support enhancements for more complex scenarios + misc * feat: added io.Reader support to input providers for http * feat: added stats db to fuzzing + use sdk for dast server + misc * feat: more additions and enhancements * misc changes to live server * misc * use utils pprof server * feat: added simpler stats tracking system * feat: fixed analyzer timeout issue + missing case fix * misc changes fix * feat: changed the logics a bit + misc changes and additions * feat: re-added slope checks + misc * feat: added baseline measurements for time based checks * chore(server): fix typos Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * fix(templates): potential DOM XSS Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * fix(authx): potential NIL deref Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * feat: misc review changes * removed debug logging * feat: remove existing cookies only * feat: lint fixes * misc * misc text update * request endpoint update * feat: added tracking for status code, waf-detection & grouped errors (#6028) * feat: added tracking for status code, waf-detection & grouped errors * lint error fixes * feat: review changes + moving to package + misc --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> * fix var dump (#5921) * fix var dump * fix dump test * Added filename length restriction for debug mode (-srd flag) (#5931) Co-authored-by: Andrey Matveenko <an.matveenko@vkteam.ru> * more updates * Update pkg/output/stats/waf/waf.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Dogan Can Bakir <65292895+dogancanbakir@users.noreply.github.com> Co-authored-by: 9flowers <51699499+Lercas@users.noreply.github.com> Co-authored-by: Andrey Matveenko <an.matveenko@vkteam.ru> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>	2025-02-13 18:46:28 +05:30
Ice3man	a2c8f1e4cd	feat: added tracking for status code, waf-detection & grouped errors (#6028 ) * feat: added tracking for status code, waf-detection & grouped errors * lint error fixes * feat: review changes + moving to package + misc --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>	2025-02-13 17:13:39 +05:30
Dwi Siswanto	622c5503fa	perf(): replace `encoding/json` w/ `sonic` or `go-json` (fallback) (#6019 ) perf(): replace `encoding/json` w/ sonic Signed-off-by: Dwi Siswanto <git@dw1.io> feat(utils): add `json` pkg (sonic wrapper) Signed-off-by: Dwi Siswanto <git@dw1.io> * chore(): use `sonic` wrapper instead Signed-off-by: Dwi Siswanto <git@dw1.io> chore(): replace `sonic.ConfigStd` -> `json` (wrapper) Signed-off-by: Dwi Siswanto <git@dw1.io> test(model): adjust expected marshal'd JSON Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(json): dynamic backend; `sonic` -> `go-json` (fallback) Signed-off-by: Dwi Siswanto <git@dw1.io> * chore(json): merge config - as its not usable Signed-off-by: Dwi Siswanto <git@dw1.io> * chore(json): rm go version constraints Signed-off-by: Dwi Siswanto <git@dw1.io> * chore: go mod tidy Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>	2025-02-11 03:01:37 +05:30
Sandeep Singh	04db1bb21d	feat: added rebuildGenerators for misc rebuilding (#6037 ) Co-authored-by: Ice3man <nizamulrana@gmail.com>	2025-02-08 21:05:23 +05:30
Dwi Siswanto	052fd8b79a	feat(hosterrorscache): add `Remove` and `MarkFailedOrRemove` methods (#5984 ) * feat(hosterrorscache): add `Remove` and `MarkFailedOrRemove` methods and also deprecating `MarkFailed` Signed-off-by: Dwi Siswanto <git@dw1.io> * refactor(): unwraps `hosterrorscache\.MarkFailed` invocation Signed-off-by: Dwi Siswanto <git@dw1.io> feat(hosterrorscache): add sync in `Check` and `MarkFailedOrRemove` methods * test(hosterrorscache): add concurrent test for `Check` method * refactor(hosterrorscache): do NOT change `MarkFailed` behavior Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(*): use `MarkFailedOrRemove` explicitly Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>	2025-01-31 15:46:57 +05:30
Dogan Can Bakir	525d2caf66	fix unresolved `interactsh-url` for raw http templates (#5938 )	2024-12-24 20:27:13 +05:30
Dwi Siswanto	f21a82aac3	fix(httpclientpool): rebuild malformed Location URL (#5902 ) Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Doğan Can Bakır <dogancanbakir@protonmail.com>	2024-12-19 20:31:41 +05:30
Shubham Rasal	be1f634eae	Add Alive Proxy into Options (#5903 ) * Move proxy variable from global to options - Provides ability to pass diff proxy in single nuclei instance using sdk * add type check (resolve comments)	2024-12-13 04:23:27 +05:30
Ice3man	b046f7686f	feat: Added time based delay analyzer to fuzzing implementation (#5781 ) * feat: added fuzzing output enhancements * changes as requested * misc * feat: added dfp flag to display fuzz points + misc additions * feat: added support for fuzzing nested path segments * feat: added parts to fuzzing requests * feat: added tracking for parameter occurence frequency in fuzzing * added cli flag for fuzz frequency * fixed broken tests * fixed path based sqli integration test * feat: added configurable fuzzing aggression level for payloads * fixed failing test * feat: added analyzers implementation for fuzzing * feat: misc changes to analyzer * feat: misc additions of units + tests fix * misc changes to implementation	2024-11-19 11:51:32 +05:30
Dwi Siswanto	2c832f5590	refactor(vardump): use `godump` lib (#5676 ) * refactor(vardump): use `godump` lib also increate limit char to `255`. Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(vardump): add global var `Limit` Signed-off-by: Dwi Siswanto <git@dw1.io> * chore(protocols): rm newline Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(types): add `VarDumpLimit` option Signed-off-by: Dwi Siswanto <git@dw1.io> * test(vardump): add test cases Signed-off-by: Dwi Siswanto <git@dw1.io> * chore: tidy up mod Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>	2024-10-14 19:31:36 +05:30
Dwi Siswanto	cc5c5509dc	feat: global matchers (#5701 ) * feat: global matchers Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Ice3man543 <ice3man543@users.noreply.github.com> * feat(globalmatchers): make `Callback` as type Signed-off-by: Dwi Siswanto <git@dw1.io> * feat: update `passive` term to `(matchers-)static` Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(globalmatchers): add `origin-template-` event also use `Set` method instead of `maps.Clone` Signed-off-by: Dwi Siswanto <git@dw1.io> feat: update `matchers-static` term to `global-matchers` Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(globalmatchers): clone event before `operator.Execute` Signed-off-by: Dwi Siswanto <git@dw1.io> * fix(tmplexec): don't store `matched` on `global-matchers` templ This will end up generating 2 events from the same `scan.ScanContext` if one of the templates has `global-matchers` enabled. This way, non- `global-matchers` templates can enter the `writeFailureCallback` func to log failure output. Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(globalmatchers): initializes `requests` on `New` Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(globalmatchers): add `hasStorage` method Signed-off-by: Dwi Siswanto <git@dw1.io> * refactor(templates): rename global matchers checks method Signed-off-by: Dwi Siswanto <git@dw1.io> * fix(loader): handle nil `templates.Template` pointer Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Ice3man543 <ice3man543@users.noreply.github.com>	2024-10-14 19:25:46 +05:30
Tarun Koyalwar	1f945d6d50	consider protocolType in max host error (#5668 ) * consider protocolType in max host error * add mutex when updating internal-event	2024-09-28 18:50:35 +05:30
Dwi Siswanto	c9f67897c4	fix(http): prevent `addCNameIfAvailable` from using closed `Dialer` (#5665 ) added a check in `addCNameIfAvailable` to ensure the `Dialer` isnot NIL before attempting to fetch DNS data. this prevents potential panics (ex. SIGSEGV) when the `Dialer` is closed due to an interruption. Signed-off-by: Dwi Siswanto <git@dw1.io>	2024-09-25 22:00:39 +05:30
Ramana Reddy	3d2f31a56f	fix missing template_url for pd signed templates when executed from custom path (#5644 )	2024-09-19 18:58:20 +05:30
mzack9999	5e102b782b	fixing race + nil crash	2024-08-21 16:09:47 +02:00
Doğan Can Bakır	46782ff90c	use sync.Once	2024-08-21 11:26:17 +03:00
Doğan Can Bakır	3064788d35	fix race condition	2024-08-19 23:02:27 +03:00
Ramana Reddy	f29b94521e	fix unresolved variables in dast templates (#5443 ) * fix unresolved variables in dast templates * dedupe interactsh urls * misc update	2024-08-16 18:19:44 +05:30
Dwi Siswanto	1af29f97a9	feat(http): add `skip-secret-file` field (#5522 ) * feat(http): add `BypassSecretFile` field Signed-off-by: Dwi Siswanto <git@dw1.io> * feat(http): conditionally apply auth strategies Signed-off-by: Dwi Siswanto <git@dw1.io> * refactor(http): rename `BypassSecretFile` field to `SkipSecretFile` Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io>	2024-08-16 18:10:48 +05:30
Ramana Reddy	2609d2d135	feat: add support for multiple auth strategies per target from secrets file (#5500 )	2024-08-16 11:59:15 +05:30
Dwi Siswanto	6d325a4ebe	feat(http): assign `customHeaders` to the map directly (#5445 ) also add skip expr if header key is "Host" Signed-off-by: Dwi Siswanto <git@dw1.io>	2024-07-26 22:24:35 +07:00
Mzack9999	bc229a46ca	Merge pull request #5331 from projectdiscovery/use_containsall use `stringsutil.ContainsAll`	2024-07-15 13:21:03 +02:00
Dogan Can Bakir	f080d614c3	introduce timeouts config in types.Options (#5228 ) * introduce timeout variants * update instances and add codeexectimeout * fix test * default to 10s * minor * make timeouts pluggable and rename * remove residual code --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>	2024-07-15 15:57:15 +05:30
mzack	ead444b88b	Merge branch 'dev' into use_containsall	2024-07-12 13:05:14 +02:00
Tarun Koyalwar	c9a9bd3bfc	include cname in http output if available (#5389 )	2024-07-10 20:43:22 +05:30
Kristinn Vikar Jónsson	381ebba6a2	Clustering performance improvements (#5319 ) * Clustering performance improvements * IsClusterable filters out beforehand, update test to mirror that * inverse IsClusterable This makes much more sense * HashMap based clustering * furthur improvements to clustering --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>	2024-06-27 13:14:43 +05:30
Doğan Can Bakır	c7006a9168	use `stringsutil.ContainsAll`	2024-06-25 12:26:18 +03:00
Mzack9999	52975373ff	Merge branch 'dev' into feat-4808-planner	2024-06-13 17:19:43 +02:00
Ice3man	9f3f7fce06	Fuzzing additions & enhancements (#5139 ) * feat: added fuzzing output enhancements * changes as requested * misc * feat: added dfp flag to display fuzz points + misc additions * feat: added support for fuzzing nested path segments * feat: added parts to fuzzing requests * feat: added tracking for parameter occurence frequency in fuzzing * added cli flag for fuzz frequency * fixed broken tests * fixed path based sqli integration test * feat: added configurable fuzzing aggression level for payloads * fixed failing test	2024-06-11 04:43:46 +05:30
Tarun Koyalwar	8720e4f863	fix panic: ref #5217 (#5230 )	2024-06-02 17:11:56 +05:30
mzack	46e2a54bfe	Merge branch 'dev' into feat-4808-planner	2024-05-25 02:45:54 +02:00
Tarun Koyalwar	23bd0336fb	multiple bug fixes + performance improvements (#5148 ) * prototype errkit * complete errkit implementation * add cause to all timeouts * fix request timeout annotation @timeout * increase responseHeaderTimeout to 8 for stability * rawhttp error related improvements * feat: add port status caching * add port status caching to http * migrate to new utils/errkit * remote dialinterface + error cause * debug dir support using .gitignore debug-* * make nuclei easy to debug * debug dir update .gitignore * temp change (to revert) * Revert "temp change (to revert)" This reverts commit d3131f777713b9f80e2275142e80f36340a76d36. * use available context instead of new one * bump fastdialer * fix hosterrorscache + misc improvements * add 'address' field in error log * fix js vague errors + pgwrap driver * fix max host error + misc updates * update tests as per changes * fix request annotation context * remove closed dialer reference * fix sdk panic issue * bump retryablehttp-go,utils,fastdialer --------- Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>	2024-05-25 00:29:04 +05:30
Mzack9999	4fc16e36e1	Merge branch 'dev' into feat-4808-planner	2024-05-23 09:08:53 +02:00
Ice3man	4170e1cbb8	more goroutine leak fixes to nuclei (#5188 ) * more goroutine leak fixes to nuclei * run only dns templates for test * updated httpx to dev * dep update --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>	2024-05-20 00:48:40 +05:30
Mzack9999	47ca8fe842	fix non gc-able dialer closes #5165	2024-05-15 21:25:40 +02:00

1 2 3

103 Commits