Nuclei supports fuzzing of HTTP requests based on rules defined in the fuzzing
section of the HTTP request. This allows creating templates for generic Web Application vulnerabilities like SQLi, SSRF, CMDi, etc without any information of the target like a classic web fuzzer.
Part specifies what part of the request should be fuzzed based on the specified rules. Available options for this parameter are -
default
) - fuzz query parameters for URLSupport will be added for path
,header
,body
,cookie
, etc parts soon.
Type specifies the type of replacement to perform for the fuzzing rule value. Available options for this parameter are -
default
) - replace the value with payloadMode specifies the mode in which to perform the replacements. Available modes are -
default
) - replace all values at onceNote: default values are set/used when other options are not defined.
Multiple filters are supported to restrict the scope of fuzzing to only interesting parameter keys and values. Nuclei HTTP Fuzzing engine converts request parts into Keys and Values which then can be filtered by their related options.
The following filter fields are supported -
These filters can be used in combination to run highly targeted fuzzing based on the parameter input. A few examples of such filtering are provided below.
Fuzz specifies the values to replace with a type
for a parameter. It supports payloads, DSL functions, etc and allows users to fully utilize the existing nuclei feature-set for fuzzing purposes.
An example sample template for fuzzing XSS vulnerabilities is provided below.
More complete examples are provided here
Nuclei supports fuzzing of HTTP requests based on rules defined in the fuzzing
section of the HTTP request. This allows creating templates for generic Web Application vulnerabilities like SQLi, SSRF, CMDi, etc without any information of the target like a classic web fuzzer.
Part specifies what part of the request should be fuzzed based on the specified rules. Available options for this parameter are -
default
) - fuzz query parameters for URLSupport will be added for path
,header
,body
,cookie
, etc parts soon.
Type specifies the type of replacement to perform for the fuzzing rule value. Available options for this parameter are -
default
) - replace the value with payloadMode specifies the mode in which to perform the replacements. Available modes are -
default
) - replace all values at onceNote: default values are set/used when other options are not defined.
Multiple filters are supported to restrict the scope of fuzzing to only interesting parameter keys and values. Nuclei HTTP Fuzzing engine converts request parts into Keys and Values which then can be filtered by their related options.
The following filter fields are supported -
These filters can be used in combination to run highly targeted fuzzing based on the parameter input. A few examples of such filtering are provided below.
Fuzz specifies the values to replace with a type
for a parameter. It supports payloads, DSL functions, etc and allows users to fully utilize the existing nuclei feature-set for fuzzing purposes.
An example sample template for fuzzing XSS vulnerabilities is provided below.
More complete examples are provided here