[BUG] DSL Responses Do Not Work Properly with Code Protocol

projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.

https://docs.projectdiscovery.io/tools/nuclei

MIT License

20.83k stars 2.52k forks source link

[BUG] DSL Responses Do Not Work Properly with Code Protocol #5748

Open hipotermia opened 1 month ago

hipotermia commented 1 month ago

Is there an existing issue for this?

[x] I have searched the existing issues.

Current Behavior

When using the code protocol, DSL responses are not functioning as expected.

status_code_1 == 200 evaluates to true.
status_code_2 == 200 evaluates to true.

However, when comparing the two status codes:

status_code_1 == status_code_2 does not match.

And by removing the code protocol, works.

Expected Behavior

status_code_1 == status_code_2 should match if are equal, regardless if code is being used.

Steps To Reproduce

The following template should hit, but it doesn't.

id: test

info:
  name: test
  author: hipotermia
  severity: high

code:
  - engine:
      - py
      - python3
    source: |
      print('/')

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == status_code_2"

Relevant log output

No response

Environment

OS: Lunux
Nuclei: 3.3.5
Go: 1.22.4

Anything else?

No response

dwisiswant0 commented 1 month ago

I'll leave it here for notes:

issue-5748-b:

code:
  - engine:
      - sh
      - bash
    source: id

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: dsl
        dsl:
          - 'concat("status_code_1: ", status_code_1)'
          - 'concat("status_code_2: ", status_code_2)'

issue-5748-c:

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: dsl
        dsl:
          - 'concat("status_code_1: ", status_code_1)'
          - 'concat("status_code_2: ", status_code_2)'

Output:

[issue-5748-b] [http] [info] http://scanme.sh ["status_code_1: 200"]
[issue-5748-b] [http] [info] http://scanme.sh ["status_code_2: 200"]
[issue-5748-c] [http] [info] http://scanme.sh ["status_code_1: 200"]
[issue-5748-c] [http] [info] http://scanme.sh ["status_code_1: 200","status_code_2: 200"]

dwisiswant0 commented 1 month ago

I'm going to be off for a few days, so I’m dropping this here as a note (for myself as well). I suspect that the underlying issue might be found here:

https://github.com/projectdiscovery/nuclei/blob/ff23949bb0f61ba9458faf3adc740233d7de3b8c/pkg/tmplexec/multiproto/multi.go#L119-L120

This was introduced in https://github.com/projectdiscovery/nuclei/pull/5426.