projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

time-based-sqli false positive #10129

Closed zecopro closed 2 months ago

zecopro commented 2 months ago

Nuclei Version:

v3.2.9

Template file:

/root/nuclei-templates/dast/vulnerabilities/sqli/time-based-sqli.yaml

Command to reproduce:

nuclei -u http://localhostt:80/exchange/football/event?id=272 -t /root/nuclei-templates/dast/vulnerabilities/sqli/time-based-sqli.yaml -debug -stats -fuzz

Two seconds and it detected SQLi; it should be at least 7 seconds.

[0:00:02] | Templates: 1 | Hosts: 1 | RPS: 4 | Matched: 1 | Errors: 0 | Requests: 7/7 (100%)


mastercho commented 2 months ago

False positives are expected; others have also reported it, and it's been known by PD since the beginning.

https://github.com/projectdiscovery/nuclei-templates/pull/9695

fisehara commented 2 months ago

I don't understand why this default false-positive template would be executed. In our automated vulnerability check we now have ~40 critical findings, that we all have to address and argue in the next audit.

./nuclei -t templates/nuclei/dast/vulnerabilities/sqli/time-based-sqli.yaml -u google.com -debug -verbose -dast

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.9

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.9 (latest)
[INF] Current nuclei-templates version: v9.9.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 164
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [time-based-sqli] Dumped HTTP request for https://google.com

GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[VER] [time-based-sqli] Sent HTTP request to https://google.com
[DBG] [time-based-sqli] Dumped HTTP response https://google.com

HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 220
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: public, max-age=2592000
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-22vaOrKsBe9YqfJxWrvr4Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Content-Type: text/html; charset=UTF-8
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Date: Wed, 26 Jun 2024 14:30:24 GMT
Expires: Fri, 26 Jul 2024 14:30:24 GMT
Location: https://www.google.com/
Permissions-Policy: unload=()
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]}
Server: gws
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
[time-based-sqli:dsl-1] [http] [critical] https://google.com
[VER] [time-based-sqli] fuzz: rule not applicable : rule not applicable : no component matched on this rule
[VER] [time-based-sqli] fuzz: rule not applicable : rule not applicable : no rule was applicable for this request: google.com
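
The two reports above show the same weakness from two sides: a delay of only 2 seconds satisfying a rule built around a 7-second sleep, and the rule matching a bare https://google.com that has no parameter to fuzz. The added example below (my own code, not nuclei's matcher or anything from this repository) shows how a scanner can avoid both: refuse to evaluate a URL with no query parameters, and compare injected timings against a baseline instead of a fixed duration threshold. The 7-second figure comes from the report; the jitter margin, the sample timings and the URLs are constructed.

```python
import statistics
from urllib.parse import parse_qs, urlparse

# Delay a genuine hit should add; the report says at least 7 seconds
# (value taken from the report, the jitter margin below is an assumption).
SLEEP_SECONDS = 7.0


def fuzzable_params(url: str) -> list[str]:
    """Names of query parameters a time-based rule could inject into.

    A bare URL such as https://google.com has no query string, so the rule
    has nothing to fuzz and must report 'not applicable' instead of matching.
    """
    return sorted(parse_qs(urlparse(url).query, keep_blank_values=True))


def delayed_by_sleep(baseline: list[float], injected: list[float],
                     sleep: float = SLEEP_SECONDS, jitter: float = 1.0) -> bool:
    """True only if every injected sample is at least (sleep - jitter) slower
    than the median baseline. A fixed 'duration >= N' matcher with N too low,
    or a single transient slow response, is exactly the false-positive
    pattern reported in this issue.
    """
    if not baseline or not injected:
        return False
    base = statistics.median(baseline)
    return all(t - base >= sleep - jitter for t in injected)


def verdict(url: str, baseline: list[float], injected: list[float]) -> str:
    """Combine both checks into the three outcomes a scanner should emit."""
    if not fuzzable_params(url):
        return "not-applicable"
    return "matched" if delayed_by_sleep(baseline, injected) else "no-match"


if __name__ == "__main__":
    # Constructed timings: ~0.3 s normal latency, one transient 2 s response.
    normal = [0.31, 0.28, 0.35]
    print(verdict("https://google.com/", normal, [2.0]))                    # not-applicable
    print(verdict("http://example.test/event?id=272", normal, [2.0]))       # no-match
    print(verdict("http://example.test/event?id=272", normal, [7.4, 7.3]))  # matched
```

Requiring every repeated injected sample to clear the baseline is what stops one slow network round trip from being reported as a critical finding.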

princechaddha commented 2 months ago

Hi @zecopro, thank you for taking the time to create this issue and for contributing to this project 🍻

I have added dast/vulnerabilities/sqli/time-based-sqli.yaml to the .nuclei-ignore file as it was producing false positive results; therefore, it will no longer run in the default dast scan. We will update this once we have SQL injection analyzer support added to Nuclei.

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

mastercho commented 2 months ago

@princechaddha what are you talking about? Your CEO said discord is considered an offline place and we should not discuss anything about templates and contributions there... Also, I was right about the templates; you just discriminate against us ...