projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

nuclei 3.1.10 validates invalid template #4866

Open geeknik opened 6 months ago

geeknik commented 6 months ago

Nuclei version:

3.1.10

Current Behavior:

nuclei validates an invalid template.

Expected Behavior:

It should see the error when using -validate.

Steps To Reproduce:

id: test

info:
  name: test
  author: geeknik

http:
  - raw:
      - |
        GET /test HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /test2 HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "test.*"
          -"\<script\>window\.park"

nuclei -validate test.yaml -v -debug

nuclei -t test.yaml -u http://example.com/ -debug -v

yamllint test.yaml

Anything else:

hi! 🤙🏻

rxerium commented 6 months ago

I can confirm I am experiencing the same issue with several phishing templates using the following command: nuclei -t <template> -u host.com

tarunKoyalwar commented 6 months ago

I am not able to reproduce this,

$ ./nuclei -t x.yaml -validate -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.0-dev

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[ERR] Error occurred loading template /Users/tarun/Codebase/nuclei/x.yaml: Could not load template /Users/tarun/Codebase/nuclei/x.yaml: yaml: line 25: could not find expected ':'
[FTL] Could not validate templates: errors occurred during template validation

$ nuclei -t x.yaml -validate

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.10

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[ERR] Error occurred loading template /Users/tarun/Codebase/nuclei/x.yaml: Could not load template /Users/tarun/Codebase/nuclei/x.yaml: yaml: line 25: could not find expected ':'
[FTL] Could not validate templates: errors occurred during template validation

cc: @geeknik

and the issue seems to be related to incorrect YAML and not template logic

$ nuclei -t ~/nuclei-templates/http/osint/phishing -validate

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.10

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] All templates validated successfully

rxerium commented 6 months ago

See below, very happy to help further troubleshoot and assist where I can :)


geeknik commented 6 months ago

and the issue seems to be related to incorrect YAML and not template logic

@tarunKoyalwar I'm pretty sure there is something going on during the validation. Here's an interesting AI-generated template example that looks pretty neat.

id: cookie-leak-on-redirect

info:
  name: Cookie Leak on Redirect
  author: geeknik
  severity: high
  description: Checks for a vulnerability where cookie data is sent to a redirection host, potentially leaking authentication information.

requests:
  - method: GET
    path:
      - "/{{random_string(5)}}.php"
    headers:
      Cookie: "aaa={{random_num(4)}}"
    matchers:
      - type: word
        words:
          - "Location: http://"
        condition: or
        location: response.headers.Location

  - method: GET
    path:
      - "/"
    matcher-if:
      condition: and
      checks:
        - type: word
          word: "Location:"
          location: previous.response.headers.Location
        - type: word
          word: "{{previous.response.headers.Location}}"
          location: request.headers.Host
    matchers:
      - type: word
        words:
          - "Cookie: aaa="
        condition: or
        location: response.headers.Cookie

Looks pretty conformant. Some of it even makes sense. Let's validate it just to be sure...

~$ nuclei -t /tmp/test.yaml -validate -debug -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] All templates validated successfully

Now let's hack the planet!!!

[VER] Started metrics server at localhost:9092
[WRN] Could not load template /tmp/test.yaml: yaml: unmarshal errors:
  line 20: field location not found in type matchers.Matcher
  line 25: field matcher-if not found in type http.Request
  line 39: field location not found in type matchers.Matcher
[INF] Current nuclei version: v3.2.2 (latest)
[INF] Current nuclei-templates version: v9.8.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan

Wait, what?

~$ nuclei -hc

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.2

        projectdiscovery.io

Version: v3.2.2
Operating System: linux
Architecture: amd64
Go Version: go1.21.8
Compiler: gc
File "/root/.config/nuclei/config.yaml" Read => Ok
File "/root/.config/nuclei/config.yaml" Write => Ok
File "/root/.config/nuclei/.nuclei-ignore" Read => Ok
File "/root/.config/nuclei/.nuclei-ignore" Write => Ok
File "/root/.bbot/tools/nuclei-templates/.checksum" Read => Ok
File "/root/.bbot/tools/nuclei-templates/.checksum" Write => Ok
IPv4 connectivity to scanme.sh:80 => Ok
IPv6 connectivity to scanme.sh:80 => Ko (dial tcp6 [2400:6180:0:d0::91:1001]:80: connect: network is unreachable)
IPv4 UDP connectivity to scanme.sh:53 => Ok