Releases: projectdiscovery/nuclei
v3.3.7
What's Changed
🎉 New Features
- Added
OS_MAX_THREADS_ENV
environment variable to control the maximum number of OS threads the Go program can utilize by @dogancanbakir in #5622 - Added
-enable-global-matchers
option to control the execution of global matchers by @dwisiswant0 in #5857
🐞Bug Fixes
- Fixed template signing signature issue caused by OS-specific line breaks (CRLF vs LF) by @tarunKoyalwar in #5869
- Fixed trailing comma issue in JSONL exporeter by @bf-rbrown in #5861
- Fixed template listing issue by ensuring default settings are respected by @dogancanbakir in #5846
New Contributors
- @bf-rbrown made their first contribution in #5861
Full Changelog: v3.3.6...v3.3.7
v3.3.6
⚠️ Breaking Changes:
- The
-enable-self-contained
or-esc
flag is now required to load self-contained templates. - The
-file
flag must be used to enable loading file templates.
What's Changed
🎉 New Features
- Added analyzer support and time based delay analyzer for DAST mode by @Ice3man543 in #5781
See Analyzer documentation here: https://docs.projectdiscovery.io/templates/protocols/http/fuzzing-overview#analyzer
Configuration options for JSONL exporter:
jsonl:
# file is the file to export found JSONL result to
file: ""
# omit-raw whether to exclude the raw request and response from the output
omit-raw: false
# batch-size the number of records to keep in memory before writing them out to the JSONL file or 0 to disable batching (default)
batch-size: 0
- Added ENV variable handling in dynamic secret file by @alban-stourbe-wmx in #5835
Secrets can be set using ENV variables or defined with -v
and -env-vars
options:
Env based secret
variables:
- key: password
value: $PASSWORD
Config file / Flag based secrets ( using -env-vars or -vars )
variables:
- key: password
- value: {{password}}
🐞Bug Fixes
- Fixed code protocol template execution issues by @tarunKoyalwar in #5767
- Fixed panic error in
-stats
option by @dogancanbakir in #5774 - Fixed the issue with Jira tracker related to find request by @Ice3man543 in #5798
- Fixed workflow validation logic by @dogancanbakir in #5805
- Fixed data race in
protocolstate
,contextargs
and outdated tests by @dwisiswant0 in #5820
Other Changes
- Disabled self-contained and file protocol templates as default by @dogancanbakir in #5825
-esc
flag (self-contained templates) is implicitly enabled when-code
flag is used.
- Added SDK functions to improve nuclei store and workflow access by @iuliu8899 in #5766
- Fixed typo in headless protocol error message by @dmaciejak in #5768
- Added missing backtick in DESIGN document by @chengehe in #5789
- Improved GitHub Auto-Merge workflow by @dwisiswant0 in #5784
- Added SDK function to allow setting custom variables by @alban-stourbe-wmx in #5678
- Improved GitHub workflows to run concurrently by @dwisiswant0 in #5818
New Contributors
- @dmaciejak made their first contribution in #5768
- @chengehe made their first contribution in #5789
Full Changelog: v3.3.5...v3.3.6
v3.3.5
What's Changed
🎉 New Features
- Added support for global matchers / extractors in http templates by @dwisiswant0 in #5701
- Added support for MongoDB for results reporting by @kchason in #5688
- Added support for
stop-at-first-match
in network templates by @RamanaReddy0M in #5554
🐞Bug Fixes
- Fixed an issue with
{{interactsh-url}}
replacement in network template by @RamanaReddy0M in #5677 - Fixed issue with multipart fuzzing and support for filename, content-type in multipart by @Ice3man543 in #5702
- Fixed issue to expose ssl part definitions by @dogancanbakir in #5710
- Fixed issue boolean value on successful ldap authentication by @RamanaReddy0M in #5682
- Fixed issue with LDAP metadata collection by @RamanaReddy0M in #5683
- Fixed an issue with memguard (SDK) by @dany74q in #5714
- Fixed issue with input helper (SDK) by @iuliu8899 in #5712
- Fixed an issue with template loading logic (SDK) by @dogancanbakir in #5733
Other Changes
- Added support to generate trace file when using
-profile-mem
option by @dwisiswant0 in #5690 - Added support for
-var-dump-limit
to control response char limit with-svd
option by @dwisiswant0 in #5676
See https://github.com/projectdiscovery/nuclei/milestone/64?closed=1 for all the issues closed in release.
New Contributors
- @vil02 made their first contribution in #5687
- @dany74q made their first contribution in #5714
- @iuliu8899 made their first contribution in #5712
Full Changelog: v3.3.4...v3.3.5
v3.3.4
What's Changed
- Fixed (hopefully) skipping target list as found unresponsive erroneously by @tarunKoyalwar in #5668
Full Changelog: v3.3.3...v3.3.4
v3.3.3
What's Changed
🎉 New Features
- Added linear issue tracker support by @Ice3man543 in #5601
linear:
# api-key is the API key for the linear account
api-key: ""
# allow-list sets a tracker level filter to only create issues for templates with
# these severity labels or tags (does not affect exporters. set those globally)
deny-list:
severity: critical
# deny-list sets a tracker level filter to never create issues for templates with
# these severity labels or tags (does not affect exporters. set those globally)
deny-list:
severity: low
# team-id is the ID of the team in Linear
team-id: ""
# project-id is the ID of the project in Linear
project-id: ""
# duplicate-issue-check flag to enable duplicate tracking issue check
duplicate-issue-check: false
# open-state-id is the ID of the open state in Linear
open-state-id: ""
See docs for more details.
- Added support to upload nuclei existing scan results to dashboard by @RamanaReddy0M in #5603
-pdu, -dashboard-upload string upload / view nuclei results file (jsonl) in projectdiscovery cloud (pdcp) UI dashboard
$ ./nuclei -pdu nucle_results.jsonl
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.3.3
projectdiscovery.io
[INF] Uploading scan results to cloud dashboard from test
[INF] 7 Scan results uploaded to cloud, you can view scan results at https://cloud.projectdiscovery.io/scans/crqho0h1c9fs73f1rth0?team_id=none
- Added support for additional headless lifecycle events by @dwisiswant0 in #5632
Newly supported events:
- waitdom
- waitfcp
- waitfmp
- waitidle
- waitstable
See docs for more details.
🐞Bug Fixes
- Fixed issue with
max-host-error
withconcurrency
by @dwisiswant0 in #5633 - Fixed issue with parsing OpenAPI http security schemes on empty values by @RamanaReddy0M in #5606
- Fixed loading dynamic auth templates with fuzzing by @RamanaReddy0M in #5646
- Fixed issue with MySQL connection with special characters in password by @RamanaReddy0M in #5604
- Fixed issue with
WithProxy
err by @dogancanbakir in #5626 - Fixed missing
template_url
for signed templates by @RamanaReddy0M in #5644 - Fixed nil pointer error with
addCNameIfAvailable
from using closedDialer
by @dwisiswant0 in #5665 - Fixed issue in event generation using
-ms
option with clustering by @Ice3man543 in #5653 - Fixed issue with Input Clone when the workflow execution forks by @tovask in #5621
- Fixed failing integration tests by @RamanaReddy0M in #5647
🔨 Maintenance
- Added support for
fs.FS
in template parsing by @doug-threatmate in #5421
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/63?closed=1
Full Changelog: v3.3.2...v3.3.3
v3.3.2
What's Changed
🎉 New Features
- Added
ActionWaitDialog
type in headless protocol to simplify XSS detection by @dwisiswant0 in #5545
See docs for more details.
🔨 Maintenance
- Migrated issue template to issue form by @dwisiswant0 in #5538
- Upgraded gitlab api version by @AdallomRoy in #5551
⚠️ Security
- Fixed security issue in template
signer
package by @GuyGoldenberg @dogancanbakir @Mzack9999 in 0da993a
See GitHub security advisories for detailed information.
Other Changes
- Added jira config to accept issue-type id and project id as optional input by @Ice3man543 in #5537
- Fixed issue with
-ms
option to scan non accessible host by @dogancanbakir in #5576 - Fixed race condition issue by @dogancanbakir in #5547
- Fixed panic in list input with dast option by @dwisiswant0 in #5558
New Contributors
- @AdallomRoy made their first contribution in #5551
- @PeterDaveHello made their first contribution in #5578
- @linchizhen made their first contribution in #5586
Full Changelog: v3.3.1...v3.3.2
v3.3.1
What's Changed
🎉 New Features
- Added
team-id
option to upload results to specific team workspace by @RamanaReddy0M in #5523
Option:
-tid, -team-id string upload scan results to given team id (optional) (default "none")
Example:
nuclei -pt dns -u example.com -cloud-upload -team-id cqlmoalcm2sc73eut1b0
- Added redaction support in output file by @dogancanbakir in #5463
Option:
-rd, -redact string[] redact given list of keys from query parameter, request header and body
Example:
nuclei -pt dns -u example.com -redact api_key,x-api-key,user-agent
- Added support for multiple auth strategies per target from secret file by @RamanaReddy0M in #5500
- Added support to generate matcher-status event for javascript protocol by @tarunKoyalwar in #5450
- Added workflows in SDK example by @alban-stourbe-wmx in #5409
- Added
skip-secret-file
template attribute to disable auth per template by @dwisiswant0 in #5522
🐞 Bug Fixes
- Fixed
FileAuthProvider
stores the same strategy for each entry by @mrschyte in #5474 - Fixed circular references in OpenAPI parsing(fuzzing) by @trypa11 in #5491
- Fixed file protocol missing vars in flow & multi-protocol by @tarunKoyalwar in #5480
- Fixed issue assign
customHeaders
to the map directly by @dwisiswant0 in #5445 - Fixed issue with input transformation to multi-protocol templates by @mhmdiaa in #5426
- Fixed missing close statements
file.Close()
&ticker.Stop()
by @ShuBo6 in #5436 - Fixed nil panic by @tarunKoyalwar in #5473
- Fixed server URL path for OpenAPI parsing by @trypa11 in #5504
- Fixed unresolved
interactsh-url
variable with fuzzing by @RamanaReddy0M in #5289 - Fixed unresolved variables error with dast templates by @RamanaReddy0M in #5443
🔨 Maintenance
- ci: don't clean modules cache by @dwisiswant0 in #5519
- ci: use composite actions by @dwisiswant0 in #5483
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/61?closed=1
New Contributors
- @fudancoder made their first contribution in #5432
- @ShuBo6 made their first contribution in #5436
- @Jarnpher553 made their first contribution in #5419
- @mhmdiaa made their first contribution in #5426
- @alban-stourbe-wmx made their first contribution in #5409
- @mrschyte made their first contribution in #5474
- @trypa11 made their first contribution in #5504
Full Changelog: v3.3.0...v3.3.1
v3.3.0
What's Changed
🐞 Bug Fixes
- Fixed security issue with use of custom workflows by @Mzack9999 in #5318
- Fixed issue to reduce memory usage by javascript templates by @Mzack9999 in #5291
- Fixed target loading issue with
-input-mode
option by @RamanaReddy0M in #5369 - Fixed issue with
stop-at-first-match
option in headless mode with fuzzing by @RamanaReddy0M in #5330 - Fixed issue with ldap search function by @tarunKoyalwar in #5356
- Fixed issue with
ExecuteWithResults
function not returning expected results (SDK) by @boy-hack in #5376
Other Changes
- Added
cname
information in http protocol when available by @tarunKoyalwar in #5389 - Added goja function (
isUDPPortOpen
) to check UDP port by @RamanaReddy0M in #5397 - Added sdk option to disable update check (SDK) by @dogancanbakir in #5346
- Added support to use
fs.FS
when explicitly given (SDK) by @doug-threatmate in #5312 - Added timeouts config in
types.Options
(SDK) by @dogancanbakir in #5228 - Improved ldap output with custom type to return additional information by @tarunKoyalwar in #5387
- Improved template clustering performance by @KristinnVikar in #5319
Caution
In this release, with the changes in #5228, the following options have been removed from the CLI. They are now configured implicitly and can be customized via SDK usage.
-dt, -dialer-timeout value timeout for network requests.
-rrt, -response-read-timeout value response read timeout in seconds (default 5s)
New Contributors
- @KristinnVikar made their first contribution in #5319
- @boy-hack made their first contribution in #5376
Full Changelog: v3.2.9...v3.3.0
v3.2.9
What's Changed
🎉 New Features
- Fuzzing feature enhancements by @Ice3man543 in #5139
- Added
part: request
to fuzz all the keys in request with fuzzing templates. - Added
-fuzz-aggression
CLI option to control fuzz aggression via template. - Added
-fuzz-param-frequency
option to control counter for skipping uninteresting parameter. - Added
-display-fuzz-points
option to display fuzzing points (for debugging).
- Added
- PDCP Team ID input support via environment variable to upload results into team account by @tarunKoyalwar in #5295
export PDCP_TEAM_ID=cphlrbmnr2khg33n6ik1
Note
Team ID is optional input and can be obtained from https://cloud.projectdiscovery.io/settings/team. If provided, results will be uploaded to the team account instead of your personal account.
🐞 Bug Fixes
- Fixed slow scan for hosts blocked WAF or getting timed out by @Mzack9999 in #5275
- Fixed issues with multi-thread execution by @Mzack9999 in #5187
- Fixed panic on failed raw request by @tarunKoyalwar in #5230
- Fixed
ExecuteCallbackWithCtx
to use the context that was provided by @doug-threatmate in #5236 - Fixed nil deref err in reporting by @dogancanbakir in #5283
- Fixed
types.RequestResponse
url fieldUnmarshalJSON
by @LazyMaple in #5267 - Fixed tempalte validation by @RamanaReddy0M in #5261
- Fixed severity filter for per tracker reporting filters by @Ice3man543 in #5297
Other Changes
- Added Spanish translation of README by @MachadoOtto in #5242
- Added Japanese translation of README by @eltociear in #5259
- Added timestamp in error log (
-elog
) with-ts
option by @oscarintherocks in #5292
New Contributors
- @doug-threatmate made their first contribution in #5236
- @MachadoOtto made their first contribution in #5242
- @eltociear made their first contribution in #5259
- @oscarintherocks made their first contribution in #5292
- @LazyMaple made their first contribution in #5267
Full Changelog: v3.2.8...v3.2.9
v3.2.8
What's Changed
🐞 Bug Fixes
- Fixed multiple bug fixes + performance improvements by @tarunKoyalwar in #5148
- Fixed more goroutine leaks by @Ice3man543 in #5188
- Fixed issue network interface selection in case of multiple interface by @Mzack9999 in #5186
- Fixed issue with ssl protocol in case of multi request by @Mzack9999 in #5203
Issues closed in release - https://github.com/projectdiscovery/nuclei/milestone/58?closed=1
Full Changelog: v3.2.7...v3.2.8