2023-02-20 16:56:04 +00:00
|
|
|
id: http-paths
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Test Http Path Edgecases
|
|
|
|
author: pd-team
|
|
|
|
severity: info
|
|
|
|
description: >
|
|
|
|
- https://github.com/projectdiscovery/nuclei/pull/3211
|
|
|
|
- https://github.com/projectdiscovery/nuclei/pull/3127
|
|
|
|
reference:
|
|
|
|
# adding expected results here for context and debugging
|
|
|
|
- "/1337?with=param"
|
|
|
|
- "/some%0A/%0D"
|
|
|
|
- "/%73%6f%6d%65%0A/%0D"
|
|
|
|
- "/%00test%20"
|
|
|
|
- "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
|
|
|
|
- "/test/..;/..;/"
|
|
|
|
- "/xyz/%25u2s/%25invalid"
|
2023-08-03 19:26:32 +00:00
|
|
|
- "//CFIDE/wizards/common/utils.cfc"
|
2023-02-20 16:56:04 +00:00
|
|
|
# duplicating here because same results are expected even if http request is written in different format
|
|
|
|
- "/1337?with=param"
|
|
|
|
- "/some%0A/%0D"
|
|
|
|
- "/%73%6f%6d%65%0A/%0D"
|
|
|
|
- "/%00test%20"
|
|
|
|
- "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
|
|
|
|
- "/test/..;/..;/"
|
|
|
|
- "/xyz/%25u2s/%25invalid"
|
2023-08-03 19:26:32 +00:00
|
|
|
- "//CFIDE/wizards/common/utils.cfc"
|
2023-02-20 16:56:04 +00:00
|
|
|
|
|
|
|
# Test all templates with FullURLs
|
|
|
|
requests:
|
|
|
|
- raw:
|
|
|
|
# relative path without leading slash with param
|
|
|
|
# If relative path does not have `/` prefix it is autocorrected
|
|
|
|
- |+
|
|
|
|
GET 1337?with=param HTTP/1.1
|
|
|
|
Host: scanme.sh
|
|
|
|
# url encoded characters in path
|
|
|
|
- |+
|
|
|
|
GET /some%0A/%0D HTTP/1.1
|
|
|
|
Host: scanme.sh
|
|
|
|
# percent encoded characters in path
|
|
|
|
# In URL encoding only key characters are encoded
|
|
|
|
# while in percent encoding all characters are url encoded (similar to burp decoder)
|
|
|
|
- |+
|
|
|
|
GET /%73%6f%6d%65%0A/%0D HTTP/1.1
|
|
|
|
Host: scanme.sh
|
|
|
|
# test null and % chars in path
|
|
|
|
- |+
|
|
|
|
GET /%00test%20 HTTP/1.1
|
|
|
|
Host: scanme.sh
|
|
|
|
# test payload integrity in parameter
|
|
|
|
- |+
|
|
|
|
GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
|
|
|
|
Host: scanme.sh
|
|
|
|
# test for missing trailing slash
|
|
|
|
- |+
|
|
|
|
GET /test/..;/..;/ HTTP/1.1
|
|
|
|
Host: scanme.sh
|
|
|
|
Origin: {{BaseURL}}
|
|
|
|
# test relative path with invalid/corrupted characters
|
|
|
|
# In such case instead of error or panic nuclei escaped unsupported character (i.e /xyz/%25u2s/%25invalid)
|
|
|
|
# if template requires this condition to not escape unsupported characters. It can only be done in unsafe raw requests
|
|
|
|
- |+
|
|
|
|
GET /xyz/%u2s/%invalid HTTP/1.1
|
|
|
|
Host: scanme.sh
|
2023-08-03 19:26:32 +00:00
|
|
|
# test relative path start with //
|
|
|
|
- |+
|
|
|
|
GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
|
|
|
|
Host: scanme.sh
|
2023-02-20 16:56:04 +00:00
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|
|
|
|
# Same testcases as mentioned above but in path based request format
|
|
|
|
- method: GET
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}/1337?with=param"
|
|
|
|
- "{{BaseURL}}/some%0A/%0D"
|
|
|
|
- "{{BaseURL}}/%73%6f%6d%65%0A/%0D"
|
|
|
|
- "{{BaseURL}}/%00test%20"
|
|
|
|
- "{{BaseURL}}/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
|
|
|
|
- "{{BaseURL}}/test/..;/..;/"
|
|
|
|
- "{{BaseURL}}/xyz/%u2s/%invalid"
|
2023-08-03 19:26:32 +00:00
|
|
|
- "{{BaseURL}}//CFIDE/wizards/common/utils.cfc"
|
2023-02-20 16:56:04 +00:00
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|