Closed Nishantbhagat57 closed 2 months ago
Hi @Nishantbhagat57, Thank you for taking the time to create this issue and for contributing to this project 🍻
You can achieve what you described in the issue by using flow. Please confirm if this is what you intended to do with the loop.
```yaml
id: test-template

info:
  name: Test Template
  author: princechaddha
  severity: info
  tags: tech

flow: |
  for (let i = 0; i < 10; i++) {
    http(1)
  }

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>Example</title>"

      - type: status
        status:
          - 200
```
@Nishantbhagat57 there is the `-scan-all-ips` option that will scan through multiple IPs/load balancers available in the DNS response of the host.

```
-sa, -scan-all-ips scan all the IP's associated with dns record
```
@princechaddha, thank you for your response. I appreciate your suggestion to use the flow feature to achieve the desired behavior.

However, I don't think it's an optimal solution for this use case. The flow approach requires rewriting nuclei templates or adding custom logic when creating templates, which might not be feasible for all users. I think there should be a new flag/argument to handle these load-balancer cases. I think the first easy step should be to indeed provide a `-loop` flag (or a similarly named flag) that accepts the number of times each template/templates should be scanned.

Additionally, adding load-balancer detection and intelligent looping would further enhance the feature's effectiveness.

Next steps should be:

`--loop_when_loadbalancer` flag: Introduce a new flag that, when used with `-loop`, would loop the template scan only when a load balancer is detected. For example, `-loop 5 --loop_when_loadbalancer` would loop the template scan 5 times only when a load balancer is detected for the current target.
Hi @ehsandeep, Thanks for pointing out the `-scan-all-ips` option! However, I'm not sure if it would automatically detect and scan load balancers. Can you provide more information on how this option handles load balancers? Would it scan the load balancer itself, or just the IP addresses associated with the DNS record?

Also, most of the time the IP would be that of a WAF like CloudFront, Akamai or Cloudflare. Also, the idea is mainly that at a certain time the application may be under a different load balancer. Next time it can be under a different load balancer that may be vulnerable. Once I found a Price-Manipulation bug in which I paid Rs.1 for a product that cost Rs.5,000. I reported the bug but it was no longer reproducible. When I asked the team if they had fixed the issue, they replied that they were still evaluating the report, and added: "In some instances this can be a case of expired session or load balanced traffic is under different WAF rules. We will do what we can to investigate that the bug could be intermittent. Please standby for updated status into triaged state."
ping @ehsandeep @princechaddha
@Nishantbhagat57 thanks for sharing the idea, but I think it would be better to re-scan like you are doing it right now, i.e. re-run the scan instead of re-scanning a template X times in the same nuclei execution, as the nuclei engine is not designed to execute in this way and it would require code changes in the core engine.
Moving this from issues to discussion section for future discussion and reference.
Hey ProjectDiscovery Team,
I would like to request a feature to further improve nuclei template scanning and enhance the accuracy of finding vulnerabilities.
I suggest adding a `-loop` flag (or a similarly named flag) that accepts the number of times a template should be scanned. For example, if a user adds the `-loop 5` argument, then nuclei should scan the same template 5 times on the current scan target.

Additionally, it would be great if nuclei could intelligently identify a load balancer. In such cases, a `-loop 5 --loop_when_loadbalancer` flag would loop the template scan only if a load balancer is detected.

Theory
A load balancer is a proxy (in front) that works to distribute the workload across multiple servers. Usually, those servers have similar structures, so the applications inside them also need to be similar.
But, the issue lies in:
By doing 10x loops on nuclei the issue is exploitable.
Why?
So, multiple requests are needed for our session to be directed to the vulnerable server.
Reference
https://twitter.com/xchopath/status/1805331064958894177?t=WWddaLg9BzXCqVYvq1YmJQ&s=19
Credits
https://x.com/xchopath
https://github.com/xchopath
cc: @ehsandeep @princechaddha
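An added illustration of the theory above (this is not code from the issue or from nuclei): a small script that fingerprints repeated responses to the same request, reports whether the host looks load balanced and whether its pool members are out of sync (the situation that makes a finding intermittent), and derives how many loops are needed to reach the rarest member with 95% confidence. The eight responses and their `Server`/`ETag` traits are constructed sample data.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: eight responses to the same GET {{BaseURL}} request, as a
# load balancer might spread them over a pool. Six come from members serving
# build 42; two come from a member still serving build 41 (pool drift).
SAMPLE_RESPONSES = (
    [{"status": 200, "headers": {"Server": "nginx", "ETag": '"a1"'},
      "body": "<title>Example</title> build=42"}] * 6
    + [{"status": 200, "headers": {"Server": "nginx", "ETag": '"b7"'},
        "body": "<title>Example</title> build=41"}] * 2
)


def fingerprint(resp):
    """Collapse a response into the traits that identify which pool member answered."""
    body_hash = hashlib.sha256(resp["body"].encode()).hexdigest()[:12]
    hdrs = resp["headers"]
    return (resp["status"], hdrs.get("Server", ""), hdrs.get("ETag", ""), body_hash)


def analyse_pool(responses):
    """Group repeated responses by fingerprint and report whether the host looks
    load balanced and whether its members disagree (the intermittent-bug case)."""
    counts = Counter(fingerprint(r) for r in responses)
    return {
        "backends": len(counts),
        "load_balanced": len(counts) > 1,
        # Distinct bodies mean the members are not in sync: a finding on one
        # of them only reproduces when a request happens to land there.
        "content_drift": len({fp[3] for fp in counts}) > 1,
        "rarest_share": min(counts.values()) / len(responses),
    }


def loops_for_confidence(share, confidence=0.95):
    """Smallest number of identical requests so that, with probability
    `confidence`, at least one reaches a member seen with frequency `share`.
    P(miss every time) = (1 - share)**n, so n = ceil(ln(1 - c) / ln(1 - share))."""
    if share >= 1.0:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log(1 - share))


if __name__ == "__main__":
    report = analyse_pool(SAMPLE_RESPONSES)
    print(report)
    if report["load_balanced"]:
        print("suggested -loop:", loops_for_confidence(report["rarest_share"]))
```

With the sample data the rarest member answers a quarter of the requests, so 11 identical requests are needed for a 95% chance of reaching it at least once.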