Negative directive in the template matcher seems to not work with the case-insensitive directive #5169
Labels
Type: Bug
Nuclei version: v3.2.4
Current Behavior:
Nuclei fails to match on a finding when the case-insensitive directive and the negative directive are used together.
For example, the cookies-without-httponly-secure matcher should only identify endpoints that lack both httponly and secure, but the strings they match on have different cases depending on the web server. I observed this issue in the wild, so I attempted to modify the template to use case-insensitivity with negative, but it does not appear to work.
Expected Behavior:
The expected behavior is that this template will only return a positive finding if both httponly and secure exist in the set-cookie directive, but due to case variations of web servers, this is not always a match. Attempting to add the case-insensitive directive did not work.
I have to build a template like this to properly handle the potentials and this still doesn't cover some crazy edge case.
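For reference, the check the matcher is meant to express, written as a standalone script; this is an added example, not the reporter's template and not Nuclei code. It compares Set-Cookie attribute names case-insensitively and per cookie, so a cookie whose name merely contains "secure" is not mistaken for one carrying the flag. The function names and the sample headers are constructed for illustration.

```python
# Added example: attribute-level Set-Cookie check (not Nuclei code).
# Cookie attribute names are case-insensitive (RFC 6265, section 5.2),
# so "HttpOnly", "httponly" and "HTTPONLY" must all count as present.

def cookie_flags(set_cookie_value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = set_cookie_value.split(";")
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        # Attributes are "name" or "name=value"; only the name matters here.
        attr_name = part.split("=", 1)[0].strip().lower()
        if attr_name:
            attrs.add(attr_name)
    return name, attrs


def missing_flags(header_lines, required=("httponly", "secure")):
    """Map cookie name -> sorted list of required flags it lacks."""
    findings = {}
    for line in header_lines:
        field, sep, value = line.partition(":")
        # Header field names are case-insensitive as well.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = cookie_flags(value)
        lacking = sorted(f for f in required if f not in attrs)
        if lacking:
            findings[name] = lacking
    return findings


# Constructed sample response headers (not taken from a real server).
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure",
    "set-cookie: lang=en; path=/; httponly; SECURE",
    "Set-Cookie: secure_pref=1; Path=/",
    "Set-Cookie: cart=42; Path=/; httpOnly",
]

if __name__ == "__main__":
    for cookie, flags in missing_flags(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```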