Releases: projectdiscovery/nuclei
v3.3.2
What's Changed
🎉 New Features
- Added `ActionWaitDialog` type in headless protocol to simplify XSS detection by @dwisiswant0 in #5545
See docs for more details.
🔨 Maintenance
- Migrated issue template to issue form by @dwisiswant0 in #5538
- Upgraded gitlab api version by @AdallomRoy in #5551
⚠️ Security
- Fixed security issue in template `signer` package by @GuyGoldenberg @dogancanbakir @Mzack9999 in 0da993a
See GitHub security advisories for detailed information.
Other Changes
- Added jira config to accept issue-type id and project id as optional input by @Ice3man543 in #5537
- Fixed issue with `-ms` option to scan non accessible host by @dogancanbakir in #5576
- Fixed race condition issue by @dogancanbakir in #5547
- Fixed panic in list input with dast option by @dwisiswant0 in #5558
New Contributors
- @AdallomRoy made their first contribution in #5551
- @PeterDaveHello made their first contribution in #5578
- @linchizhen made their first contribution in #5586
Full Changelog: v3.3.1...v3.3.2
v3.3.1
What's Changed
🎉 New Features
- Added `team-id` option to upload results to specific team workspace by @RamanaReddy0M in #5523
Option:
-tid, -team-id string upload scan results to given team id (optional) (default "none")
Example:
nuclei -pt dns -u example.com -cloud-upload -team-id cqlmoalcm2sc73eut1b0
- Added redaction support in output file by @dogancanbakir in #5463
Option:
-rd, -redact string[] redact given list of keys from query parameter, request header and body
Example:
nuclei -pt dns -u example.com -redact api_key,x-api-key,user-agent
- Added support for multiple auth strategies per target from secret file by @RamanaReddy0M in #5500
- Added support to generate matcher-status event for javascript protocol by @tarunKoyalwar in #5450
- Added workflows in SDK example by @alban-stourbe-wmx in #5409
- Added `skip-secret-file` template attribute to disable auth per template by @dwisiswant0 in #5522
🐞 Bug Fixes
- Fixed `FileAuthProvider` stores the same strategy for each entry by @mrschyte in #5474
- Fixed circular references in OpenAPI parsing (fuzzing) by @trypa11 in #5491
- Fixed file protocol missing vars in flow & multi-protocol by @tarunKoyalwar in #5480
- Fixed issue assign `customHeaders` to the map directly by @dwisiswant0 in #5445
- Fixed issue with input transformation to multi-protocol templates by @mhmdiaa in #5426
- Fixed missing close statements `file.Close()` & `ticker.Stop()` by @ShuBo6 in #5436
- Fixed nil panic by @tarunKoyalwar in #5473
- Fixed server URL path for OpenAPI parsing by @trypa11 in #5504
- Fixed unresolved `interactsh-url` variable with fuzzing by @RamanaReddy0M in #5289
- Fixed unresolved variables error with dast templates by @RamanaReddy0M in #5443
🔨 Maintenance
- ci: don't clean modules cache by @dwisiswant0 in #5519
- ci: use composite actions by @dwisiswant0 in #5483
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/61?closed=1
New Contributors
- @fudancoder made their first contribution in #5432
- @ShuBo6 made their first contribution in #5436
- @Jarnpher553 made their first contribution in #5419
- @mhmdiaa made their first contribution in #5426
- @alban-stourbe-wmx made their first contribution in #5409
- @mrschyte made their first contribution in #5474
- @trypa11 made their first contribution in #5504
Full Changelog: v3.3.0...v3.3.1
v3.3.0
What's Changed
🐞 Bug Fixes
- Fixed security issue with use of custom workflows by @Mzack9999 in #5318
- Fixed issue to reduce memory usage by javascript templates by @Mzack9999 in #5291
- Fixed target loading issue with `-input-mode` option by @RamanaReddy0M in #5369
- Fixed issue with `stop-at-first-match` option in headless mode with fuzzing by @RamanaReddy0M in #5330
- Fixed issue with ldap search function by @tarunKoyalwar in #5356
- Fixed issue with `ExecuteWithResults` function not returning expected results (SDK) by @boy-hack in #5376
Other Changes
- Added `cname` information in http protocol when available by @tarunKoyalwar in #5389
- Added goja function (`isUDPPortOpen`) to check UDP port by @RamanaReddy0M in #5397
- Added sdk option to disable update check (SDK) by @dogancanbakir in #5346
- Added support to use `fs.FS` when explicitly given (SDK) by @doug-threatmate in #5312
- Added timeouts config in `types.Options` (SDK) by @dogancanbakir in #5228
- Improved ldap output with custom type to return additional information by @tarunKoyalwar in #5387
- Improved template clustering performance by @KristinnVikar in #5319
Caution
In this release, with the changes in #5228, the following options have been removed from the CLI. They are now configured implicitly and can be customized via SDK usage.
-dt, -dialer-timeout value timeout for network requests.
-rrt, -response-read-timeout value response read timeout in seconds (default 5s)
New Contributors
- @KristinnVikar made their first contribution in #5319
- @boy-hack made their first contribution in #5376
Full Changelog: v3.2.9...v3.3.0
v3.2.9
What's Changed
🎉 New Features
- Fuzzing feature enhancements by @Ice3man543 in #5139
  - Added `part: request` to fuzz all the keys in request with fuzzing templates.
  - Added `-fuzz-aggression` CLI option to control fuzz aggression via template.
  - Added `-fuzz-param-frequency` option to control counter for skipping uninteresting parameter.
  - Added `-display-fuzz-points` option to display fuzzing points (for debugging).
- Added PDCP Team ID input support via environment variable to upload results into team account by @tarunKoyalwar in #5295
export PDCP_TEAM_ID=cphlrbmnr2khg33n6ik1
Note
Team ID is optional input and can be obtained from https://cloud.projectdiscovery.io/settings/team. If provided, results will be uploaded to the team account instead of your personal account.
🐞 Bug Fixes
- Fixed slow scan for hosts blocked WAF or getting timed out by @Mzack9999 in #5275
- Fixed issues with multi-thread execution by @Mzack9999 in #5187
- Fixed panic on failed raw request by @tarunKoyalwar in #5230
- Fixed `ExecuteCallbackWithCtx` to use the context that was provided by @doug-threatmate in #5236
- Fixed nil deref err in reporting by @dogancanbakir in #5283
- Fixed `types.RequestResponse` url field `UnmarshalJSON` by @LazyMaple in #5267
- Fixed template validation by @RamanaReddy0M in #5261
- Fixed severity filter for per tracker reporting filters by @Ice3man543 in #5297
Other Changes
- Added Spanish translation of README by @MachadoOtto in #5242
- Added Japanese translation of README by @eltociear in #5259
- Added timestamp in error log (`-elog`) with `-ts` option by @oscarintherocks in #5292
New Contributors
- @doug-threatmate made their first contribution in #5236
- @MachadoOtto made their first contribution in #5242
- @eltociear made their first contribution in #5259
- @oscarintherocks made their first contribution in #5292
- @LazyMaple made their first contribution in #5267
Full Changelog: v3.2.8...v3.2.9
v3.2.8
What's Changed
🐞 Bug Fixes
- Fixed multiple bug fixes + performance improvements by @tarunKoyalwar in #5148
- Fixed more goroutine leaks by @Ice3man543 in #5188
- Fixed issue network interface selection in case of multiple interface by @Mzack9999 in #5186
- Fixed issue with ssl protocol in case of multi request by @Mzack9999 in #5203
Issues closed in release - https://github.com/projectdiscovery/nuclei/milestone/58?closed=1
Full Changelog: v3.2.7...v3.2.8
v3.2.7
What's Changed
🎉 New Features
- Added support for multiple search query in templates to run with `-uncover` option by @RamanaReddy0M in #5132
- Added `-scan-name` input support for pdcp result upload by @tarunKoyalwar in #5155
-sname, -scan-name string scan name to set (optional)
🐞 Bug Fixes
- Fixed race condition (panic) in host spray mode by @Mzack9999 in #5168
- Fixed a bug for multiple input with `-u` option by @dogancanbakir in #5147
- Fixed a bug in issue reporting with severity filter by @Ice3man543 in #5166
- Fixed a bug in pdcp result upload for results with no severity by @tarunKoyalwar in #5155
Other Changes
- Added context support in sdk by @tarunKoyalwar in #5154
Full Changelog: v3.2.6...v3.2.7
v3.2.6
What's Changed
- Fixed goroutine leaks causing spike in memory uses by @tarunKoyalwar in #5112
- Added `-profile` and `-profile-list` option to run template using template profile by @RamanaReddy0M in #5125
$ ./nuclei -tpl
profiles/aws-cloud-config.yml (aws-cloud-config)
profiles/bugbounty.yml (bugbounty)
profiles/cloud.yml (cloud)
profiles/compliance.yml (compliance)
profiles/osint.yml (osint)
profiles/pentest.yml (pentest)
profiles/privilege-escalation.yml (privilege-escalation)
profiles/recommended.yml (recommended)
$ ./nuclei -profile aws-cloud-config
- Added template tags list (`-tgl`) option by @rsrdesarrollo in #4798
$ ./nuclei -silent -tgl | head -n 10
cve (2416)
panel (1122)
wordpress (956)
exposure (895)
xss (890)
wp-plugin (836)
osint (804)
tech (673)
lfi (646)
misconfig (598)
- Added fuzzing output enhancements by @Ice3man543 in #5126
New Contributors
- @socialsister made their first contribution in #5110
- @rsrdesarrollo made their first contribution in #4798
Full Changelog: v3.2.5...v3.2.6
v3.2.5
What's Changed
🎉 New Features
- Added query variable to read param values by @dogancanbakir in #4894
- Added SRV query in dns protocol by @Mzack9999 in #5034
- Added response read timeout flag for network request by @dogancanbakir in #4944
- Added networkpolicy to httpx probes by @Mzack9999 in #5036
- Added context vars in code and multi protocol by @tovask in #5051
- Added nuclei stats / chart utils by @tarunKoyalwar in #5032
- Added support for context cancellation to engine (SDK) by @Ice3man543 in #5096
- Added support for user provided catalog (SDK) by @scottdharvey in #5060
- Added embedded api for settings control in CLI modality (WIP) by @Mzack9999 in #5030
- Added initial refactor for speed control (WIP) by @Mzack9999 in #4986
🐞 Bug Fixes
- Fixed internal resolver override by @Mzack9999 in #5035
- Fixed issue to run workflow subtemplates with new scancontext by @tovask in #5031
- Fixed issue with `max-size` input in template by @dogancanbakir in #5100
- Fixed issue with `skip-variables-check` with self-contained templates by @RamanaReddy0M in #5053
- Fixed issue with close res body in elastic export by @testwill in #5025
- Fixed issue with jsonl input format not working with fuzzing by @Ice3man543 in #5063
- Fixed issue with mhe check in http payloads by @tarunKoyalwar in #5099
- Fixed openapi import nil panic by @dogancanbakir in #5080
- Fixed panic in template validation by @RamanaReddy0M in #5065
- Fixed panic using flow / workflow templates by @RamanaReddy0M in #5064
- Fixed panic with fuzz template by @RamanaReddy0M in #5068
- Fixed issue with case-sensitive links in template reference by @RamanaReddy0M in #5098
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/55?closed=1
New Contributors
- @tovask made their first contribution in #5031
- @testwill made their first contribution in #5025
- @lvyaoting made their first contribution in #5008
- @zrquan made their first contribution in #5038
- @scottdharvey made their first contribution in #5060
Full Changelog: v3.2.4...v3.2.5
v3.2.4
What's Changed
- Fixed an issue for templates with dynamic extractor + payloads edgecase by @tarunKoyalwar in #5016
- Fixed missing JSON schema definitions by @RamanaReddy0M in #4995
- Fixed index out of range panic with fuzzing templates by @tarunKoyalwar in #4998
- Fixed missing interactsh expression evaluation in fuzzing template by @tarunKoyalwar in #5019
- Fixed missing IP in javascript templates by @tarunKoyalwar in #5023
- Fixed invalid port in jsonl output for ssl templates by @tarunKoyalwar in #5023
- Added ASREProastable method in LDAP module by @daffainfo in #4990
New Contributors
- @hanghuge made their first contribution in #5004
- @daffainfo made their first contribution in #4990
Full Changelog: v3.2.3...v3.2.4
v3.2.3
Important
Nuclei Templates for dynamic application security testing (DAST), which were maintained in a separate project at fuzzing-templates, are now being moved to the nuclei-templates project. This way, they can be made available for use with the default nuclei installation with the upcoming release of the template project. These templates will be disabled as default but can be used with the `-dast` option.
More information of fuzzing support: https://blog.projectdiscovery.io/nuclei-fuzzing-for-unknown-vulnerabilities/
What's Changed
- Added `-dast` option to run all and only dast (fuzz) templates by @tarunKoyalwar in #4941
- Added `pre-condition` attribute in Code and DAST templates by @tarunKoyalwar in #4966
- Fixed multiple panic crash by @tarunKoyalwar in #4978
- Fixed multiple issues with query parameter fuzzing by @tarunKoyalwar in #4925
- Fixed issue with `{{interactsh-url}}` variable not working with nested variables by @tarunKoyalwar in #4941
- Fixed issue with `-ms` option for templates using flow by @tarunKoyalwar in #4978
- Fixed issue with `-ms` option generating blank target & template by @tarunKoyalwar in #4969
- Fixed issue with sarif version by @tibbon in #4976
- Fixed issue `-no-color` output by @dogancanbakir in #4954
- Updated outdated JSONSchema library by @kchason in #4943
New Contributors
Full Changelog: v3.2.2...v3.2.3