projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Feature Request: Add `-loop` Flag for Repeated Template Scanning to Enhance Load Balancer Vulnerability Detection #5333

Closed Nishantbhagat57 closed 2 months ago

Nishantbhagat57 commented 2 months ago

Hey ProjectDiscovery Team,

I would like to request a feature to further improve nuclei template scanning and enhance the accuracy of finding vulnerabilities.

I suggest adding a -loop flag (or a similarly named flag) that accepts the number of times a template should be scanned. For example, if a user adds the -loop 5 argument, then nuclei should scan the same template 5 times on the current scan target.

Additionally, it would be great if nuclei could intelligently identify a load balancer. In such cases, a -loop 5 --loop_when_loadbalancer flag would loop the template scan only if a load balancer is detected.

Theory

A load balancer is a proxy (in front) that works to distribute the workload across multiple servers. Usually, those servers have similar structures, so the applications inside them also need to be similar.

[image: attached diagram]

But, the issue lies in:

[image: attached diagram]

By doing 10x loops on nuclei the issue is exploitable.

[image: attached diagram]

Why?

  1. The first request might go to the server with the latest app.
  2. The second request might also go there; our session will be directed to the newest version.

So, multiple requests are needed for our session to be directed to the vulnerable server.

Reference

https://twitter.com/xchopath/status/1805331064958894177?t=WWddaLg9BzXCqVYvq1YmJQ&s=19

Credits

https://x.com/xchopath https://github.com/xchopath

cc: @ehsandeep @princechaddha

princechaddha commented 2 months ago

Hi @Nishantbhagat57, Thank you for taking the time to create this issue and for contributing to this project 🍻

You can achieve what you described in the issue by using flow. Please confirm if this is what you intended to do with the loop.

Example:

```yaml
id: test-template

info:
  name: Test Template
  author: princechaddha
  severity: info
  tags: tech

flow: |
  for (let i = 0; i < 10; i++) {
    http(1)
  }

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - "<title>Example</title>"

      - type: status
        status:
          - 200
```

ehsandeep commented 2 months ago

@Nishantbhagat57 there is -scan-all-ips option that will scan through multiple IPs/load balancers available in the DNS response of the host.

```
   -sa, -scan-all-ips  scan all the IP's associated with dns record
```

Nishantbhagat57 commented 2 months ago

> Hi @Nishantbhagat57, Thank you for taking the time to create this issue and for contributing to this project 🍻
>
> You can achieve what you described in the issue by using flow. Please confirm if this is what you intended to do with the loop.
>
> Example:
>
> ```yaml
> id: test-template
>
> info:
>   name: Test Template
>   author: princechaddha
>   severity: info
>   tags: tech
>
> flow: |
>   for (let i = 0; i < 10; i++) {
>     http(1)
>   }
>
> http:
>   - method: GET
>     path:
>       - "{{BaseURL}}"
>
>     matchers-condition: and
>     matchers:
>
>       - type: word
>         part: body
>         words:
>           - "<title>Example</title>"
>
>       - type: status
>         status:
>           - 200
> ```

@princechaddha, thank you for your response. I appreciate your suggestion to use the flow feature to achieve the desired behavior.

However, I don't think it's an optimal solution for this use case. The flow approach requires rewriting nuclei templates or adding custom logic when creating templates, which might not be feasible for all users. I think there should be a new flag/argument to handle these load-balancer cases. I think the first easy step should indeed be to provide a -loop flag (or a similarly named flag) that accepts the number of times each template/templates should be scanned.

Additionally, adding load-balancer detection and intelligent looping would further enhance the feature's effectiveness.

Next steps should be:

  1. Identification of Load Balancers: Implement a mechanism to accurately detect whether a target is behind a load balancer. This needs a thorough research first.
  2. Adding --loop_when_loadbalancer flag: Introduce a new flag that, when used with -loop, would loop template scan only when a load balancer is detected. For example, -loop 5 --loop_when_loadbalancer would loop the template scan 5 times only when a load balancer is detected for the current target.

Nishantbhagat57 commented 2 months ago

> @Nishantbhagat57 there is -scan-all-ips option that will scan through multiple IPs/load balancers available in the DNS response of the host.
>
> ```
>    -sa, -scan-all-ips  scan all the IP's associated with dns record
> ```

Hi @ehsandeep, Thanks for pointing out the -scan-all-ips option! However, I'm not sure if it would automatically detect and scan load balancers. Can you provide more information on how this option handles load balancers? Would it scan the load balancer itself, or just the IP addresses associated with dns record?

Also, most of the time the IP would be that of a WAF like CloudFront, Akamai or Cloudflare. Also, the idea is mainly that at a certain time the application may be under a different load balancer; next time it can be under a different load balancer that may be vulnerable. Once I found a price-manipulation bug in which I paid Rs.1 for a product that was priced at Rs.5,000. I reported the bug, but it was no longer reproducible. When I asked the team if they had fixed the issue, they replied that they are still evaluating the report, and added: "In some instances this can be a case of expired session or load balanced traffic is under different WAF rules. We will do what we can to investigate that the bug could be intermittent. Please standby for updated status into triaged state."

[image: Screenshot 2024-06-26 212855]

Nishantbhagat57 commented 2 months ago

ping @ehsandeep @princechaddha

ehsandeep commented 2 months ago

@Nishantbhagat57 thanks for sharing the idea, but I think it would be better to re-scan like you are doing right now, i.e. re-run the scan instead of re-scanning template X times in the same nuclei execution, as the nuclei engine is not designed to execute in this way and it would require code changes in the core engine.

Moving this from issues to discussion section for future discussion and reference.
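The "re-run the scan" approach suggested above can be scripted so that intermittent findings (a template that matches in some runs but not others, which is what a vulnerable backend behind a load balancer looks like from the outside) are surfaced explicitly instead of being lost between runs. The script below is an added example, not code from the nuclei project or from anyone in this thread. It assumes nuclei's `-jsonl` output, where each matched result is one JSON line carrying a `"template-id"` field; the target, template path, run count and the sample result lines used for testing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Re-run a nuclei scan N times and report which template IDs matched in only
# some of the runs. A finding that is "intermittent" across otherwise identical
# runs is worth re-testing by hand rather than discarding as a false positive.
# Added example (not nuclei project code). Assumes nuclei's JSONL output format
# with a "template-id" field per matched line.

set -euo pipefail

# rescan TARGET TEMPLATES OUTDIR RUNS
# Runs nuclei RUNS times against TARGET with TEMPLATES, one JSONL file per run.
# A run with no matches may leave no file behind; summarize() tolerates that.
rescan() {
  local target="$1" templates="$2" outdir="$3" runs="$4"
  mkdir -p "$outdir"
  for i in $(seq 1 "$runs"); do
    nuclei -u "$target" -t "$templates" -silent -jsonl -o "$outdir/run_$i.jsonl" || true
  done
}

# extract_ids FILE
# Prints the template-id of every matched line in one JSONL result file.
# sed is used instead of jq so the script has no extra dependencies.
extract_ids() {
  sed -n 's/.*"template-id":"\([^"]*\)".*/\1/p' "$1"
}

# summarize OUTDIR RUNS
# Prints one line per template id: "<id> <hits>/<runs> <stable|intermittent>".
# A template counts at most once per run, so hits never exceeds runs.
summarize() {
  local outdir="$1" runs="$2"
  for f in "$outdir"/run_*.jsonl; do
    [ -e "$f" ] || continue
    extract_ids "$f" | sort -u
  done | sort | uniq -c | while read -r hits id; do
    status=stable
    [ "$hits" -lt "$runs" ] && status=intermittent
    printf '%s %s/%s %s\n' "$id" "$hits" "$runs" "$status"
  done
}

# Usage (constructed values): rescan https://target.example ./templates/ ./out 10 && summarize ./out 10
```

Running `rescan` followed by `summarize` with the same run count gives a per-template hit ratio; anything reported as `intermittent` is the case this issue is about and deserves a manual re-check against the individual backend IPs (for example with `-scan-all-ips`) before it is triaged.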