mirror of https://github.com/daffainfo/nuclei.git
64 lines
1.7 KiB
YAML
64 lines
1.7 KiB
YAML
id: raw-unsafe-path
|
|
|
|
info:
|
|
name: Test RAW Unsafe Paths
|
|
author: pd-team
|
|
severity: info
|
|
description: >
|
|
- https://github.com/projectdiscovery/nuclei/pull/3211
|
|
- https://github.com/projectdiscovery/nuclei/pull/3127
|
|
reference:
|
|
# adding expected results here for context and debugging
|
|
- "1337"
|
|
- "1337?with=param"
|
|
- "/some%0A/%0D"
|
|
- "/%20test%0a"
|
|
- "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
|
|
- "/test/..;/..;/"
|
|
- "/xyz/%u2s/%invalid"
|
|
- "//CFIDE/wizards/common/utils.cfc"
|
|
|
|
|
|
# Test all unsafe URL Handling Edgecases
|
|
http:
|
|
- raw:
|
|
# relative path without leading slash
|
|
- |+
|
|
GET 1337 HTTP/1.1
|
|
Host: scanme.sh
|
|
# same but with param
|
|
- |+
|
|
GET 1337?with=param HTTP/1.1
|
|
Host: scanme.sh
|
|
# url encoded characters in path
|
|
- |+
|
|
GET /some%0A/%0D HTTP/1.1
|
|
Host: scanme.sh
|
|
# test unsupported chars in path
|
|
- |+
|
|
GET /%20test%0a HTTP/1.1
|
|
Host: scanme.sh
|
|
# test payload integrity params
|
|
- |+
|
|
GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
|
|
Host: scanme.sh
|
|
# test for missing trailing slash
|
|
- |+
|
|
GET /test/..;/..;/ HTTP/1.1
|
|
Host: scanme.sh
|
|
Origin: {{BaseURL}}
|
|
# test relative path with invalid/corrupted characters
|
|
- |+
|
|
GET /xyz/%u2s/%invalid HTTP/1.1
|
|
Host: scanme.sh
|
|
# test relative path start with // (should not be removed)
|
|
- |+
|
|
GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
|
|
Host: scanme.sh
|
|
|
|
unsafe: true
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|