Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
projectdiscovery
GitHub Repository: projectdiscovery/nuclei
 Path: blob/dev/pkg/fuzz/fuzz.go
2070 views
1
package fuzz

2


3
import (

4
	"regexp"

5
	"strings"

6


7
	"github.com/projectdiscovery/nuclei/v3/pkg/protocols"

8
	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/generators"

9
)

10


11
// Rule is a single rule which describes how to fuzz the request

12
type Rule struct {

13
	// description: |

14
	//   Type is the type of fuzzing rule to perform.

15
	//

16
	//   replace replaces the values entirely. prefix prefixes the value. postfix postfixes the value

17
	//   and infix places between the values.

18
	// values:

19
	//   - "replace"

20
	//   - "prefix"

21
	//   - "postfix"

22
	//   - "infix"

23
	Type     string `yaml:"type,omitempty" json:"type,omitempty" jsonschema:"title=type of rule,description=Type of fuzzing rule to perform,enum=replace,enum=prefix,enum=postfix,enum=infix,enum=replace-regex"`

24
	ruleType ruleType

25
	// description: |

26
	//   Part is the part of request to fuzz.

27
	// values:

28
	//   - "query"

29
	//   - "header"

30
	//   - "path"

31
	//   - "body"

32
	//   - "cookie"

33
	//   - "request"

34
	Part     string `yaml:"part,omitempty" json:"part,omitempty" jsonschema:"title=part of rule,description=Part of request rule to fuzz,enum=query,enum=header,enum=path,enum=body,enum=cookie,enum=request"`

35
	partType partType

36
	// description: |

37
	//   Parts is the list of parts to fuzz. If multiple parts need to be

38
	//   defined while excluding some, this should be used instead of singular part.

39
	// values:

40
	//   - "query"

41
	//   - "header"

42
	//   - "path"

43
	//   - "body"

44
	//   - "cookie"

45
	//   - "request"

46
	Parts []string `yaml:"parts,omitempty" json:"parts,omitempty" jsonschema:"title=parts of rule,description=Part of request rule to fuzz,enum=query,enum=header,enum=path,enum=body,enum=cookie,enum=request"`

47


48
	// description: |

49
	//   Mode is the mode of fuzzing to perform.

50
	//

51
	//   single fuzzes one value at a time. multiple fuzzes all values at same time.

52
	// values:

53
	//   - "single"

54
	//   - "multiple"

55
	Mode     string `yaml:"mode,omitempty" json:"mode,omitempty" jsonschema:"title=mode of rule,description=Mode of request rule to fuzz,enum=single,enum=multiple"`

56
	modeType modeType

57


58
	// description: |

59
	//   Keys is the optional list of key named parameters to fuzz.

60
	// examples:

61
	//   - name: Examples of keys

62
	//     value: >

63
	//       []string{"url", "file", "host"}

64
	Keys    []string `yaml:"keys,omitempty" json:"keys,omitempty" jsonschema:"title=keys of parameters to fuzz,description=Keys of parameters to fuzz"`

65
	keysMap map[string]struct{}

66
	// description: |

67
	//   KeysRegex is the optional list of regex key parameters to fuzz.

68
	// examples:

69
	//   - name: Examples of key regex

70
	//     value: >

71
	//       []string{"url.*"}

72
	KeysRegex []string `yaml:"keys-regex,omitempty" json:"keys-regex,omitempty" jsonschema:"title=keys regex to fuzz,description=Regex of parameter keys to fuzz"`

73
	keysRegex []*regexp.Regexp

74
	// description: |

75
	//   Values is the optional list of regex value parameters to fuzz.

76
	// examples:

77
	//   - name: Examples of value regex

78
	//     value: >

79
	//       []string{"https?://.*"}

80
	ValuesRegex []string `yaml:"values,omitempty" json:"values,omitempty" jsonschema:"title=values regex to fuzz,description=Regex of parameter values to fuzz"`

81
	valuesRegex []*regexp.Regexp

82


83
	// description: |

84
	//   Fuzz is the list of payloads to perform substitutions with.

85
	// examples:

86
	//   - name: Examples of fuzz

87
	//     value: >

88
	//       []string{"{{ssrf}}", "{{interactsh-url}}", "example-value"}

89
	//      or

90
	//       x-header: 1

91
	//       x-header: 2

92
	Fuzz SliceOrMapSlice `yaml:"fuzz,omitempty" json:"fuzz,omitempty" jsonschema:"title=payloads of fuzz rule,description=Payloads to perform fuzzing substitutions with"`

93
	// description: |

94
	//  replace-regex is regex for regex-replace rule type

95
	//  it is only required for replace-regex rule type

96
	// examples:

97
	//   - type: replace-regex

98
	//     replace-regex: "https?://.*"

99
	ReplaceRegex string         `yaml:"replace-regex,omitempty" json:"replace-regex,omitempty" jsonschema:"title=replace regex of rule,description=Regex for regex-replace rule type"`

100
	replaceRegex *regexp.Regexp `yaml:"-" json:"-"`

101
	options      *protocols.ExecutorOptions

102
	generator    *generators.PayloadGenerator

103
}

104


105
// ruleType is the type of rule enum declaration

106
type ruleType int

107


108
const (

109
	replaceRuleType ruleType = iota + 1

110
	prefixRuleType

111
	postfixRuleType

112
	infixRuleType

113
	replaceRegexRuleType

114
)

115


116
var stringToRuleType = map[string]ruleType{

117
	"replace":       replaceRuleType,

118
	"prefix":        prefixRuleType,

119
	"postfix":       postfixRuleType,

120
	"infix":         infixRuleType,

121
	"replace-regex": replaceRegexRuleType,

122
}

123


124
// partType is the part of rule enum declaration

125
type partType int

126


127
const (

128
	queryPartType partType = iota + 1

129
	headersPartType

130
	pathPartType

131
	bodyPartType

132
	cookiePartType

133
	requestPartType

134
)

135


136
var stringToPartType = map[string]partType{

137
	"query":   queryPartType,

138
	"header":  headersPartType,

139
	"path":    pathPartType,

140
	"body":    bodyPartType,

141
	"cookie":  cookiePartType,

142
	"request": requestPartType, // request means all request parts

143
}

144


145
// modeType is the mode of rule enum declaration

146
type modeType int

147


148
const (

149
	singleModeType modeType = iota + 1

150
	multipleModeType

151
)

152


153
var stringToModeType = map[string]modeType{

154
	"single":   singleModeType,

155
	"multiple": multipleModeType,

156
}

157


158
// matchKeyOrValue matches key value parameters with rule parameters

159
func (rule *Rule) matchKeyOrValue(key, value string) bool {

160
	if len(rule.keysMap) == 0 && len(rule.valuesRegex) == 0 && len(rule.keysRegex) == 0 {

161
		return true

162
	}

163
	if value != "" {

164
		for _, regex := range rule.valuesRegex {

165
			if regex.MatchString(value) {

166
				return true

167
			}

168
		}

169
	}

170
	if (len(rule.keysMap) > 0 || len(rule.keysRegex) > 0) && key != "" {

171
		if _, ok := rule.keysMap[strings.ToLower(key)]; ok {

172
			return true

173
		}

174
		for _, regex := range rule.keysRegex {

175
			if regex.MatchString(key) {

176
				return true

177
			}

178
		}

179
	}

180
	return false

181
}

182


183