Fuzzing additions & enhancements

[Ice3man543]

Proposed changes

• Fixed part: request not working to allow fuzzing all applicable request parts
• Added -dfp flag to display fuzz points

> ./nuclei -dfp -l proxify_logs.yaml -im yaml -t template.yaml  

....
[INF] Fuzz points for sqli-error-based
{
  "cookie": {
    "lang": "es"
  },
  "header": {
    "User-Agent": "curl/8.1.2"
  },
  "path": {
    "value": "/blog/posts"
  }
}
[INF] Fuzz points for sqli-error-based
{
  "body": {
    "age": "20",
    "id": "75",
    "name": "icy",
    "role": "dev"
  },
  "header": {
    "User-Agent": "curl/8.1.2"
  },
  "path": {
    "value": "/user"
  }
}
[sqli-error-based] [http] [critical] http://127.0.0.1:8082/user [body:role] [POST]
[sqli-error-based] [http] [critical] http://127.0.0.1:8082/blog/posts [cookie:lang] [GET]

• Added support for fuzzing nested URL path segments

[INF] [sqli-error-based] Fuzz points for http://127.0.0.1:8082/user/75/profile [GET]
{
  "path": {
    "1": "/user",
    "2": "/user/75",
    "3": "/user/75/profile"
  }
}
[VER] [sqli-error-based] Sent HTTP request to http://127.0.0.1:8082/user'/75/profile
[VER] [sqli-error-based] Sent HTTP request to http://127.0.0.1:8082/user/75'/profile
[sqli-error-based] [http] [critical] http://127.0.0.1:8082/user/75%27/profile [path:/user/75] [GET]

• Added parts to fuzzing templates to allow specifying multiple target parts

    fuzzing:
      - parts:
          - path
          - header
          - cookie
        type: postfix
        mode: single
        fuzz:
          - "{{injection}}"

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

[ehsandeep]

• Misc format update:

[INF] [sqli-error-based] Fuzz points for http://127.0.0.1:8082/user [body:role] [POST]

• allow path to break values by separator and fuzz each separately
• allow part to be customizable with allow and deny and multiple values
• keep track of non matches and allow ignoring values which don't yield issues (example. path parameters after above change etc)

[Ice3man543]

• Added skipping of parameters after certain frequency of no issues found in nuclei fuzzing

❯ ./nuclei -l list.txt -t template.yaml -dast -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.5

                projectdiscovery.io

[INF] Supplied input was automatically deduplicated (1 removed).
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.5 (outdated)
[INF] Current nuclei-templates version: v9.8.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 142
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 12
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/11
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/9'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/4'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/8
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/10
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/5'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/3
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/2
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/7'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/12
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/1'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/6'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/8'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/10'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/5
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/2'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/3'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile/11'
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/4
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/7
[VER] [sqli-error-based] Sent HTTP request to http://localhost:8082/profile'/9
[VER] [sqli-error-based] Skipped /profile from parameter for http://localhost:8082/profile"/9 as found uninteresting 10 times

With input

http://localhost:8082/profile/1
http://localhost:8082/profile/2
http://localhost:8082/profile/3
http://localhost:8082/profile/4
http://localhost:8082/profile/5
http://localhost:8082/profile/6
http://localhost:8082/profile/7
http://localhost:8082/profile/8
http://localhost:8082/profile/9
http://localhost:8082/profile/10
http://localhost:8082/profile/11
http://localhost:8082/profile/12
http://localhost:8082/profile/12

[Ice3man543]

• Added configurable aggression level to fuzzing payloads with fuzz-aggression flag

linux_path:
  low:
    - /etc/passwd
  medium:
    - ../etc/passwd
    - ../../etc/passwd
  high:
    - ../../../etc/passwd
    - ../../../../etc/passwd
    - ../../../../../etc/passwd`

Three agression are supported -

• low
• medium
• high
  low is the default level which is fairly quick. If medium is specified, all templates from
  low and medium are executed. Similarly with high, including all templates
  from low, medium, high.