v3.3.6

⚠️ Breaking Changes:

• The -enable-self-contained or -esc flag is now required to load self-contained templates.
• The -file flag must be used to enable loading file templates.

What's Changed

🎉 New Features

• Added analyzer support and time based delay analyzer for DAST mode by @Ice3man543 in #5781

See Analyzer documentation here: https://docs.projectdiscovery.io/templates/protocols/http/fuzzing-overview#analyzer

• Added batch output support for JSONL output format by @kchason in #5705

Configuration options for JSONL exporter:

jsonl:
 # file is the file to export found JSONL result to
 file: ""
 # omit-raw whether to exclude the raw request and response from the output
 omit-raw: false
 # batch-size the number of records to keep in memory before writing them out to the JSONL file or 0 to disable batching (default)
 batch-size: 0

• Added ENV variable handling in dynamic secret file by @alban-stourbe-wmx in #5835

Secrets can be set using ENV variables or defined with -v and -env-vars options:

Env based secret

variables:
   - key: password
     value: $PASSWORD

Config file / Flag based secrets ( using -env-vars or -vars )

variables:
     - key: password
     - value: {{password}}

🐞Bug Fixes

• Fixed code protocol template execution issues by @tarunKoyalwar in #5767
• Fixed panic error in -stats option by @dogancanbakir in #5774
• Fixed the issue with Jira tracker related to find request by @Ice3man543 in #5798
• Fixed workflow validation logic by @dogancanbakir in #5805
• Fixed data race in protocolstate, contextargs and outdated tests by @dwisiswant0 in #5820

Other Changes

• Disabled self-contained and file protocol templates as default by @dogancanbakir in #5825
  • -esc flag (self-contained templates) is implicitly enabled when -code flag is used.
• Added SDK functions to improve nuclei store and workflow access by @iuliu8899 in #5766
• Fixed typo in headless protocol error message by @dmaciejak in #5768
• Added missing backtick in DESIGN document by @chengehe in #5789
• Improved GitHub Auto-Merge workflow by @dwisiswant0 in #5784
• Added SDK function to allow setting custom variables by @alban-stourbe-wmx in #5678
• Improved GitHub workflows to run concurrently by @dwisiswant0 in #5818

New Contributors

• @dmaciejak made their first contribution in #5768
• @chengehe made their first contribution in #5789

Full Changelog: v3.3.5...v3.3.6

v3.3.5

What's Changed

🎉 New Features

• Added support for global matchers / extractors in http templates by @dwisiswant0 in #5701
• Added support for MongoDB for results reporting by @kchason in #5688
• Added support for stop-at-first-match in network templates by @RamanaReddy0M in #5554

🐞Bug Fixes

• Fixed an issue with {{interactsh-url}} replacement in network template by @RamanaReddy0M in #5677
• Fixed issue with multipart fuzzing and support for filename, content-type in multipart by @Ice3man543 in #5702
• Fixed issue to expose ssl part definitions by @dogancanbakir in #5710
• Fixed issue boolean value on successful ldap authentication by @RamanaReddy0M in #5682
• Fixed issue with LDAP metadata collection by @RamanaReddy0M in #5683
• Fixed an issue with memguard (SDK) by @dany74q in #5714
• Fixed issue with input helper (SDK) by @iuliu8899 in #5712
• Fixed an issue with template loading logic (SDK) by @dogancanbakir in #5733

Other Changes

• Added support to generate trace file when using -profile-mem option by @dwisiswant0 in #5690
• Added support for -var-dump-limit to control response char limit with -svd option by @dwisiswant0 in #5676

See https://github.com/projectdiscovery/nuclei/milestone/64?closed=1 for all the issues closed in release.

New Contributors

• @vil02 made their first contribution in #5687
• @dany74q made their first contribution in #5714
• @iuliu8899 made their first contribution in #5712

Full Changelog: v3.3.4...v3.3.5

v3.3.4

What's Changed

• Fixed (hopefully) skipping target list as found unresponsive erroneously by @tarunKoyalwar in #5668

Full Changelog: v3.3.3...v3.3.4

v3.3.3

What's Changed

🎉 New Features

• Added linear issue tracker support by @Ice3man543 in #5601

linear:
  # api-key is the API key for the linear account
  api-key: ""
  # allow-list sets a tracker level filter to only create issues for templates with
  # these severity labels or tags (does not affect exporters. set those globally)
  deny-list:
    severity: critical
  # deny-list sets a tracker level filter to never create issues for templates with
  # these severity labels or tags (does not affect exporters. set those globally)
  deny-list:
    severity: low
  # team-id is the ID of the team in Linear
  team-id: ""
  # project-id is the ID of the project in Linear
  project-id: ""
  # duplicate-issue-check flag to enable duplicate tracking issue check
  duplicate-issue-check: false
  # open-state-id is the ID of the open state in Linear
  open-state-id: ""

See docs for more details.

• Added support to upload nuclei existing scan results to dashboard by @RamanaReddy0M in #5603

   -pdu, -dashboard-upload string  upload / view nuclei results file (jsonl) in projectdiscovery cloud (pdcp) UI dashboard

 $ ./nuclei -pdu nucle_results.jsonl 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.3

		projectdiscovery.io

[INF] Uploading scan results to cloud dashboard from test
[INF] 7 Scan results uploaded to cloud, you can view scan results at https://cloud.projectdiscovery.io/scans/crqho0h1c9fs73f1rth0?team_id=none

• Added support for additional headless lifecycle events by @dwisiswant0 in #5632

Newly supported events:

• waitdom
• waitfcp
• waitfmp
• waitidle
• waitstable

See docs for more details.

🐞Bug Fixes

• Fixed issue with max-host-error with concurrency by @dwisiswant0 in #5633
• Fixed issue with parsing OpenAPI http security schemes on empty values by @RamanaReddy0M in #5606
• Fixed loading dynamic auth templates with fuzzing by @RamanaReddy0M in #5646
• Fixed issue with MySQL connection with special characters in password by @RamanaReddy0M in #5604
• Fixed issue with WithProxy err by @dogancanbakir in #5626
• Fixed missing template_url for signed templates by @RamanaReddy0M in #5644
• Fixed nil pointer error with addCNameIfAvailable from using closed Dialer by @dwisiswant0 in #5665
• Fixed issue in event generation using -ms option with clustering by @Ice3man543 in #5653
• Fixed issue with Input Clone when the workflow execution forks by @tovask in #5621
• Fixed failing integration tests by @RamanaReddy0M in #5647

🔨 Maintenance

• Added support for fs.FS in template parsing by @doug-threatmate in #5421

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/63?closed=1

Full Changelog: v3.3.2...v3.3.3

v3.3.2

What's Changed

🎉 New Features

• Added ActionWaitDialog type in headless protocol to simplify XSS detection by @dwisiswant0 in #5545

See docs for more details.

🔨 Maintenance

• Migrated issue template to issue form by @dwisiswant0 in #5538
• Upgraded gitlab api version by @AdallomRoy in #5551

⚠️ Security

• Fixed security issue in template signer package by @GuyGoldenberg @dogancanbakir @Mzack9999 in 0da993a

See GitHub security advisories for detailed information.

Other Changes

• Added jira config to accept issue-type id and project id as optional input by @Ice3man543 in #5537
• Fixed issue with -ms option to scan non accessible host by @dogancanbakir in #5576
• Fixed race condition issue by @dogancanbakir in #5547
• Fixed panic in list input with dast option by @dwisiswant0 in #5558

New Contributors

• @AdallomRoy made their first contribution in #5551
• @PeterDaveHello made their first contribution in #5578
• @linchizhen made their first contribution in #5586

Full Changelog: v3.3.1...v3.3.2

v3.3.1

What's Changed

🎉 New Features

• Added team-id option to upload results to specific team workspace by @RamanaReddy0M in #5523

Option:

   -tid, -team-id string  upload scan results to given team id (optional) (default "none")

Example:

nuclei -pt dns -u example.com -cloud-upload -team-id cqlmoalcm2sc73eut1b0

• Added redaction support in output file by @dogancanbakir in #5463

Option:

   -rd, -redact string[]  redact given list of keys from query parameter, request header and body

Example:

nuclei -pt dns -u example.com -redact api_key,x-api-key,user-agent

• Added support for multiple auth strategies per target from secret file by @RamanaReddy0M in #5500
• Added support to generate matcher-status event for javascript protocol by @tarunKoyalwar in #5450
• Added workflows in SDK example by @alban-stourbe-wmx in #5409
• Added skip-secret-file template attribute to disable auth per template by @dwisiswant0 in #5522

🐞 Bug Fixes

• Fixed FileAuthProvider stores the same strategy for each entry by @mrschyte in #5474
• Fixed circular references in OpenAPI parsing(fuzzing) by @trypa11 in #5491
• Fixed file protocol missing vars in flow & multi-protocol by @tarunKoyalwar in #5480
• Fixed issue assign customHeaders to the map directly by @dwisiswant0 in #5445
• Fixed issue with input transformation to multi-protocol templates by @mhmdiaa in #5426
• Fixed missing close statements file.Close() & ticker.Stop() by @ShuBo6 in #5436
• Fixed nil panic by @tarunKoyalwar in #5473
• Fixed server URL path for OpenAPI parsing by @trypa11 in #5504
• Fixed unresolved interactsh-url variable with fuzzing by @RamanaReddy0M in #5289
• Fixed unresolved variables error with dast templates by @RamanaReddy0M in #5443

🔨 Maintenance

• ci: don't clean modules cache by @dwisiswant0 in #5519
• ci: use composite actions by @dwisiswant0 in #5483

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/61?closed=1

New Contributors

• @fudancoder made their first contribution in #5432
• @ShuBo6 made their first contribution in #5436
• @Jarnpher553 made their first contribution in #5419
• @mhmdiaa made their first contribution in #5426
• @alban-stourbe-wmx made their first contribution in #5409
• @mrschyte made their first contribution in #5474
• @trypa11 made their first contribution in #5504

Full Changelog: v3.3.0...v3.3.1

v3.3.0

What's Changed

🐞 Bug Fixes

• Fixed security issue with use of custom workflows by @Mzack9999 in #5318
• Fixed issue to reduce memory usage by javascript templates by @Mzack9999 in #5291
• Fixed target loading issue with -input-mode option by @RamanaReddy0M in #5369
• Fixed issue with stop-at-first-match option in headless mode with fuzzing by @RamanaReddy0M in #5330
• Fixed issue with ldap search function by @tarunKoyalwar in #5356
• Fixed issue with ExecuteWithResults function not returning expected results (SDK) by @boy-hack in #5376

Other Changes

• Added cname information in http protocol when available by @tarunKoyalwar in #5389
• Added goja function (isUDPPortOpen) to check UDP port by @RamanaReddy0M in #5397
• Added sdk option to disable update check (SDK) by @dogancanbakir in #5346
• Added support to use fs.FS when explicitly given (SDK) by @doug-threatmate in #5312
• Added timeouts config in types.Options (SDK) by @dogancanbakir in #5228
• Improved ldap output with custom type to return additional information by @tarunKoyalwar in #5387
• Improved template clustering performance by @KristinnVikar in #5319

Caution

In this release, with the changes in #5228, the following options have been removed from the CLI. They are now configured implicitly and can be customized via SDK usage.

 -dt, -dialer-timeout value  timeout for network requests.
 -rrt, -response-read-timeout value  response read timeout in seconds (default 5s)

New Contributors

• @KristinnVikar made their first contribution in #5319
• @boy-hack made their first contribution in #5376

Full Changelog: v3.2.9...v3.3.0

v3.2.9

What's Changed

🎉 New Features

• Fuzzing feature enhancements by @Ice3man543 in #5139
  • Added part: request to fuzz all the keys in request with fuzzing templates.
  • Added -fuzz-aggression CLI option to control fuzz aggression via template.
  • Added -fuzz-param-frequency option to control counter for skipping uninteresting parameter.
  • Added -display-fuzz-points option to display fuzzing points (for debugging).
• PDCP Team ID input support via environment variable to upload results into team account by @tarunKoyalwar in #5295

export PDCP_TEAM_ID=cphlrbmnr2khg33n6ik1

Note

Team ID is optional input and can be obtained from https://cloud.projectdiscovery.io/settings/team. If provided, results will be uploaded to the team account instead of your personal account.

🐞 Bug Fixes

• Fixed slow scan for hosts blocked WAF or getting timed out by @Mzack9999 in #5275
• Fixed issues with multi-thread execution by @Mzack9999 in #5187
• Fixed panic on failed raw request by @tarunKoyalwar in #5230
• Fixed ExecuteCallbackWithCtx to use the context that was provided by @doug-threatmate in #5236
• Fixed nil deref err in reporting by @dogancanbakir in #5283
• Fixed types.RequestResponse url field UnmarshalJSON by @LazyMaple in #5267
• Fixed tempalte validation by @RamanaReddy0M in #5261
• Fixed severity filter for per tracker reporting filters by @Ice3man543 in #5297

Other Changes

• Added Spanish translation of README by @MachadoOtto in #5242
• Added Japanese translation of README by @eltociear in #5259
• Added timestamp in error log (-elog) with -ts option by @oscarintherocks in #5292

New Contributors

• @doug-threatmate made their first contribution in #5236
• @MachadoOtto made their first contribution in #5242
• @eltociear made their first contribution in #5259
• @oscarintherocks made their first contribution in #5292
• @LazyMaple made their first contribution in #5267

Full Changelog: v3.2.8...v3.2.9

v3.2.8

What's Changed

🐞 Bug Fixes

• Fixed multiple bug fixes + performance improvements by @tarunKoyalwar in #5148
• Fixed more goroutine leaks by @Ice3man543 in #5188
• Fixed issue network interface selection in case of multiple interface by @Mzack9999 in #5186
• Fixed issue with ssl protocol in case of multi request by @Mzack9999 in #5203

Issues closed in release - https://github.com/projectdiscovery/nuclei/milestone/58?closed=1

Full Changelog: v3.2.7...v3.2.8

v3.2.7

What's Changed

🎉 New Features

• Added support for multiple search query in templates to run with -uncover option by @RamanaReddy0M in #5132
• Added -scan-name input support for pdcp result upload by @tarunKoyalwar in #5155

   -sname, -scan-name string  scan name to set (optional)

🐞 Bug Fixes

• Fixed race condition (panic) in host spray mode by @Mzack9999 in #5168
• Fixed a bug for multiple input with -u option by @dogancanbakir in #5147
• Fixed a bug in issue reporting with severity filter by @Ice3man543 in #5166
• Fixed a bug in pdcp result upload for results with no severity by @tarunKoyalwar in #5155

Other Changes

• Added context support in sdk by @tarunKoyalwar in #5154

Full Changelog: v3.2.6...v3.2.7