From 03d27cf31c42acf126e695c2ba8fb702e23610ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ou=C5=A1ek?= <brousek@ics.muni.cz>
Date: Thu, 14 Mar 2024 14:50:08 +0100
Subject: [PATCH] feat: headless template
---
 README.md | 4 +-
 nuclei-templates/saml-headless.yaml | 71 +++++++++++++++++++++++++++++
 nuclei-templates/saml-raw.yaml | 4 +-
 3 files changed, 75 insertions(+), 4 deletions(-)
 create mode 100644 nuclei-templates/saml-headless.yaml
diff --git a/README.md b/README.md
index 8c35b77..d3e8cf5 100644
--- a/README.md
+++ b/README.md
@@ -38,14 +38,14 @@ Then you need to connect SPs to the conformance IdP (exchange metadata), so that
 Run against one target:
 ```sh
-nuclei -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
+nuclei --headless -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
 -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30
 ```
 or using docker:
 ```sh
-docker run --rm -v ./:/app/ projectdiscovery/nuclei -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
+docker run --rm -v ./:/app/ projectdiscovery/nuclei --headless -u ACS_URL_HERE -V "ENTITY_ID=ENTITY_ID_HERE" -V "AUTHORIZATION=AUTHORIZATION_HERE" \
 -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30
 ```
diff --git a/nuclei-templates/saml-headless.yaml b/nuclei-templates/saml-headless.yaml
new file mode 100644
index 0000000..4cb596a
--- /dev/null
+++ b/nuclei-templates/saml-headless.yaml
@@ -0,0 +1,71 @@
+id: saml-headless-all
+info:
+ name: SAML signature validation
+ author: T&I Incubator, GÉANT
+ severity: high
+ tags: saml,headless
+variables:
+ AUTHORIZATION: "Bearer abcd...789"
+ CONFORMANCE_IDP_HOSTNAME: conformance-idp.maiv1.incubator.geant.org
+ RESULT_OUTPUT_DIR: ""
+ FILENAME: '{{date_time("%Y-%M-%D_%H-%m-%s")}}-{{replace_regex(BaseURL,"(\\W+)","_")}}'
+ TEST_CASES:
+ - noSignature
+ - invalidSignature
+ TEST_CASE: standardResponse # default
+
+# first test standard response, then each test case
+flow: |
+ headless();
+ set("VALID_STATUS_CODE", template["http_status_code"]);
+ set("VALID_BODY", template["http_body"]);
+ for (let testcase of iterate(template["TEST_CASES"])) {
+ set("TEST_CASE", testcase);
+ headless();
+ }
+
+headless:
+ - steps:
+ - action: setheader
+ args:
+ part: request
+ key: Authorization
+ value: "{{AUTHORIZATION}}"
+ - action: navigate
+ args:
+ url: "https://{{CONFORMANCE_IDP_HOSTNAME}}/module.php/conformance/test/setup?testId={{url_encode(TEST_CASE)}}&spEntityId={{url_encode(ENTITY_ID)}}"
+ - action: waitload
+ - action: navigate
+ args:
+ url: "https://{{CONFORMANCE_IDP_HOSTNAME}}/saml2/idp/SSOService.php?spentityid={{url_encode(ENTITY_ID)}}&ConsumerURL={{url_encode(BaseURL)}}"
+ - action: waitload
+ - action: screenshot
+ args:
+ fullpage: "true"
+ mkdir: "true"
+ to: '{{RESULT_OUTPUT_DIR}}{{TEST_CASE}}-{{FILENAME}}'
+ matchers:
+ - type: dsl
+ dsl:
+ # ignore the happy case
+ - '!contains(TEST_CASE, "standardResponse")'
+ # does not work yet, nuclei does not expose the correct values for matchers
+ #- 'status_code == 200 || status_code == 301 || status_code == 302'
+ condition: and
+ # not usable, matches every time
+ #- type: status
+ #status:
+ #- 200
+ #- 301
+ #- 302
+ - type: word
+ part: resp
+ negative: true
+ words:
+ - error
+ - exception
+ matchers-condition: and
+ extractors:
+ - type: dsl
+ dsl:
+ - 'TEST_CASE'
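Review bot: The `setheader` step at the top of the `headless` steps sets `Authorization: {{AUTHORIZATION}}` with `part: request`, which in nuclei's headless mode applies to every request the browser session makes, so the conformance-IdP bearer token is presumably also sent to the target SP when the SSOService navigation posts the response to `ConsumerURL={{url_encode(BaseURL)}}`. If that is confirmed, document it next to the step, e.g. `# NOTE: applies to every request in this session, including the POST to the SP's ACS; use a short-lived, conformance-only token`, and consider a hostname-scoped alternative if one exists. The negative `word` matcher on `error`/`exception` is case-sensitive by default, so an SP error page reading "Error" or "Exception" would still be reported as a high-severity accepted assertion; add `case-insensitive: true` under that matcher. Separately, `VALID_STATUS_CODE` and `VALID_BODY` are set in `flow` but never read by any matcher, which is worth either a comment explaining they are reserved for the disabled status check or removal.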
diff --git a/nuclei-templates/saml-raw.yaml b/nuclei-templates/saml-raw.yaml
index 28124b1..8c8adba 100644
--- a/nuclei-templates/saml-raw.yaml
+++ b/nuclei-templates/saml-raw.yaml
@@ -1,9 +1,9 @@
-id: samlsignaturevalidation
+id: saml-raw-all
 info:
 name: SAML signature validation
 author: T&I Incubator, GÉANT
 severity: high
- tags: saml
+ tags: saml,raw
 variables:
 AUTHORIZATION: "Bearer abcd...789"
 CONFORMANCE_IDP_HOSTNAME: conformance-idp.maiv1.incubator.geant.org
-- GitLab