Fuzzing Overview
Learn about fuzzing HTTP requests with Nuclei
Nuclei supports fuzzing of HTTP requests based on rules defined in the fuzzing
section of the HTTP request. This allows creating templates for generic Web Application vulnerabilities like SQLi, SSRF, CMDi, etc without any information of the target like a classic web fuzzer.
Part
Part specifies what part of the request should be fuzzed based on the specified rules. Available options for this parameter are -
- query (
default
) - fuzz query parameters for URL
Support will be added for path
,header
,body
,cookie
, etc parts soon.
Type
Type specifies the type of replacement to perform for the fuzzing rule value. Available options for this parameter are -
- replace (
default
) - replace the value with payload - prefix - prefix the value with payload
- postfix - postfix the value with payload
- infix - infix the value with payload (place in between)
Mode
Mode specifies the mode in which to perform the replacements. Available modes are -
- multiple (
default
) - replace all values at once - single - replace one value at a time
Note: default values are set/used when other options are not defined.
Filters
Multiple filters are supported to restrict the scope of fuzzing to only interesting parameter keys and values. Nuclei HTTP Fuzzing engine converts request parts into Keys and Values which then can be filtered by their related options.
The following filter fields are supported -
- keys - list of parameter names to fuzz (exact match)
- keys-regex - list of parameter regex to fuzz
- values - list of value regex to fuzz
These filters can be used in combination to run highly targeted fuzzing based on the parameter input. A few examples of such filtering are provided below.
Fuzz
Fuzz specifies the values to replace with a type
for a parameter. It supports payloads, DSL functions, etc and allows users to fully utilize the existing nuclei feature-set for fuzzing purposes.
Example Fuzzing template
An example sample template for fuzzing XSS vulnerabilities is provided below.
More complete examples are provided here
Was this page helpful?