Skip to content

Releases: projectdiscovery/nuclei

v3.3.7

02 Dec 12:14
bf01be1
Compare
Choose a tag to compare

What's Changed

🎉 New Features

  • Added OS_MAX_THREADS_ENV environment variable to control the maximum number of OS threads the Go program can utilize by @dogancanbakir in #5622
  • Added -enable-global-matchersoption to control the execution of global matchers by @dwisiswant0 in #5857

🐞Bug Fixes

  • Fixed template signing signature issue caused by OS-specific line breaks (CRLF vs LF) by @tarunKoyalwar in #5869
  • Fixed trailing comma issue in JSONL exporeter by @bf-rbrown in #5861
  • Fixed template listing issue by ensuring default settings are respected by @dogancanbakir in #5846

New Contributors

Full Changelog: v3.3.6...v3.3.7

v3.3.6

21 Nov 18:54
419f08f
Compare
Choose a tag to compare

⚠️ Breaking Changes:

  • The -enable-self-contained or -esc flag is now required to load self-contained templates.
  • The -file flag must be used to enable loading file templates.

What's Changed

🎉 New Features

  • Added analyzer support and time based delay analyzer for DAST mode by @Ice3man543 in #5781

See Analyzer documentation here: https://docs.projectdiscovery.io/templates/protocols/http/fuzzing-overview#analyzer

  • Added batch output support for JSONL output format by @kchason in #5705

Configuration options for JSONL exporter:

jsonl:
 # file is the file to export found JSONL result to
 file: ""
 # omit-raw whether to exclude the raw request and response from the output
 omit-raw: false
 # batch-size the number of records to keep in memory before writing them out to the JSONL file or 0 to disable batching (default)
 batch-size: 0

Secrets can be set using ENV variables or defined with -v and -env-vars options:

Env based secret

variables:
   - key: password
     value: $PASSWORD

Config file / Flag based secrets ( using -env-vars or -vars )

variables:
     - key: password
     - value: {{password}}

🐞Bug Fixes

Other Changes

  • Disabled self-contained and file protocol templates as default by @dogancanbakir in #5825
    • -esc flag (self-contained templates) is implicitly enabled when -code flag is used.
  • Added SDK functions to improve nuclei store and workflow access by @iuliu8899 in #5766
  • Fixed typo in headless protocol error message by @dmaciejak in #5768
  • Added missing backtick in DESIGN document by @chengehe in #5789
  • Improved GitHub Auto-Merge workflow by @dwisiswant0 in #5784
  • Added SDK function to allow setting custom variables by @alban-stourbe-wmx in #5678
  • Improved GitHub workflows to run concurrently by @dwisiswant0 in #5818

New Contributors

Full Changelog: v3.3.5...v3.3.6

v3.3.5

19 Oct 12:37
8d0d288
Compare
Choose a tag to compare

What's Changed

🎉 New Features

🐞Bug Fixes

Other Changes

  • Added support to generate trace file when using -profile-mem option by @dwisiswant0 in #5690
  • Added support for -var-dump-limit to control response char limit with -svd option by @dwisiswant0 in #5676

See https://github.com/projectdiscovery/nuclei/milestone/64?closed=1 for all the issues closed in release.

New Contributors

Full Changelog: v3.3.4...v3.3.5

v3.3.4

28 Sep 15:16
Compare
Choose a tag to compare

What's Changed

  • Fixed (hopefully) skipping target list as found unresponsive erroneously by @tarunKoyalwar in #5668

Full Changelog: v3.3.3...v3.3.4

v3.3.3

26 Sep 08:37
Compare
Choose a tag to compare

What's Changed

🎉 New Features

linear:
  # api-key is the API key for the linear account
  api-key: ""
  # allow-list sets a tracker level filter to only create issues for templates with
  # these severity labels or tags (does not affect exporters. set those globally)
  deny-list:
    severity: critical
  # deny-list sets a tracker level filter to never create issues for templates with
  # these severity labels or tags (does not affect exporters. set those globally)
  deny-list:
    severity: low
  # team-id is the ID of the team in Linear
  team-id: ""
  # project-id is the ID of the project in Linear
  project-id: ""
  # duplicate-issue-check flag to enable duplicate tracking issue check
  duplicate-issue-check: false
  # open-state-id is the ID of the open state in Linear
  open-state-id: ""

See docs for more details.

   -pdu, -dashboard-upload string  upload / view nuclei results file (jsonl) in projectdiscovery cloud (pdcp) UI dashboard
 $ ./nuclei -pdu nucle_results.jsonl 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.3

		projectdiscovery.io

[INF] Uploading scan results to cloud dashboard from test
[INF] 7 Scan results uploaded to cloud, you can view scan results at https://cloud.projectdiscovery.io/scans/crqho0h1c9fs73f1rth0?team_id=none

Newly supported events:

  • waitdom
  • waitfcp
  • waitfmp
  • waitidle
  • waitstable

See docs for more details.

🐞Bug Fixes

🔨 Maintenance

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/63?closed=1

Full Changelog: v3.3.2...v3.3.3

v3.3.2

04 Sep 14:19
96203d8
Compare
Choose a tag to compare

What's Changed

🎉 New Features

  • Added ActionWaitDialog type in headless protocol to simplify XSS detection by @dwisiswant0 in #5545

See docs for more details.

🔨 Maintenance

⚠️ Security

See GitHub security advisories for detailed information.

Other Changes

New Contributors

Full Changelog: v3.3.1...v3.3.2

v3.3.1

16 Aug 15:17
8c0dd5f
Compare
Choose a tag to compare

What's Changed

🎉 New Features

Option:

   -tid, -team-id string  upload scan results to given team id (optional) (default "none")

Example:

nuclei -pt dns -u example.com -cloud-upload -team-id cqlmoalcm2sc73eut1b0

Option:

   -rd, -redact string[]  redact given list of keys from query parameter, request header and body

Example:

nuclei -pt dns -u example.com -redact api_key,x-api-key,user-agent

🐞 Bug Fixes

🔨 Maintenance

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/61?closed=1

New Contributors

Full Changelog: v3.3.0...v3.3.1

v3.3.0

17 Jul 14:26
bac9174
Compare
Choose a tag to compare

What's Changed

🐞 Bug Fixes

Other Changes

Caution

In this release, with the changes in #5228, the following options have been removed from the CLI. They are now configured implicitly and can be customized via SDK usage.

 -dt, -dialer-timeout value  timeout for network requests.
 -rrt, -response-read-timeout value  response read timeout in seconds (default 5s)

New Contributors

Full Changelog: v3.2.9...v3.3.0

v3.2.9

16 Jun 14:53
Compare
Choose a tag to compare

What's Changed

🎉 New Features

  • Fuzzing feature enhancements by @Ice3man543 in #5139
    • Added part: request to fuzz all the keys in request with fuzzing templates.
    • Added -fuzz-aggression CLI option to control fuzz aggression via template.
    • Added -fuzz-param-frequency option to control counter for skipping uninteresting parameter.
    • Added -display-fuzz-points option to display fuzzing points (for debugging).
  • PDCP Team ID input support via environment variable to upload results into team account by @tarunKoyalwar in #5295
export PDCP_TEAM_ID=cphlrbmnr2khg33n6ik1

Note

Team ID is optional input and can be obtained from https://cloud.projectdiscovery.io/settings/team. If provided, results will be uploaded to the team account instead of your personal account.

🐞 Bug Fixes

Other Changes

New Contributors

Full Changelog: v3.2.8...v3.2.9

v3.2.8

24 May 22:44
Compare
Choose a tag to compare

What's Changed

🐞 Bug Fixes

Issues closed in release - https://github.com/projectdiscovery/nuclei/milestone/58?closed=1

Full Changelog: v3.2.7...v3.2.8