diff --git a/artemis/config.py b/artemis/config.py
index 582dc8716..bc561d2a5 100644
--- a/artemis/config.py
+++ b/artemis/config.py
@@ -481,8 +481,8 @@ class Nuclei:
                 default=",".join(
                     [
                         "http/vulnerabilities/generic/top-xss-params.yaml",
+                        "http/vulnerabilities/generic/xss-fuzz.yaml",
                         "http/vulnerabilities/generic/basic-xss-prober.yaml",
-                        "/opt/artemis/modules/data/nuclei_templates_custom/xss-inside-tag-top-params.yaml",
                         "http/vulnerabilities/generic/error-based-sql-injection.yaml",
                         "/opt/artemis/modules/data/nuclei_templates_custom/error-based-sql-injection.yaml",
                     ]
diff --git a/artemis/modules/nuclei.py b/artemis/modules/nuclei.py
index 06873e943..318b7a072 100644
--- a/artemis/modules/nuclei.py
+++ b/artemis/modules/nuclei.py
@@ -3,6 +3,7 @@
 import os
 import random
 import subprocess
+import urllib
 from typing import Any, Dict, List
 
 from karton.core import Task
@@ -88,6 +89,10 @@ def _get_links(self, url: str) -> List[str]:
         links = links[: Config.Modules.Nuclei.NUCLEI_MAX_NUM_LINKS_TO_PROCESS]
         return links
 
+    def _strip_query_string(self, url: str) -> str:
+        url_parsed = urllib.parse.urlparse(url)
+        return urllib.parse.urlunparse(url_parsed._replace(query="", fragment=""))
+
     def _scan(self, templates: List[str], targets: List[str]) -> List[Dict[str, Any]]:
         if not targets:
             return []
@@ -158,7 +163,10 @@ def run_multiple(self, tasks: List[Task]) -> None:
         links_per_task = {}
         links = []
         for task in tasks:
-            links_per_task[task.uid] = self._get_links(get_target_url(task))
+            links = self._get_links(get_target_url(task))
+            # Let's scan both links with stripped query strings and with original one. We may catch a bug on either
+            # of them.
+            links_per_task[task.uid] = list(set(links) | set([self._strip_query_string(link) for link in links]))
             self.log.info("Links for %s: %s", get_target_url(task), links_per_task[task.uid])
             links.extend(links_per_task[task.uid])
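Review bot: The added `import urllib` does not by itself bind the `urllib.parse` submodule — `urllib` is a package whose submodules are attached only once something imports them — so the `urllib.parse.urlparse` and `urllib.parse.urlunparse` calls in the `_strip_query_string` hunk below only work if another module loaded in the same process happened to import `urllib.parse` first. Change the added line to `import urllib.parse`; the same point applies to the helper hunk and is not repeated there. The import block continues outside the hunk.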
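Review bot: `_strip_query_string` has no docstring, and its name undersells what it does: the `_replace(query="", fragment="")` call drops the fragment as well as the query string, which anyone later checking which targets were scanned will want to know. Suggest adding `"""Return *url* with its query string and fragment removed; scheme, host and path are kept."""` and, since the method never reads `self`, marking it `@staticmethod`. `_replace` is the documented namedtuple API on the `ParseResult` that `urlparse` returns, so the leading underscore is not a private-access problem here.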
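Review bot: The new `links = self._get_links(get_target_url(task))` line rebinds the `links` accumulator that is initialised to `[]` just before the loop, so the `links.extend(links_per_task[task.uid])` on the hunk's last visible line now extends the current task's own list instead of the cross-task one, and each iteration discards everything collected for earlier tasks. Use a separate local, e.g. `task_links = self._get_links(get_target_url(task))`, and build the union from it: `links_per_task[task.uid] = sorted(set(task_links) | {self._strip_query_string(link) for link in task_links})`. Sorting also makes the logged list and the scan order stable across runs, since `list(set(...))` over strings changes order with hash randomisation. run_multiple continues outside the hunk; whatever consumes `links` after the loop is where the dropped links would surface.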