v2.9.9 (Security Update)

What's Changed

🎉 Features

• Added env variable support to disable automatic template update from specifc source (#3705) by @kchason in #3926

export DISABLE_NUCLEI_TEMPLATES_PUBLIC_DOWNLOAD=true # Disable download from the default nuclei-templates project
export DISABLE_NUCLEI_TEMPLATES_GITHUB_DOWNLOAD=true # Disable download from public / private GitHub project(s)
export DISABLE_NUCLEI_TEMPLATES_GITLAB_DOWNLOAD=true # Disable download from public / private GitLab project(s)
export DISABLE_NUCLEI_TEMPLATES_AWS_DOWNLOAD=true # Disable download from public / private AWS Bucket(s)
export DISABLE_NUCLEI_TEMPLATES_AZURE_DOWNLOAD=true # Disable download from public / private Azure Blob Storage

• Added helper function to calculate jarm hash by @Mzack9999 in #3906

{{jarm("1.1.1.1:443")}}

• Added support for disable-path-automerge in unsafe mode by @RamanaReddy0M in #3888
• Added request/reponse in include in result as default by @kchason in #3710
• Added epss-percentile attribute template classification section by @ehsandeep in #3911

  classification:
    epss-percentile: 0.00064

• Added option to optionally exclude request/reponse in results by @kchason in #3710

   -or, -omit-raw  omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)

• Added automatic target merge in network templates by @Mzack9999 in #3904

🐞 Bugs

• Fixed issue in workflow concurrency by @Mzack9999 in #3903

🔨 Maintenance

• Fixed issue in the payload generator by @tarunKoyalwar in #3918

🔨 Other Changes

• Added ztls fallback support as default for tls connection by @tarunKoyalwar in #3909

⚠️ Security (breaking change)

• Fixed issue with payloads loading in sandbox mode by @Mzack9999 in #3927
• Disabled payload loading from arbitrary location as default by @Ice3man543 in #3927
• Added option to disable network connection to local / private by @Ice3man543 in #3927

   -lfa, -allow-local-file-access        allows file (payload) access anywhere on the system
   -lna, -restrict-local-network-access  blocks connections to the local / private network

🔨 Deprecated

• -sandbox option (now brokedown into two new option -lfa, -lna)
• -irr, -include-rr option (now enabled as default)

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/36?closed=1

Full Changelog: v2.9.8...v2.9.9

v2.9.8

What's Changed

🐞 Bugs

• Fixed issue to preserve the order of query parameters by @tarunKoyalwar in #3887
• Fixed with network connection read and write deadline by @praetorian-thendrickson in #3845
• Fixed issue with showing multiple matches per template with -ms option by @RamanaReddy0M in #3770

New Contributors

• @praetorian-thendrickson made their first contribution in #3845

Full Changelog: v2.9.7...v2.9.8

v2.9.7

What's Changed

🎉 Features

• Added tls client hello (ja3) randomization by @Mzack9999 in #3844

   -tlsi, -tls-impersonate  enable experimental client hello (ja3) tls randomization

• Added query fuzzing support in headless protocol by @ShubhamRasal in #3790
• Added cookie reuse in workflow for headless template by @Mzack9999 in #3850
• Added header and status matchers to headless protocol by @dogancanbakir in #3794
• Added {{public_ip()}} helper function by @Mzack9999 in #3853
• Added template option (disable-path-automerge: true) to disable path automerge in raw request by @RamanaReddy0M in #3799

🐞 Bugs

• Fixed issue with tls protocol causing scan to stuck by @ehsandeep in #3792
• Fixed panic: runtime error by @Mzack9999 in #3816
• Fixed issue in file protocol with matchers and condition by @Mzack9999 in #3820
• Fixed output path in unsafe mode by @ehsandeep in #3831
• Fixed rendering issues with markdown and jira exporter by @forgedhallpass in #3849
• Fixed issue custom client certificate input by @Mzack9999 in #3851

🔨 Maintenance

• Added better debug message formatting by @Mzack9999 in #3859
• Fixed deprecatedProtocolNameTemplates concurrent map writes by @cn-kali-team in #3785
• Enabled -no-httpx implicitly when -passive scan is launched by @dogancanbakir in #3789

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/34?closed=1

New Contributors

• @Weltolk made their first contribution in #3843

Full Changelog: v2.9.6...v2.9.7

v2.9.6

What's Changed

🐞 Bug Fixes

• Fixed issue with uncover config loader by @tarunKoyalwar in #3773
• Fixed issue with template update option by @tarunKoyalwar in #3769

🚨 Breaking Change

• Fixed typo by @kchason in #3760 (breaking change for using as SDK)

🔨 Maintenance

• Updated TCP protocol by @Mzack9999 in #3546

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/33?closed=1

Full Changelog: v2.9.5...v2.9.6

v2.9.5

What's Changed

• Added payloads support in dns protocol by @ShubhamRasal in #3632
• Added any type query support in dns protocol by @ehsandeep in #3644
• Added support for constants by @Mzack9999 in #3692
• Added utility to write max-requests counter to templates by @RamanaReddy0M in #3607
• Fixed memory leak (high memory uses) by @ShubhamRasal in #3676
• Fixed issue with interactsh (probably evicted due to inactivity) by @Mzack9999 in #3680
• Fixed issue with removing semicolon from raw request by @RamanaReddy0M in #3650
• Fixed typos by @kchason in #3704
• Fixed oob ruleindex by @dogancanbakir in #3738
• Fixed updates to docs references by @olearycrew in #3718
• Updated uncover integreation logic by @tarunKoyalwar in #3663
• Removed .yml extension support for template input as URL by @Mzack9999 in #3745

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/31?closed=1

New Contributors

• @olearycrew made their first contribution in #3718

Full Changelog: v2.9.4...v2.9.5

v2.9.4

What's Changed

• Added option for nuclei templates / config reset by @tarunKoyalwar in #3675

   -reset  reset removes all nuclei configuration and data files (including nuclei-templates)

Full Changelog: v2.9.3...v2.9.4

v2.9.3 (bugfix release)

What's Changed

• Added support to expose DNS response as dsl field by @ShubhamRasal in #3613
• Added support to filter templates based on classification by @iamargus95 in #3606
• Added check to make severity as a mandatory field by @dogancanbakir in #3540
• Added support to load templates deprecated path by @tarunKoyalwar in #3635
• Added warning message for templates loaded by deprecated template path by @tarunKoyalwar in #3635
• Added warning message for templates loaded with deprecated protocol syntax by @tarunKoyalwar in #3635
• Added option to save extractor result to file by @tarunKoyalwar in #3608
• Fixed nil pointer crash in interactsh client by @Mzack9999 in #3590
• Fixed crash with tlsx integration by @ehsandeep in #3620
• Fixed crash with no-interactsh option by @ehsandeep in #3621
• Fixed panic while parsing tlsx response by @tarunKoyalwar in #3641
• Fixed issue with params in self-contained template by @tarunKoyalwar in #3608
• Fixed issue with aws signer by @tarunKoyalwar in #3601
• Fixed issue with os permission check by @iamargus95 in #3631
• Fixed issue with no color in windows by @ehsandeep in #3634
• Fixed issue with variables evaluation by @ShubhamRasal in #3599
• Fixed issue to support headless template on OpenBSD by @lu4nx in #3637

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/30

New Contributors

• @MetzinAround made their first contribution in #3579
• @iamargus95 made their first contribution in #3606
• @lu4nx made their first contribution in #3637

Full Changelog: v2.9.2...v2.9.3

v2.9.2

What's Changed

• Added llm_prompt as dsl helper by @Mzack9999 in #3480

llm_prompt("what tech this server is using? return idk if you dont know" + header)

• Added azure blob storage support for custom template download by @kchason in #3542
• Added gitlab project support for custom template download by @kchason in #3570
• Added CPE / EPSS Score information to cve-annotation by @sduc in #3486
• Added variable evaluation support in payloads & variables by @ShubhamRasal in #3503
• Added config management + logic refactor by @tarunKoyalwar in #3567
• Added JSONL(ine) Export (#3504) by @kchason in #3505

   -je, -json-export string  file to export results in JSON format

• Fixed bug in http race condition logic by @ShubhamRasal in #3533
• Fixed s3 argument typos by @kchason in #3536
• Fixed integration test by @tarunKoyalwar in #3506
• Fixed rate limit options not working with query fuzzing by @RamanaReddy0M in #3532
• Fixed panic crash in tlsx by @ehsandeep in #3554
• Fixed panic with proxy input by @tarunKoyalwar in #3526
• Updated -nc option by @dogancanbakir in #3539
• Updated ccache with generic gcache by @Mzack9999 in #3523
• Updated -un option to -up as a short flag of self-update option by @ehsandeep in #3573

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/29?closed=1

New Contributors

• @sduc made their first contribution in #3486
• @dogancanbakir made their first contribution in #3539

Full Changelog: v2.9.1...v2.9.2

v2.9.1

Breaking Changes:

⚠️ Updated -json option to -jsonl to correctly reflect the output format by @kchason in #3466

   -j, -jsonl  write output in JSONL(ines) format

⚠️ Updated protocol attribute name (requests=> http & network => tcp) in templates by @ShubhamRasal in #3425

Templates with the use of requests and network will still work but will be deprecated completely in the future.

What's New

• Added JSON output export support (-json-export) by @kchason in #3466

   -je, -json-export string  file to export results in JSON format

• Added cpe and epss-score support in template classification by @ehsandeep in #3489
• Added mkdir support in headless screenshot by @tarunKoyalwar in #3457
• Added support for jira custom fields by @jordanpotti in #3406
• Added AWS catalog for loading templates from bucket by @leoloobeek in #3372
• Fixed a crash in tlsx integration by @ehsandeep in #3490
• Fixed template link references by @mlec1 in #3485
• Fixed an issue with the scanning strategy option by @nHurD in #3464
• Fixed AWS S3 bucket catalog path mismatch by @tarunKoyalwar in #3474
• Moved DSL helper functions to dsl project by @RamanaReddy0M in #3461

Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/28?closed=1

New Contributors

• @jordanpotti made their first contribution in #3406
• @nHurD made their first contribution in #3464
• @leoloobeek made their first contribution in #3372
• @mlec1 made their first contribution in #3485

Full Changelog: v2.9.0...v2.9.1

v2.9.0

What's Changed

• Added support for templates in JSON format by @CodFrm in #3333
• Added template sign/verify functionality by @Mzack9999 in #3029
• Added -track-error option to add custom errors to max-host-error watch list by @austintraver in #3399
• Added data race panic check in integration_tests by @tarunKoyalwar in #3303
• Added CLI option to override fuzzing template options by @ShubhamRasal in #3355
• Added ip_formats() helper function by @xm1k3 in #3286
• Added resolve() helper function by @xm1k3 in #3321
• Added rawstringslice to make reference url case insensitive by @Bisstocuz in #3346
• Fixed a bug with OR matcher condition with interactsh by @RamanaReddy0M in #3397
• Fixed set-method option in headless template by @Mzack9999 in #3373
• Fixed atomic bool check by @Mzack9999 in #3376
• Fixed bug in URL path and adds integration tests by @tarunKoyalwar in #3331
• Fixed crash with interactsh integration by @Mzack9999 in #3312
• Fixed data race when using interactsh_matchers by @tarunKoyalwar in #3432
• Fixed file input in custom vars with self-contained http template by @tarunKoyalwar in #3385
• Fixed missing port in matched ssl templates by @tarunKoyalwar in #3380
• Fixed nil pointer reference + use map helper by @Mzack9999 in #3421
• Fixed parseUrl test by @ShubhamRasal in #3426
• Fixed typo in -hc option by @sullo in #3400

Issues closed in release - https://github.com/projectdiscovery/nuclei/milestone/27

New Contributors

• @noraj made their first contribution in #3162
• @Bisstocuz made their first contribution in #3346
• @CodFrm made their first contribution in #3333
• @austintraver made their first contribution in #3399
• @RamanaReddy0M made their first contribution in #3397

Full Changelog: v2.8.9...v2.9.0