I prepared a template that matches the 302 status code and two conditions in the header.
```yaml
id: CVE-111-111
info:
  name: redirect test
  author: hacktivist1337
  severity: critical
  reference:
    - https://example.com
  description: test
  tags: cve
requests:
  - method: GET
    path:
      - "{{BaseURL}}/?link=https://www.google.com%23proapp.angi.com"
    matchers-condition: and
    host-redirects: false
    redirects: false
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(header, "google.com") && contains(header, "#proapp.angi")'
        condition: and
```
This template works sometimes and sometimes doesn't.
```console
nuclei -u https://proapp.angi.com -t CVE-111-111.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.5

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.5 (latest)
[INF] Current nuclei-templates version: v10.0.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 74
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-111-111] [http] [critical] https://proapp.angi.com/?link=https://www.google.com%23proapp.angi.com
```
If you look at the terminal screen, the open redirect was found in a few tries above, but could not be found at the bottom.
I wanted to see what was going on using the -debug command.
```console
root@localhost:~/technology/nuclei-yeni-templatem# nuclei -u https://proapp.angi.com -t CVE-111-111.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.5

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.5 (latest)
[INF] Current nuclei-templates version: v10.0.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 74
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-111-111] Dumped HTTP request for https://proapp.angi.com/?link=https://www.google.com%23proapp.angi.com

GET /?link=https://www.google.com%23proapp.angi.com HTTP/1.1
Host: proapp.angi.com
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-111-111] Dumped HTTP response https://proapp.angi.com/?link=https://www.google.com%23proapp.angi.com

HTTP/1.1 302 Found
Connection: close
Accept-Ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Accept-Ranges: bytes
Alt-Svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Security-Policy: script-src 'report-sample' 'nonce-uShvc_gKJ2U1x376g3A3JA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DurableDeepLinkUi/cspreport;worker-src 'self',script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://www.googleapis.com/appsmarket/v2/installedApps/;report-uri /_/DurableDeepLinkUi/cspreport/allowlist,require-trusted-types-for 'script';report-uri /_/DurableDeepLinkUi/cspreport
Content-Type: application/binary
Cross-Origin-Opener-Policy: unsafe-none
Cross-Origin-Resource-Policy: same-site
Date: Mon, 18 Nov 2024 15:26:28 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Location: https://www.google.com#proapp.angi.com
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Pragma: no-cache
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, x-fh-requested-host, accept-encoding
X-Cache: MISS
X-Cache-Hits: 0
X-Served-By: cache-sjc1000104-SJC
X-Timer: S1731943588.908645,VS0,VE151
Content-Length: 0

[CVE-111-111:dsl-1] [http] [critical] https://proapp.angi.com/?link=https://www.google.com%23proapp.angi.com
```
```console
root@localhost:~/technology/nuclei-yeni-templatem# nuclei -u https://proapp.angi.com -t CVE-111-111.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.5

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.5 (latest)
[INF] Current nuclei-templates version: v10.0.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 74
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-111-111] Dumped HTTP request for https://proapp.angi.com/?link=https://www.google.com%23proapp.angi.com

GET /?link=https://www.google.com%23proapp.angi.com HTTP/1.1
Host: proapp.angi.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.6.17
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-111-111] Dumped HTTP response https://proapp.angi.com/?link=https://www.google.com%23proapp.angi.com

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Accept-Ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Accept-Ranges: bytes
Alt-Svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DurableDeepLinkUi/cspreport,script-src 'nonce-kPQXQbT-nxrysFALKgPS3w' 'unsafe-inline';object-src 'self';base-uri 'self';report-uri /_/DurableDeepLinkUi/cspreport;worker-src 'self',script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://www.googleapis.com/appsmarket/v2/installedApps/;report-uri /_/DurableDeepLinkUi/cspreport/allowlist
Content-Type: text/html; charset=utf-8
Cross-Origin-Opener-Policy: unsafe-none
Cross-Origin-Resource-Policy: same-site
Date: Mon, 18 Nov 2024 15:26:32 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Pragma: no-cache
Reporting-Endpoints: default="/_/DurableDeepLinkUi/web-reports?context=eJzjctHikmLw0pBiUAzbySTx9SWTBhA7pc9gDQLi1pvnWKcCcdK_86xFQGyocInVEYhVey6xmgJxkcQV1iYgFuLhWLHz7U42gY6us2sYlTSS8gvjU0qLEpNyUlNSUwtyMvOyi1OLylKL4o0MjEwMDQ3M9Qws4gsMAIMnLjg"
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, x-fh-requested-host, accept-encoding
X-Cache: MISS
X-Cache-Hits: 0
X-Served-By: cache-sjc1000144-SJC
X-Timer: S1731943592.245384,VS0,VE128
X-Ua-Compatible: IE=edge
```
***************************************
When I run it at the top, it returns a 302 status code, but when I run it at the bottom, the status code 200 is returned and the google.com source code appears. From here we understand that there is a problem with the routing mechanism. It automatically redirects to google.com and therefore no security vulnerability can be found.
Expected Behavior
If redirects is not set to true, no redirect should occur. Although the page should not redirect, in the above explanation, sometimes it redirects automatically.
Steps To Reproduce
Run it about 10 times in a row and you will see that the redirect will not be found. (10 times is just an estimate. Most of the time it will find the vulnerability, but there will be times when it cannot be found.)
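An added note on the two -debug runs above, not part of the original report: the two dumped requests differ in their User-Agent header (Chrome on Linux for the run that got the 302, Safari on macOS for the run that got the 200), which is worth ruling out as the cause before concluding that nuclei followed the redirect. The Python script below, added here and not taken from the report or from nuclei, parses the two dumped responses (constructed inline, trimmed to the relevant headers), applies the template's DSL matcher to each, and adds a host-based open-redirect check that is not fooled by the `#proapp.angi.com` fragment in the Location value.

```python
from urllib.parse import urlsplit

# Constructed inputs: the two responses dumped in the -debug runs above, trimmed
# to the headers the matcher and the host check actually look at.
RESP_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.google.com#proapp.angi.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESP_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<!doctype html><html lang=\"en-US\"><head>...</head></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body

def template_matcher(raw):
    """The report's DSL matcher: status_code == 302 and both substrings in the raw header block."""
    status_code, _, _ = parse_response(raw)
    header_block = raw.partition("\r\n\r\n")[0]
    return status_code == 302 and "google.com" in header_block and "#proapp.angi" in header_block

def redirect_target_host(raw):
    """Host a browser would navigate to, or None when the response is not a redirect.
    urlsplit() drops the '#proapp.angi.com' fragment, so the host is www.google.com even
    though a substring check on the Location value would still 'see' proapp.angi.com."""
    status_code, headers, _ = parse_response(raw)
    if status_code not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    return urlsplit(headers["location"]).hostname

def is_open_redirect(raw, expected_host):
    """Defender's check: flag any redirect whose parsed target host is not the expected host."""
    target = redirect_target_host(raw)
    return target is not None and target != expected_host
```

Pinning a single User-Agent for the reproduction (nuclei's `-random-agent` option rotates it per request) and comparing the parsed Location host, rather than the raw header string, separates a real server-side behaviour change from a tooling artefact.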