Closed zecopro closed 2 months ago
False positives are expected; others have also reported it, and it has been known by PD since the beginning.
https://github.com/projectdiscovery/nuclei-templates/pull/9695
I don't understand why this default false-positive template would be executed. In our automated vulnerability check we now have ~40 critical findings, all of which we have to address and argue in the next audit.
./nuclei -t templates/nuclei/dast/vulnerabilities/sqli/time-based-sqli.yaml -u google.com -debug -verbose -dast
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.2.9
projectdiscovery.io
[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.9 (latest)
[INF] Current nuclei-templates version: v9.9.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 164
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [time-based-sqli] Dumped HTTP request for https://google.com
GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[VER] [time-based-sqli] Sent HTTP request to https://google.com
[DBG] [time-based-sqli] Dumped HTTP response https://google.com
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 220
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: public, max-age=2592000
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-22vaOrKsBe9YqfJxWrvr4Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Content-Type: text/html; charset=UTF-8
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Date: Wed, 26 Jun 2024 14:30:24 GMT
Expires: Fri, 26 Jul 2024 14:30:24 GMT
Location: https://www.google.com/
Permissions-Policy: unload=()
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
Server: gws
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
[time-based-sqli:dsl-1] [http] [critical] https://google.com
[VER] [time-based-sqli] fuzz: rule not applicable : rule not applicable : no component matched on this rule
[VER] [time-based-sqli] fuzz: rule not applicable : rule not applicable : no rule was applicable for this request: google.com
Hi @zecopro, Thank you for taking the time to create this issue and for contributing to this project 🍻
I have added dast/vulnerabilities/sqli/time-based-sqli.yaml to the .nuclei-ignore file as it was producing false-positive results; therefore, it will no longer run in the default DAST scan. We will update this once we have SQL injection analyzer support added to Nuclei.
You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.
@princechaddha what are you talking about? Your CEO said Discord is considered an offline place and we should not discuss anything about templates and contributions there... Also I was right about the templates, you just discriminate against us ...
Nuclei Version:
v3.2.9
Template file:
/root/nuclei-templates/dast/vulnerabilities/sqli/time-based-sqli.yaml
Command to reproduce:
nuclei -u http://localhostt:80/exchange/football/event?id=272 -t /root/nuclei-templates/dast/vulnerabilities/sqli/time-based-sqli.yaml -debug -stats -fuzz
Two seconds and it detects SQLi; it should be at least 7 seconds.
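The reporter's closing point, that a response arriving two seconds late should not be reported where a seven-second delay was expected, is a general triage rule for time-based findings. The Python below is an added example, not code from nuclei, from the template, or from anyone in this thread: it re-checks a finding against the target's own baseline latency and only accepts it when every delayed sample exceeds that baseline by roughly the expected delay. The timing values, the 7 s expected delay, the 1 s tolerance, the 3-sample minimum and the naive rule's 2 s threshold are all assumptions made for the example.

```python
"""Triage helper for time-based SQLi findings (added example, not nuclei code)."""
from statistics import median

# Assumed parameters, not taken from the template: the delay the check is
# meant to induce, slack for ordinary network jitter, and how many
# measurements are needed before a verdict is trusted.
EXPECTED_DELAY = 7.0
TOLERANCE = 1.0
MIN_SAMPLES = 3


def single_slow_response(delayed, threshold):
    """Naive rule: flag if any one response took longer than `threshold`.

    This is the behaviour the reporter complains about: one slow response on
    a slow site is enough to raise a critical finding.
    """
    return any(d >= threshold for d in delayed)


def consistent_delay(baseline, delayed, expected=EXPECTED_DELAY,
                     tolerance=TOLERANCE, min_samples=MIN_SAMPLES):
    """Robust rule: compare against the target's own baseline and require
    *every* delayed sample to exceed the baseline median by about `expected`."""
    if len(baseline) < min_samples or len(delayed) < min_samples:
        return False
    base = median(baseline)
    return all(d - base >= expected - tolerance for d in delayed)


def triage(finding):
    """Classify one finding as 'confirmed', 'false-positive' or
    'needs-more-samples'. `finding` holds 'baseline' and 'delayed' lists of
    response times in seconds."""
    baseline, delayed = finding["baseline"], finding["delayed"]
    if len(baseline) < MIN_SAMPLES or len(delayed) < MIN_SAMPLES:
        return "needs-more-samples"
    return "confirmed" if consistent_delay(baseline, delayed) else "false-positive"


# Constructed sample findings (not real scan data).
FINDINGS = {
    # The reporter's case: responses take ~2 s, nowhere near a 7 s sleep.
    "slow-site": {"baseline": [0.4, 0.5, 0.4], "delayed": [2.1, 1.9, 2.3]},
    # A genuine signal: every delayed response is ~7 s above baseline.
    "real-delay": {"baseline": [0.4, 0.5, 0.4], "delayed": [7.4, 7.6, 7.3]},
    # One slow outlier among normal responses: jitter, not an injected sleep.
    "jittery": {"baseline": [0.4, 0.5, 0.4], "delayed": [7.2, 0.5, 0.4]},
    # Only one measurement each: not enough evidence either way.
    "single-shot": {"baseline": [0.4], "delayed": [7.5]},
}


def triage_all(findings=FINDINGS):
    """Run the robust rule over every finding and return name -> verdict."""
    return {name: triage(f) for name, f in findings.items()}


if __name__ == "__main__":
    for name, f in FINDINGS.items():
        naive = single_slow_response(f["delayed"], threshold=2.0)
        print(f"{name:12s} naive={'flag' if naive else 'ok':4s} robust={triage(f)}")
```

Running the script shows the gap between the two rules: the naive check flags the slow site and the jittery target alongside the real one, while the baseline-relative check only confirms the finding whose delay matches what was injected and asks for more samples when there is a single measurement. Feeding it the request timings from a scanner's debug output is a quick way to decide which of a batch of critical findings deserve a ticket.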