
[BUG] Authenticated scans fail when redirects are enabled #6231

@umbernhard

Description

Is there an existing issue for this?

  • I have searched the existing issues.

Current Behavior

If I use the following login template for dynamic authenticated login, it works fine when redirects are turned off. However, when I enable redirects (via -fr), it fails, even though AFAICT it is successfully extracting the cookie I need (see the logs below).

The way this page works, once the login creds are POSTed, a 302 is issued with the cookie, and then the user is redirected to another page ending with a 200. Looking at the debug output (see below), nuclei is reporting that the 200 response is getting sent before the 302, which doesn't make any sense to me, and makes me wonder if this issue is possibly related to #5171.

I messed around with the DSL response ordering too, to no avail (i.e. checking for the cookie in header_1 in addition to header).

I also tried disabling redirects in the template itself via redirect: false, but I think -fr overrides that?

Expected Behavior

I expect that redirects wouldn't impact whether the dynamic login script works or not.

Steps To Reproduce

Template:

id: login
info:
  name:  login script
  author: umbernhard
  severity: info
  tags: login

http:
  - raw:
      - |
        GET /login/Admin/Account/Login HTTP/2
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: token
        part: body
        internal: true
        group: 1
        regex:
          - '<input name="__RequestVerificationToken" type="hidden" value="(.*?)" />'
  - raw:
      - |
        POST /login/Admin/Account/Login HTTP/2
        Host: {{Hostname}}

        ReturnUrl=&Email={{url_encode(email)}}&Password={{password}}&button=login&__RequestVerificationToken={{token}}

    matchers:
      # The first load is the redirect
      - type: dsl
        dsl:
          - "contains((header), '__Host-ev-app-auth')"
    extractors:
      - type: regex
        name: ev-app-auth
        part: header
        group: 1
        regex:
          - "Set-Cookie: __Host-ev-app-auth=(.*?); max-age=1800; path=/; secure; samesite=lax; httponly"

Invocation that works:

nuclei -u https://<hostname> -sf secrets.yaml

Invocation that doesn't work:

nuclei -u https://<hostname> -sf secrets.yaml -fr

Relevant log output

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.4

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.4.4 (latest)
[INF] Current nuclei-templates version: v10.2.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 42
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [login] Dumped HTTP request for <hostname>

GET /login/Admin/Account/Login HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

[VER] [login] Sent HTTP request to <hostname>
[DBG] [login] Dumped HTTP response <hostname>

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store
Content-Type: text/html; charset=utf-8
Cross-Origin-Embedder-Policy: unsafe-none
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Sat, 17 May 2025 20:22:06 GMT
Permissions-Policy: microphone=(), geolocation=()
Pragma: no-cache
Referrer-Policy: no-referrer
Set-Cookie: {{token}}; path=/login; secure; samesite=strict; httponly
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ev-Fd: 1
X-Frame-Options: SAMEORIGIN

...login page contents...

[INF] [login] Dumped HTTP request for <hostname>
POST /login/Admin/Account/Login HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Connection: close
Content-Length: 278
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: {{token}}
Origin: null
Priority: u=0, i
Sec-Ch-Ua: "Not.A/Brand";v="99", "Chromium";v="136"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1

ReturnUrl=&Email={{email}}&Password={{password}}&button=login&__RequestVerificationToken={{token}}
[VER] [login] Sent HTTP request to <hostname>
[DBG] [login] Dumped HTTP response <hostname>

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store
Content-Type: text/html; charset=utf-8
Cross-Origin-Embedder-Policy: unsafe-none
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Sat, 17 May 2025 20:22:07 GMT
Permissions-Policy: microphone=(), geolocation=()
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ev-Fd: 1
X-Frame-Options: SAMEORIGIN

....request body (it's an HTML page)

[DBG] [login] Dumped HTTP response <hostname>

HTTP/1.1 302 Found
Connection: close
Content-Length: 0
Cache-Control: no-cache,no-store
Cross-Origin-Embedder-Policy: unsafe-none
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Sat, 17 May 2025 20:22:07 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: /login/Admin/ProductDashboard
Permissions-Policy: microphone=(), geolocation=()
Pragma: no-cache
Referrer-Policy: no-referrer
Set-Cookie: __Host-ev-app-auth=<cookie-value>; max-age=1800; path=/; secure; samesite=lax; httponly
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ev-Fd: 1

[login:hascookie] [http] [info] <hostname> ["<cookie-value>"]
[FTL] Could not fetch dynamic secret: no result found for template: login.yaml

Environment

- OS: MacOS
- Nuclei: 3.4.4
- Go: N/A (installed via homebrew)

Anything else?

No response
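To illustrate the redirect behaviour the report describes, here is an added Go example (not nuclei's code, and not posted by the reporter): a constructed httptest server answers the login POST with a 302 that carries the session cookie and answers the redirect target with a plain 200, and a net/http client shows where that Set-Cookie is still visible with and without redirect-following. The server, paths, cookie name (simplified to ev-app-auth, without the __Host- prefix or Secure, since the test server speaks plain HTTP) and credentials are all made up for the example; whether nuclei's -fr path loses the header in the same way is not established by the report.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
)

// LoginResult records what a client observes after POSTing to the login form.
type LoginResult struct {
	FinalStatus        int    // status of the response the client hands back
	FinalSetCookie     string // Set-Cookie on that final response ("" if absent)
	IntermediateCookie string // Set-Cookie seen on the 302 while a redirect is followed
	JarCookie          string // value the cookie jar retained, whichever hop set it
}

// newLoginServer is a constructed stand-in for the flow in the report:
// POST /login answers 302 + Set-Cookie; the Location target answers 200 with no cookie.
func newLoginServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		http.SetCookie(w, &http.Cookie{
			Name: "ev-app-auth", Value: "session-123", Path: "/", MaxAge: 1800, HttpOnly: true,
		})
		http.Redirect(w, r, "/dashboard", http.StatusFound)
	})
	mux.HandleFunc("/dashboard", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>dashboard</body></html>")
	})
	return httptest.NewServer(mux)
}

// login POSTs the form and reports where the session cookie was visible.
// followRedirects=false returns the 302 itself (Set-Cookie is on it, like a scan
// without -fr). followRedirects=true returns the final 200; the 302's headers are
// then only reachable via req.Response inside CheckRedirect, or via the jar.
func login(base string, followRedirects bool) (LoginResult, error) {
	var res LoginResult
	jar, err := cookiejar.New(nil)
	if err != nil {
		return res, err
	}
	client := &http.Client{Jar: jar}
	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		if !followRedirects {
			return http.ErrUseLastResponse // hand back the 302 untouched
		}
		// req.Response is the 3xx response that produced this next hop.
		if c := req.Response.Header.Get("Set-Cookie"); c != "" {
			res.IntermediateCookie = c
		}
		return nil
	}
	// Constructed credentials; the server never checks them.
	form := url.Values{"Email": {"admin@example.test"}, "Password": {"hunter2"}}
	resp, err := client.Post(base+"/login", "application/x-www-form-urlencoded",
		strings.NewReader(form.Encode()))
	if err != nil {
		return res, err
	}
	defer resp.Body.Close()
	res.FinalStatus = resp.StatusCode
	res.FinalSetCookie = resp.Header.Get("Set-Cookie")
	u, _ := url.Parse(base)
	for _, c := range jar.Cookies(u) {
		if c.Name == "ev-app-auth" {
			res.JarCookie = c.Value
		}
	}
	return res, nil
}

func main() {
	srv := newLoginServer()
	defer srv.Close()
	for _, follow := range []bool{false, true} {
		r, err := login(srv.URL, follow)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("follow=%-5v status=%d final Set-Cookie=%q intermediate=%q jar=%q\n",
			follow, r.FinalStatus, r.FinalSetCookie, r.IntermediateCookie, r.JarCookie)
	}
}
```

With redirects off the client returns the 302 and the cookie sits in its Set-Cookie header; with redirects on the client returns the 200, whose headers do not contain the cookie at all, and the value survives only in the CheckRedirect hook (the intermediate response) or in the cookie jar. A matcher or extractor that inspects only the final response's headers therefore cannot see the cookie once redirects are followed.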
