Ice3man
5f0b7eb19b
feat: added initial live DAST server implementation ( #5772 )
...
* feat: added initial live DAST server implementation
* feat: more logging + misc additions
* feat: auth file support enhancements for more complex scenarios + misc
* feat: added io.Reader support to input providers for http
* feat: added stats db to fuzzing + use sdk for dast server + misc
* feat: more additions and enhancements
* misc changes to live server
* misc
* use utils pprof server
* feat: added simpler stats tracking system
* feat: fixed analyzer timeout issue + missing case fix
* misc changes fix
* feat: changed the logics a bit + misc changes and additions
* feat: re-added slope checks + misc
* feat: added baseline measurements for time based checks
* chore(server): fix typos
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* fix(templates): potential DOM XSS
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* fix(authx): potential NIL deref
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* feat: misc review changes
* removed debug logging
* feat: remove existing cookies only
* feat: lint fixes
* misc
* misc text update
* request endpoint update
* feat: added tracking for status code, waf-detection & grouped errors (#6028 )
* feat: added tracking for status code, waf-detection & grouped errors
* lint error fixes
* feat: review changes + moving to package + misc
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
* fix var dump (#5921 )
* fix var dump
* fix dump test
* Added filename length restriction for debug mode (-srd flag) (#5931 )
Co-authored-by: Andrey Matveenko <an.matveenko@vkteam.ru>
* more updates
* Update pkg/output/stats/waf/waf.go
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Dogan Can Bakir <65292895+dogancanbakir@users.noreply.github.com>
Co-authored-by: 9flowers <51699499+Lercas@users.noreply.github.com>
Co-authored-by: Andrey Matveenko <an.matveenko@vkteam.ru>
Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>
2025-02-13 18:46:28 +05:30
Ice3man
a2c8f1e4cd
feat: added tracking for status code, waf-detection & grouped errors ( #6028 )
...
* feat: added tracking for status code, waf-detection & grouped errors
* lint error fixes
* feat: review changes + moving to package + misc
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2025-02-13 17:13:39 +05:30
Dwi Siswanto
622c5503fa
perf(*): replace encoding/json w/ sonic or go-json (fallback) ( #6019 )
...
* perf(*): replace `encoding/json` w/ sonic
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(utils): add `json` pkg (sonic wrapper)
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore(*): use `sonic` wrapper instead
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore(*): replace `sonic.ConfigStd` -> `json` (wrapper)
Signed-off-by: Dwi Siswanto <git@dw1.io>
* test(model): adjust expected marshal'd JSON
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(json): dynamic backend; `sonic` -> `go-json` (fallback)
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore(json): merge config - as it's not usable
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore(json): rm go version constraints
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore: go mod tidy
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-02-11 03:01:37 +05:30
Sandeep Singh
04db1bb21d
feat: added rebuildGenerators for misc rebuilding ( #6037 )
...
Co-authored-by: Ice3man <nizamulrana@gmail.com>
2025-02-08 21:05:23 +05:30
Dwi Siswanto
052fd8b79a
feat(hosterrorscache): add Remove and MarkFailedOrRemove methods ( #5984 )
...
* feat(hosterrorscache): add `Remove` and `MarkFailedOrRemove` methods
and also deprecating `MarkFailed`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* refactor(*): unwraps `hosterrorscache\.MarkFailed` invocation
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(hosterrorscache): add sync in `Check` and `MarkFailedOrRemove` methods
* test(hosterrorscache): add concurrent test for `Check` method
* refactor(hosterrorscache): do NOT change `MarkFailed` behavior
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(*): use `MarkFailedOrRemove` explicitly
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-01-31 15:46:57 +05:30
Dogan Can Bakir
525d2caf66
fix unresolved interactsh-url for raw http templates ( #5938 )
2024-12-24 20:27:13 +05:30
Dwi Siswanto
f21a82aac3
fix(httpclientpool): rebuild malformed Location URL ( #5902 )
...
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Doğan Can Bakır <dogancanbakir@protonmail.com>
2024-12-19 20:31:41 +05:30
Shubham Rasal
be1f634eae
Add Alive Proxy into Options ( #5903 )
...
* Move proxy variable from global to options
- Provides ability to pass diff proxy in single nuclei instance using sdk
* add type check (resolve comments)
2024-12-13 04:23:27 +05:30
Ice3man
b046f7686f
feat: Added time based delay analyzer to fuzzing implementation ( #5781 )
...
* feat: added fuzzing output enhancements
* changes as requested
* misc
* feat: added dfp flag to display fuzz points + misc additions
* feat: added support for fuzzing nested path segments
* feat: added parts to fuzzing requests
* feat: added tracking for parameter occurrence frequency in fuzzing
* added cli flag for fuzz frequency
* fixed broken tests
* fixed path based sqli integration test
* feat: added configurable fuzzing aggression level for payloads
* fixed failing test
* feat: added analyzers implementation for fuzzing
* feat: misc changes to analyzer
* feat: misc additions of units + tests fix
* misc changes to implementation
2024-11-19 11:51:32 +05:30
Dwi Siswanto
2c832f5590
refactor(vardump): use godump lib ( #5676 )
...
* refactor(vardump): use `godump` lib
also increase limit char to `255`.
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(vardump): add global var `Limit`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore(protocols): rm newline
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(types): add `VarDumpLimit` option
Signed-off-by: Dwi Siswanto <git@dw1.io>
* test(vardump): add test cases
Signed-off-by: Dwi Siswanto <git@dw1.io>
* chore: tidy up mod
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
2024-10-14 19:31:36 +05:30
Dwi Siswanto
cc5c5509dc
feat: global matchers ( #5701 )
...
* feat: global matchers
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Ice3man543 <ice3man543@users.noreply.github.com>
* feat(globalmatchers): make `Callback` as type
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat: update `passive` term to `(matchers-)static`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): add `origin-template-*` event
also use `Set` method instead of `maps.Clone`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat: update `matchers-static` term to `global-matchers`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): clone event before `operator.Execute`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix(tmplexec): don't store `matched` on `global-matchers` templ
This will end up generating 2 events from the same
`scan.ScanContext` if one of the templates has
`global-matchers` enabled. This way, non-
`global-matchers` templates can enter the
`writeFailureCallback` func to log failure output.
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): initializes `requests` on `New`
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(globalmatchers): add `hasStorage` method
Signed-off-by: Dwi Siswanto <git@dw1.io>
* refactor(templates): rename global matchers checks method
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix(loader): handle nil `templates.Template` pointer
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Ice3man543 <ice3man543@users.noreply.github.com>
2024-10-14 19:25:46 +05:30
Tarun Koyalwar
1f945d6d50
consider protocolType in max host error ( #5668 )
...
* consider protocolType in max host error
* add mutex when updating internal-event
2024-09-28 18:50:35 +05:30
Dwi Siswanto
c9f67897c4
fix(http): prevent addCNameIfAvailable from using closed Dialer ( #5665 )
...
added a check in `addCNameIfAvailable` to ensure
the `Dialer` is not NIL before attempting to fetch
DNS data.
this prevents potential panics (ex. SIGSEGV) when
the `Dialer` is closed due to an interruption.
Signed-off-by: Dwi Siswanto <git@dw1.io>
2024-09-25 22:00:39 +05:30
Ramana Reddy
3d2f31a56f
fix missing template_url for pd signed templates when executed from custom path ( #5644 )
2024-09-19 18:58:20 +05:30
mzack9999
5e102b782b
fixing race + nil crash
2024-08-21 16:09:47 +02:00
Doğan Can Bakır
46782ff90c
use sync.Once
2024-08-21 11:26:17 +03:00
Doğan Can Bakır
3064788d35
fix race condition
2024-08-19 23:02:27 +03:00
Ramana Reddy
f29b94521e
fix unresolved variables in dast templates ( #5443 )
...
* fix unresolved variables in dast templates
* dedupe interactsh urls
* misc update
2024-08-16 18:19:44 +05:30
Dwi Siswanto
1af29f97a9
feat(http): add skip-secret-file field ( #5522 )
...
* feat(http): add `BypassSecretFile` field
Signed-off-by: Dwi Siswanto <git@dw1.io>
* feat(http): conditionally apply auth strategies
Signed-off-by: Dwi Siswanto <git@dw1.io>
* refactor(http): rename `BypassSecretFile` field to `SkipSecretFile`
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
2024-08-16 18:10:48 +05:30
Ramana Reddy
2609d2d135
feat: add support for multiple auth strategies per target from secrets file ( #5500 )
2024-08-16 11:59:15 +05:30
Dwi Siswanto
6d325a4ebe
feat(http): assign customHeaders to the map directly ( #5445 )
...
also add skip expr if header key is "Host"
Signed-off-by: Dwi Siswanto <git@dw1.io>
2024-07-26 22:24:35 +07:00
Mzack9999
bc229a46ca
Merge pull request #5331 from projectdiscovery/use_containsall
...
use `stringsutil.ContainsAll`
2024-07-15 13:21:03 +02:00
Dogan Can Bakir
f080d614c3
introduce timeouts config in types.Options ( #5228 )
...
* introduce timeout variants
* update instances and add codeexectimeout
* fix test
* default to 10s
* minor
* make timeouts pluggable and rename
* remove residual code
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
2024-07-15 15:57:15 +05:30
mzack
ead444b88b
Merge branch 'dev' into use_containsall
2024-07-12 13:05:14 +02:00
Tarun Koyalwar
c9a9bd3bfc
include cname in http output if available ( #5389 )
2024-07-10 20:43:22 +05:30
Kristinn Vikar Jónsson
381ebba6a2
Clustering performance improvements ( #5319 )
...
* Clustering performance improvements
* IsClusterable filters out beforehand, update test to mirror that
* inverse IsClusterable
This makes much more sense
* HashMap based clustering
* further improvements to clustering
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
2024-06-27 13:14:43 +05:30
Doğan Can Bakır
c7006a9168
use stringsutil.ContainsAll
2024-06-25 12:26:18 +03:00
Mzack9999
52975373ff
Merge branch 'dev' into feat-4808-planner
2024-06-13 17:19:43 +02:00
Ice3man
9f3f7fce06
Fuzzing additions & enhancements ( #5139 )
...
* feat: added fuzzing output enhancements
* changes as requested
* misc
* feat: added dfp flag to display fuzz points + misc additions
* feat: added support for fuzzing nested path segments
* feat: added parts to fuzzing requests
* feat: added tracking for parameter occurrence frequency in fuzzing
* added cli flag for fuzz frequency
* fixed broken tests
* fixed path based sqli integration test
* feat: added configurable fuzzing aggression level for payloads
* fixed failing test
2024-06-11 04:43:46 +05:30
Tarun Koyalwar
8720e4f863
fix panic: ref #5217 ( #5230 )
2024-06-02 17:11:56 +05:30
mzack
46e2a54bfe
Merge branch 'dev' into feat-4808-planner
2024-05-25 02:45:54 +02:00
Tarun Koyalwar
23bd0336fb
multiple bug fixes + performance improvements ( #5148 )
...
* prototype errkit
* complete errkit implementation
* add cause to all timeouts
* fix request timeout annotation @timeout
* increase responseHeaderTimeout to 8 for stability
* rawhttp error related improvements
* feat: add port status caching
* add port status caching to http
* migrate to new utils/errkit
* remote dialinterface + error cause
* debug dir support using .gitignore debug-*
* make nuclei easy to debug
* debug dir update .gitignore
* temp change (to revert)
* Revert "temp change (to revert)"
This reverts commit d3131f777713b9f80e2275142e80f36340a76d36.
* use available context instead of new one
* bump fastdialer
* fix hosterrorscache + misc improvements
* add 'address' field in error log
* fix js vague errors + pgwrap driver
* fix max host error + misc updates
* update tests as per changes
* fix request annotation context
* remove closed dialer reference
* fix sdk panic issue
* bump retryablehttp-go,utils,fastdialer
---------
Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>
2024-05-25 00:29:04 +05:30
Mzack9999
4fc16e36e1
Merge branch 'dev' into feat-4808-planner
2024-05-23 09:08:53 +02:00
Ice3man
4170e1cbb8
more goroutine leak fixes to nuclei ( #5188 )
...
* more goroutine leak fixes to nuclei
* run only dns templates for test
* updated httpx to dev
* dep update
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2024-05-20 00:48:40 +05:30
Mzack9999
47ca8fe842
fix non gc-able dialer
...
closes #5165
2024-05-15 21:25:40 +02:00
Mzack9999
9adfc531c7
uniforming sizes with utils
2024-05-15 15:34:59 +02:00
Ice3man
9784ca860a
feat: added fuzzing output enhancements ( #5126 )
...
* feat: added fuzzing output enhancements
* changes as requested
* misc
2024-05-03 18:46:28 +05:30
Tarun Koyalwar
3e54ca54b0
feat: fix utils and add goroutine leak unit tests ( #5112 )
...
* feat: fixed leak
* add go leak unit test in sdk
* added goleak unit tests
* bugfix: add random user agents to fuzzing requests
* misc
* misc
* fix lint + use utils pr + misc
* fix ratelimit memleak in sdk
* close protocolstate shared resources in nuclei sdk/lib
* add missing close references
* ignore read/write loop of intransit connections
* close unnecessary idle conns
* add ignore method
* using fixed utils
* dep update
---------
Co-authored-by: Ice3man <nizamulrana@gmail.com>
Co-authored-by: mzack <marco.rivoli.nvh@gmail.com>
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2024-05-01 00:28:11 +05:30
Dogan Can Bakir
c8cda14e41
remove default val in CLI and increase MaxBodyRead to 10mb ( #5100 )
...
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
2024-04-25 16:28:37 +05:30
Ice3man
0b82e8b7aa
feat: added support for context cancellation to engine ( #5096 )
...
* feat: added support for context cancellation to engine
* misc
* feat: added contexts everywhere
* misc
* misc
* use granular http timeouts and increase http timeout to 30s using multiplier
* track response header timeout in mhe
* update responseHeaderTimeout to 5sec
* skip failing windows test
---------
Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io>
2024-04-25 15:37:56 +05:30
Tarun Koyalwar
3dfcec0a36
missing mhe check in http payloads ( #5099 )
...
* go mod tidy
* fix spm missing hosterrorcheck + improvements
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2024-04-24 19:34:13 +05:30
Dogan Can Bakir
465894df15
disable thread count warning upon validate ( #5078 )
2024-04-23 16:04:52 +05:30
Ramana Reddy
61e9be530f
Fix: skip-variables-check option in self-contained templates ( #5053 )
...
* fix: skip-variables-check option in self-contained templates
* Update build workflow envs
2024-04-23 16:04:32 +05:30
mzack
7e363984b2
Merge branch 'dev' into feat-3072-init-adaptive-speed
2024-04-09 15:19:51 +02:00
Tarun Koyalwar
f159e8fa66
fix dynamic extractor + payloads edgecase by sending req sequentially ( #5016 )
...
* explicitly handle edgecase #4993 instead of hot fix
* fix typo
2024-04-08 22:21:26 +05:30
Ice3man
a844e6f7ab
feat: fixed bug due to parallel auto setting in http ( #4992 )
...
* feat: fixed bug due to parallel auto setting in http
* increased threshold
---------
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2024-04-08 16:04:57 +05:30
Ramana Reddy
8c27ca2591
fix(schema): generation of missing JSON schema definitions ( #4995 )
...
* fix(schema): generation of missing JSON schema definitions
* make headers and data to accept multi-type inputs
* misc update
2024-04-08 03:29:42 +05:30
mzack
af7450737a
making payload concurrency dynamic via direct int change
2024-04-03 23:06:08 +02:00
Mzack9999
a140a4194e
boh - placing resize in wrapped method
2024-04-03 19:40:09 +02:00
Mzack9999
a8d1393e96
init- using resizable components
2024-04-03 17:50:57 +02:00