projectdiscovery
GitHub Repository: projectdiscovery/nuclei
Path: blob/dev/integration_tests/protocols/http/raw-unsafe-path.yaml
# Integration-test template for raw HTTP requests sent with `unsafe: true`.
# Each request below carries a path that a normalising HTTP client would
# rewrite (no leading slash, encoded CR/LF, `..;/` segments, invalid
# percent-escapes, a leading `//`), so the list doubles as a set of
# regression inputs for "the request line leaves the scanner unchanged".
# Every request hard-codes `Host: scanme.sh`; only one of them uses a
# template variable ({{BaseURL}}, in the Origin header).
id: raw-unsafe-path

info:
  name: Test RAW Unsafe Paths
  author: pd-team
  severity: info
  # Folded scalar: the two pull-request links are stored as a single line of
  # text, not as a YAML sequence.
  description: >
    - https://github.com/projectdiscovery/nuclei/pull/3211
    - https://github.com/projectdiscovery/nuclei/pull/3127
  reference:
    # adding expected results here for context and debugging
    # One entry per raw request under `http`, in the same order, each equal to
    # the request target written in that request.
    # NOTE(review): presumably the test harness reads this list as the expected
    # paths - confirm before reordering, re-quoting or re-encoding any entry.
    - "1337"
    - "1337?with=param"
    - "/some%0A/%0D"
    - "/%20test%0a"
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%u2s/%invalid"
    - "//CFIDE/wizards/common/utils.cfc"


# Test all unsafe URL Handling Edgecases
http:
  - raw:
      # The request bodies are `|+` block scalars: their content, including any
      # trailing blank line, is data. Comments may only sit between items.
      # relative path without leading slash
      - |+
        GET 1337 HTTP/1.1
        Host: scanme.sh
      # same but with param
      - |+
        GET 1337?with=param HTTP/1.1
        Host: scanme.sh
      # url encoded characters in path
      # %0A and %0D are percent-encoded LF and CR; they have to stay encoded,
      # because decoding them before sending would break the request line.
      - |+
        GET /some%0A/%0D HTTP/1.1
        Host: scanme.sh
      # test unsupported chars in path
      # mixed escapes: %20 (space) and a lower-case %0a, whose hex case must
      # not be normalised either.
      - |+
        GET /%20test%0a HTTP/1.1
        Host: scanme.sh
      # test payload integrity params
      # the query string mixes `$`, `{}`, quotes, parentheses and %7b/%7d; the
      # matching info.reference entry is the identical string, so any decoding
      # or re-encoding on the way out shows up as a difference.
      - |+
        GET /text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d HTTP/1.1
        Host: scanme.sh
      # test for missing trailing slash
      # the `..;/` segments and the final `/` must not be collapsed or dropped;
      # this is the only request with an Origin header, set from {{BaseURL}}.
      - |+
        GET /test/..;/..;/ HTTP/1.1
        Host: scanme.sh
        Origin: {{BaseURL}}
      # test relative path with invalid/corrupted characters
      # `%u2s` and `%invalid` are not valid percent-escapes; a strict URL
      # parser would reject or rewrite them.
      - |+
        GET /xyz/%u2s/%invalid HTTP/1.1
        Host: scanme.sh
      # test relative path start with // (should not be removed)
      - |+
        GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
        Host: scanme.sh

    unsafe: true  # send the raw blocks via nuclei's unsafe (rawhttp) engine
    matchers:
      # Only the status code is matched; nothing in this template asserts
      # which path was actually sent.
      # NOTE(review): path fidelity is presumably checked by the harness
      # against info.reference - confirm.
      - type: status
        status:
          - 200
