GitHub Repository: projectdiscovery/nuclei
Path: blob/dev/integration_tests/protocols/http/http-paths.yaml
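# Integration-test template: exercises how nuclei normalises unusual HTTP
# request paths (see the two pull requests listed under `description`).
# Every case appears twice — once as a raw request and once as a
# `{{BaseURL}}` path entry — and both forms are expected to send the same
# path; the expected paths are recorded under `reference` below.
id: http-paths

info:
  name: Test Http Path Edgecases
  author: pd-team
  severity: info
  # `>` folds these two lines into one line of description text.
  description: >
    - https://github.com/projectdiscovery/nuclei/pull/3211
    - https://github.com/projectdiscovery/nuclei/pull/3127
  # This field is reused as a list of the expected outgoing paths, one per
  # request below, to make failures easier to read; it is not a list of
  # external references.
  reference:
    # adding expected results here for context and debugging
    - "/1337?with=param"
    - "/some%0A/%0D"
    - "/%73%6f%6d%65%0A/%0D"
    - "/%00test%20"
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%25u2s/%25invalid"
    - "//CFIDE/wizards/common/utils.cfc"
    # duplicated because the same results are expected even when the HTTP
    # request is written in the path-based format (second `http` entry)
    - "/1337?with=param"
    - "/some%0A/%0D"
    - "/%73%6f%6d%65%0A/%0D"
    - "/%00test%20"
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%25u2s/%25invalid"
    - "//CFIDE/wizards/common/utils.cfc"

# Test all templates with full URLs
http:
  - raw:
      # Each request is a `|+` block scalar, so the newline after the last
      # header line is kept in the value. Do not place comments inside the
      # block scalars — they would become part of the request text.
      #
      # relative path without leading slash with param
      # If relative path does not have `/` prefix it is autocorrected
      - |+
        GET 1337?with=param HTTP/1.1
        Host: scanme.sh
      # url encoded characters in path
      - |+
        GET /some%0A/%0D HTTP/1.1
        Host: scanme.sh
      # percent encoded characters in path
      # In URL encoding only key characters are encoded,
      # while in percent encoding all characters are url encoded (similar to burp decoder)
      - |+
        GET /%73%6f%6d%65%0A/%0D HTTP/1.1
        Host: scanme.sh
      # test null and % chars in path
      - |+
        GET /%00test%20 HTTP/1.1
        Host: scanme.sh
      # test payload integrity in parameter: the expected path recorded under
      # `reference` is identical to this request path, i.e. `$%7b`, the
      # quotes and `{}` in the query string must not be re-encoded
      - |+
        GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
        Host: scanme.sh
      # test for missing trailing slash
      # (this raw variant also sends an `Origin` header; the path-based
      # variant of the same case below does not)
      - |+
        GET /test/..;/..;/ HTTP/1.1
        Host: scanme.sh
        Origin: {{BaseURL}}
      # test relative path with invalid/corrupted characters
      # In such a case, instead of an error or panic, nuclei escapes the
      # unsupported character (i.e. /xyz/%25u2s/%25invalid).
      # If a template requires the unsupported characters to be left
      # unescaped, that can only be done in unsafe raw requests.
      - |+
        GET /xyz/%u2s/%invalid HTTP/1.1
        Host: scanme.sh
      # test relative path starting with //
      - |+
        GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
        Host: scanme.sh

    matchers:
      - type: status
        status:
          - 200

  # Same test cases as above, but in path-based request format
  - method: GET
    path:
      - "{{BaseURL}}/1337?with=param"
      - "{{BaseURL}}/some%0A/%0D"
      - "{{BaseURL}}/%73%6f%6d%65%0A/%0D"
      - "{{BaseURL}}/%00test%20"
      - "{{BaseURL}}/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
      - "{{BaseURL}}/test/..;/..;/"
      - "{{BaseURL}}/xyz/%u2s/%invalid"
      - "{{BaseURL}}//CFIDE/wizards/common/utils.cfc"

    matchers:
      - type: status
        status:
          - 200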