Nuclei removed url fragment (#) In their HTTP request #8909

Open
daffainfo opened this issue Jan 5, 2024 · 0 comments
Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Issue

projectdiscovery/nuclei#4571

Description

I found some templates that use URL fragments (#) in the path section. Here is a list of these templates:

How to solve?

@tarunKoyalwar has already shared his solver, which uses the JavaScript protocol to send the HTTP request (you can check the solver in the discussions I shared above). However, I have also tested it and have an alternative method using `unsafe: true`. Here is the example template:

```yaml
id: testing-url-fragments

info:
  name: Testing URL Fragment (#)
  author: daffainfo
  severity: info
  metadata:
    max-request: 1
  tags: test

http:
  - raw:
      - |+
        GET /testing#daffainfo HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

    unsafe: true
    matchers:
      - type: status
        status:
          - 200
```

Output:

```
[INF] Targets loaded for current scan: 1
[INF] [testing-url-fragments] Dumped HTTP request for https://daffa.info/testing#daffainfo

GET /testing#daffainfo HTTP/1.1
Host: daffa.info
Origin: https://daffa.info

[DBG] [testing-url-fragments] Dumped HTTP response https://daffa.info/testing#daffainfo

HTTP/1.1 404 Not Found
Content-Length: 162
Connection: keep-alive
Content-Type: text/html
Date: Fri, 05 Jan 2024 06:16:40 GMT
Server: nginx/1.18.0 (Ubuntu)

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
[INF] No results found. Better luck next time!
```

We need to recode some templates that use a URL fragment.

@daffainfo daffainfo added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Jan 5, 2024
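
Added example, not part of the original issue and not Nuclei's own code: a Go sketch showing that a request target derived through the standard `net/url` type leaves the fragment out, plus a scan that lists template lines which would need the raw / `unsafe: true` form shown above. The sample template and the helpers `requestTarget` and `fragmentLines` are constructed for illustration, and the sketch assumes the fragment is lost in standard Go URL handling rather than in Nuclei-specific logic.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample template (not taken from the nuclei-templates repository).
const sampleTemplate = `http:
  - method: GET
    path:
      - "{{BaseURL}}/app/#/login"
      - "{{BaseURL}}/health"
  - raw:
      - |
        GET /testing#daffainfo HTTP/1.1
        Host: {{Hostname}}
`

// requestTarget returns the request-line target net/url yields and the fragment it omits.
func requestTarget(raw string) (target, dropped string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	return u.RequestURI(), u.Fragment, nil // RequestURI is path[?query] only
}

// fragmentLines lists path entries and raw request lines whose target contains '#'.
func fragmentLines(template string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(template))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		// Raw request line: METHOD target HTTP/x.y
		isRaw := len(f) == 3 && strings.HasPrefix(f[2], "HTTP/") && strings.Contains(f[1], "#")
		// Path list entry: - "{{BaseURL}}/..."
		entry := strings.Trim(strings.TrimPrefix(line, "- "), `"'`)
		isPath := strings.HasPrefix(entry, "{{BaseURL}}") && strings.Contains(entry, "#")
		if isRaw || isPath {
			hits = append(hits, line)
		}
	}
	return hits
}
func main() {
	t, d, _ := requestTarget("https://daffa.info/testing#daffainfo")
	fmt.Printf("target=%q dropped=%q hits=%q\n", t, d, fragmentLines(sampleTemplate))
}
```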