projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

[BUG] Nuclei crashes when running in DAST mode with specific input #5557

Closed h41th closed 1 month ago

h41th commented 1 month ago

Is there an existing issue for this?

Current Behavior

Running nuclei in dast mode with a subdomain as input that does not contain a trailing forward slash causes it to crash.


Expected Behavior

Nuclei runs without crashing.

Steps To Reproduce

Run nuclei -u http://testphp.vulnweb.com -dast

Relevant log output

nuclei -u http://testphp.vulnweb.com -dast

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.1

                projectdiscovery.io

[INF] Current nuclei version: v3.3.1 (latest)
[INF] Current nuclei-templates version: v9.9.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 56
[INF] Templates loaded for current scan: 24
[INF] Executing 24 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[WARN] unknown type map[string]interface {} for value map[]
panic: interface conversion: interface {} is nil, not string

goroutine 9129 [running]:
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component.(*Path).Rebuild(0xc021df49c0)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/component/path.go:98 +0x3d6
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartComponentOnValues.func1({0x0, 0x0}, {0x26753a0?, 0xc020aace70?})
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/parts.go:68 +0x199
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component.(*Path).Iterate.func1({0x0?, 0x30?}, {0x26753a0?, 0xc020aace70?})
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/component/path.go:54 +0x33
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/dataformat.(*KV).Iterate(0xc020fef4c0?, 0xc00d1ab0c8)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/dataformat/kv.go:75 +0xd0
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component.(*Path).Iterate(0x10?, 0x28143e0?)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/component/path.go:53 +0x51
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartComponentOnValues(0xc0101e9cc0, 0xc020fef440, {0xc012e40c80, 0xe}, {0x3603440?, 0xc021df49c0})
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/parts.go:53 +0x102
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartComponent(0x0?, 0x0?, {{0x0, 0x0}, {0xc012e40c80, 0xe}}, {0x3603440?, 0xc021e0e250?})
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/parts.go:45 +0xb9
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartRule(...)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/parts.go:18
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executeRuleValues(0xc0101e9cc0, 0xc020fef440, {0x3603440, 0xc021e0e250})
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/execute.go:219 +0x28f
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).Execute(0xc0101e9cc0, 0xc020fef440)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/fuzz/execute.go:153 +0xfd4
github.com/projectdiscovery/nuclei/v3/pkg/protocols/http.(*Request).executeAllFuzzingRules(0xc010c694a0, 0xc0206db620, 0xc0206db0b0, 0xa?, 0xc0206dafc0)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/protocols/http/request_fuzz.go:124 +0x2bc
github.com/projectdiscovery/nuclei/v3/pkg/protocols/http.(*Request).executeFuzzingRule(0xc010c694a0, 0xc0206dae70, 0xc012e40ae8?, 0x5?)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/protocols/http/request_fuzz.go:97 +0x4e9
github.com/projectdiscovery/nuclei/v3/pkg/protocols/http.(*Request).ExecuteWithResults(0xc010c694a0, 0xc0206dae70, 0xc0206db0b0, 0xc0206daf90, 0xc0206dafc0)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/protocols/http/request.go:465 +0x1aa
github.com/projectdiscovery/nuclei/v3/pkg/tmplexec/generic.(*Generic).ExecuteWithResults(0xc01284eb70, 0xc01d61e460)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/tmplexec/generic/exec.go:61 +0x303
github.com/projectdiscovery/nuclei/v3/pkg/tmplexec.(*TemplateExecuter).Execute(0xc003702dc0, 0xc01d61e460)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/tmplexec/exec.go:199 +0x43c
github.com/projectdiscovery/nuclei/v3/pkg/core.(*Engine).executeTemplateWithTargets.func2.1(0x239bda7?, 0x0?, 0xc020fef040)
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/core/executors.go:139 +0x203
created by github.com/projectdiscovery/nuclei/v3/pkg/core.(*Engine).executeTemplateWithTargets.func2 in goroutine 9188
        /home/h41th/go/pkg/mod/github.com/projectdiscovery/nuclei/v3@v3.3.1/pkg/core/executors.go:115 +0x511

Environment

- OS: Debian on WSL2
- Nuclei: v3.3.1
- Go: go.1.21.3
- PDTM: 0.9

Anything else?

No response

3th1cyuk1 commented 1 month ago

I'm also facing the same issue in nuclei

[WARN] unknown type map[string]interface {} for value map[]
panic: interface conversion: interface {} is nil, not string

goroutine 1292549 [running]:
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component.(*Path).Rebuild(0xc010bdc280)
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component/path.go:98 +0x3d6
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartComponentOnValues.func1({0x0, 0x0}, {0x2667ce0?, 0xc00fe4c7b0?})
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/parts.go:68 +0x199
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component.(*Path).Iterate.func1({0x0?, 0x41003e?}, {0x2667ce0?, 0xc00fe4c7b0?})
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component/path.go:54 +0x33
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/dataformat.(*KV).Iterate(0xc00d602c80?, 0xc003b6d0c8)
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/dataformat/kv.go:75 +0xd0
github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component.(*Path).Iterate(0x10?, 0x10000?)
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component/path.go:53 +0x51
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartComponentOnValues(0xc004c177c0, 0xc011872f00, {0xc00e88bf90, 0xe}, {0x35ea940?, 0xc010bdc280})
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/parts.go:53 +0x102
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartComponent(0x0?, 0x0?, {{0x0, 0x0}, {0xc00e88bf90, 0xe}}, {0x35ea940?, 0xc010b7a8b0?})
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/parts.go:45 +0xb9
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executePartRule(...)
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/parts.go:18
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).executeRuleValues(0xc004c177c0, 0xc011872f00, {0x35ea940, 0xc010b7a8b0})
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/execute.go:219 +0x28f
github.com/projectdiscovery/nuclei/v3/pkg/fuzz.(*Rule).Execute(0xc004c177c0, 0xc011872f00)
        github.com/projectdiscovery/nuclei/v3/pkg/fuzz/execute.go:153 +0xfd4
github.com/projectdiscovery/nuclei/v3/pkg/protocols/http.(*Request).executeAllFuzzingRules(0xc004c18780, 0xc0042c46c0, 0xc0145b5da0, 0xa?, 0xc0145b5a70)
        github.com/projectdiscovery/nuclei/v3/pkg/protocols/http/request_fuzz.go:124 +0x2bc
github.com/projectdiscovery/nuclei/v3/pkg/protocols/http.(*Request).executeFuzzingRule(0xc004c18780, 0xc0145b58c0, 0xc00e88bcb9?, 0x5?)
        github.com/projectdiscovery/nuclei/v3/pkg/protocols/http/request_fuzz.go:97 +0x4e9
github.com/projectdiscovery/nuclei/v3/pkg/protocols/http.(*Request).ExecuteWithResults(0xc004c18780, 0xc0145b58c0, 0xc0145b5da0, 0xc0145b59e0, 0xc0145b5a70)
        github.com/projectdiscovery/nuclei/v3/pkg/protocols/http/request.go:465 +0x1aa
github.com/projectdiscovery/nuclei/v3/pkg/tmplexec/generic.(*Generic).ExecuteWithResults(0xc00bda6180, 0xc0038fdcc0)
        github.com/projectdiscovery/nuclei/v3/pkg/tmplexec/generic/exec.go:61 +0x303
github.com/projectdiscovery/nuclei/v3/pkg/tmplexec.(*TemplateExecuter).Execute(0xc009181080, 0xc0038fdcc0)
        github.com/projectdiscovery/nuclei/v3/pkg/tmplexec/exec.go:199 +0x43c
github.com/projectdiscovery/nuclei/v3/pkg/core.(*Engine).executeTemplateWithTargets.func2.1(0x7bb785?, 0x0?, 0xc019454900)
        github.com/projectdiscovery/nuclei/v3/pkg/core/executors.go:139 +0x203
created by github.com/projectdiscovery/nuclei/v3/pkg/core.(*Engine).executeTemplateWithTargets.func2 in goroutine 14414
        github.com/projectdiscovery/nuclei/v3/pkg/core/executors.go:115 +0x511

Stuuxx commented 1 month ago

(screenshot attached)

h41th commented 1 month ago

Built nuclei from the fix branch but still the same issue:

dwisiswant0 commented 1 month ago

> Built nuclei from the fix branch but still the same issue:

You should run with go run cmd/nuclei/main.go, not nuclei, unless you already built with make build — and then the compiled binary is in the cwd, ./nuclei.

h41th commented 1 month ago

ah yes my bad x)

Nuclei no longer crashes; there are some warning messages though:

h41th commented 1 month ago

Should I go ahead and close this as solved?

dwisiswant0 commented 1 month ago

> Nuclei no longer crashes; there are some warning messages though:

Yep, I’m aware of this.

> Should I go ahead and close this as solved?

It’ll automatically close if the linked PR is merged.

h41th commented 1 month ago

Cool, thanks for the quick fix!

dwisiswant0 commented 1 month ago

> Nuclei no longer crashes; there are some warning messages though

Please pull the fix branch to the latest commit and then try again. There shouldn't be any warnings now. This issue seems to be because the relative path is empty (https://github.com/projectdiscovery/nuclei/issues/5340#issuecomment-2307358095), and Nuclei is not changing the request path on the fly. We want to ensure that this behavior aligns with how a relative path is defined in RFC 3986, and we don't want to alter the absolute path (by resolving a URI reference to an absolute URI) that's being fed to the engine and loaded dynamically during runtime. But perhaps our team will decide on what the specific treatment for this will be.

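The stack trace in the report and the explanation above describe two separate ingredients: a URL with no path (RFC 3986 allows an empty path-abempty, so http://host with no trailing slash is valid input), and a rebuild step that does an unchecked `.(string)` assertion on an interface value that turns out to be nil. The following Go program is an added example written for this thread, not nuclei's own code; `pathKV`, `splitPath`, `rebuildUnchecked`, `rebuildSafe` and `panics` are constructed stand-ins for a path-fuzzing component, and the URLs are made up. It shows the crash-prone form beside a hardened form that keeps an empty path empty instead of resolving it, and that turns bad segment values into errors rather than a panic.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// pathKV is a constructed stand-in for the generic key/value store that a
// path-fuzzing component iterates over: segment index -> segment value.
// Values are interface{} because the same kind of store also carries
// non-string data, which is why a type assertion is needed on the way out.
type pathKV map[string]interface{}

// splitPath turns the path of rawURL into indexed segments. A URL such as
// http://example.test (no trailing slash) has an empty path, which RFC 3986
// permits (path-abempty); the result is then an empty map, not a map holding
// an empty or nil segment.
func splitPath(rawURL string) (pathKV, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	kv := pathKV{}
	if u.Path == "" {
		return kv, nil
	}
	for i, seg := range strings.Split(strings.TrimPrefix(u.Path, "/"), "/") {
		kv[strconv.Itoa(i)] = seg
	}
	return kv, nil
}

// rebuildUnchecked reproduces the failure mode seen in the stack trace: an
// unchecked type assertion on a nil interface value panics with
// "interface conversion: interface {} is nil, not string".
func rebuildUnchecked(kv pathKV) string {
	var b strings.Builder
	for i := 0; i < len(kv); i++ {
		b.WriteString("/")
		b.WriteString(kv[strconv.Itoa(i)].(string))
	}
	return b.String()
}

// rebuildSafe is the hardened form: an empty path stays empty (no rewriting
// of the absolute path the engine was given), and every value is checked with
// the comma-ok assertion so unexpected input surfaces as an error instead of
// taking the whole scanner down.
func rebuildSafe(kv pathKV) (string, error) {
	if len(kv) == 0 {
		return "", nil
	}
	var b strings.Builder
	for i := 0; i < len(kv); i++ {
		v, present := kv[strconv.Itoa(i)]
		if !present || v == nil {
			return "", fmt.Errorf("path segment %d is missing or nil", i)
		}
		s, ok := v.(string)
		if !ok {
			return "", fmt.Errorf("path segment %d has type %T, want string", i, v)
		}
		b.WriteString("/")
		b.WriteString(s)
	}
	return b.String(), nil
}

// panics reports whether rebuildUnchecked panics on kv, recovering so the
// demonstration itself keeps running.
func panics(kv pathKV) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = rebuildUnchecked(kv)
	return false
}

func main() {
	// Constructed inputs: a normal path, a store where a fuzzing step left a
	// nil segment behind, and a URL with no path at all.
	good, _ := splitPath("http://example.test/listproducts.php")
	nilSeg := pathKV{"0": nil}
	empty, _ := splitPath("http://example.test")

	fmt.Println("unchecked rebuild of a normal path:", rebuildUnchecked(good))
	fmt.Println("unchecked rebuild panics on a nil segment:", panics(nilSeg))
	for _, kv := range []pathKV{good, nilSeg, empty} {
		p, err := rebuildSafe(kv)
		fmt.Printf("safe rebuild: path=%q err=%v\n", p, err)
	}
}
```

The design point is that the empty-path case is handled by the length check before any segment is touched, so the URL fed to the engine is neither rewritten to "/" nor passed through a code path that assumes at least one string segment exists.
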
h41th commented 1 month ago

All good now 👍

Thanks again for the fix and the explanation!