Closed michael1026 closed 4 years ago
Hi @michael1026,
Thanks for the feedback and suggestion. I'm not sure if you already checked the dsl matcher, but you can pretty much configure everything. For example, if you are looking for a path and not sure about the response, you can use the matcher like this:

```yaml
matchers:
  - type: dsl
    dsl:
      - "len(body)>100 && status_code==200" # Body length greater than 100 and 200 status code
```

dsl allows many more options listed here https://github.com/projectdiscovery/nuclei-templates/blob/master/GUIDE.md
I hope this partially solves your case, otherwise, we are open to discuss more on this.
Hi. Thanks for the info. This is indeed a partial solution, but will result in a lot of false positives and a lot of false negatives. For example, paths that resolve to a 301 (i.e. /api to /api/) but other sites might 301 to a 404 page when the path isn't found.
If I'd like to look for paths that exist, but I'm not sure what's going to be there, it's almost impossible to write a template for that case. For example, if I want to write a test for interesting path locations such as `/admin`, `/api`, `/upload`, I don't know what to look for in the response. It could vary from site to site.

What I'm proposing is an option in the template file to auto-configure the response matching per host. How this could work is by requesting non-existent paths on each host to know what the response would look like, then using that to determine if your paths are interesting or not. This is much like the -ac option for ffuf.
I'm happy to help with this, but haven't written very much Go. I might take a shot at it this weekend.
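The per-host auto-calibration described in the post above, as an added Go example; it is not code from nuclei, from ffuf, or from anyone in this thread, and the comparison it uses (status, redirect target with the requested path masked, line count, word count within a tolerance) is my own simplification of the idea rather than ffuf's `-ac` logic. `NewFakeSite`, its paths and bodies, the three-sample calibration and the word tolerance of 3 are all constructed assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Fingerprint is the shape of a response: only properties comparable between paths without knowing the site.
type Fingerprint struct {
	Status, Lines, Words int
	Location             string // redirect target with the requested path replaced by "<path>"
}

// client never follows redirects: the 301 from /api to /api/ is itself the signal.
var client = &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}

// probe fetches base+path and reduces the response to a Fingerprint.
func probe(base, path string) (Fingerprint, error) {
	resp, err := client.Get(base + path)
	if err != nil {
		return Fingerprint{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return Fingerprint{}, err
	}
	// "/api"->"/api/" and "/zz"->"/zz/" both become "<path>/": a host that appends a slash to every path is not flagged everywhere.
	loc := strings.ReplaceAll(resp.Header.Get("Location"), path, "<path>")
	return Fingerprint{resp.StatusCode, strings.Count(string(body), "\n"), len(strings.Fields(string(body))), loc}, nil
}

// Calibrate requests n random paths that cannot exist and records how the host answers; several samples catch a varying reply.
func Calibrate(base string, n int) ([]Fingerprint, error) {
	baseline := make([]Fingerprint, 0, n)
	for i := 0; i < n; i++ {
		fp, err := probe(base, fmt.Sprintf("/%016x", rand.Uint64())) // 16 random hex chars: no real site has this path
		if err != nil {
			return nil, err
		}
		baseline = append(baseline, fp)
	}
	return baseline, nil
}

// Interesting reports whether path answers with something that matches none of the calibrated
// "not found" shapes. Words and lines are compared rather than byte length because error pages
// usually echo the requested path, which changes the size but not the structure; wordTolerance absorbs a timestamp.
func Interesting(base, path string, baseline []Fingerprint, wordTolerance int) (bool, Fingerprint, error) {
	fp, err := probe(base, path)
	if err != nil {
		return false, fp, err
	}
	for _, b := range baseline {
		d := fp.Words - b.Words
		if d < 0 {
			d = -d
		}
		if fp.Status == b.Status && fp.Location == b.Location && fp.Lines == b.Lines && d <= wordTolerance {
			return false, fp, nil
		}
	}
	return true, fp, nil
}

// NewFakeSite is a constructed target, not a real host. Unknown paths get a 404 echoing the path or, with
// redirectMissing, a 301 to a generic /notfound page, where the status code alone cannot separate them from /api's 301.
func NewFakeSite(redirectMissing bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html><title>Admin</title>\n<form method=post><input name=user></form>\n</html>\n")
	})
	mux.HandleFunc("/api/", func(w http.ResponseWriter, r *http.Request) { // ServeMux answers /api with 301 -> /api/
		fmt.Fprint(w, `{"version":"1","endpoints":["users","tokens"]}`)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if redirectMissing && r.URL.Path != "/notfound" {
			http.Redirect(w, r, "/notfound", http.StatusMovedPermanently)
			return
		}
		http.Error(w, "<html>Not found: "+r.URL.Path+"</html>", http.StatusNotFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeSite(true) // the "301 to a 404 page" host from the thread
	defer srv.Close()
	baseline, err := Calibrate(srv.URL, 3)
	for _, p := range []string{"/admin", "/api", "/doesnotexist"} {
		hit, fp, perr := Interesting(srv.URL, p, baseline, 3)
		fmt.Println(p, "interesting:", hit, fp, "errors:", err, perr)
	}
}
```

Run against the redirecting fake host, `/admin` (200) and `/api` (301 to `/api/`, which becomes `<path>/` after masking) are flagged while `/doesnotexist` (301 to `/notfound`, the same shape as the random paths) is not. A `status_code==200` matcher would miss `/api`, and any "not a 404" logic would flag every missing path on such a host. Masking the requested path inside `Location` is what keeps a host that appends a slash to every URL from being flagged on every path, and byte length is deliberately not compared because the echoed path changes it on every request.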