Releases: projectdiscovery/nuclei
v2.9.9 (Security Update)
What's Changed
🎉 Features
- Added env variable support to disable automatic template update from specific source (#3705) by @kchason in #3926
export DISABLE_NUCLEI_TEMPLATES_PUBLIC_DOWNLOAD=true # Disable download from the default nuclei-templates project
export DISABLE_NUCLEI_TEMPLATES_GITHUB_DOWNLOAD=true # Disable download from public / private GitHub project(s)
export DISABLE_NUCLEI_TEMPLATES_GITLAB_DOWNLOAD=true # Disable download from public / private GitLab project(s)
export DISABLE_NUCLEI_TEMPLATES_AWS_DOWNLOAD=true # Disable download from public / private AWS Bucket(s)
export DISABLE_NUCLEI_TEMPLATES_AZURE_DOWNLOAD=true # Disable download from public / private Azure Blob Storage
- Added helper function to calculate jarm hash by @Mzack9999 in #3906
{{jarm("1.1.1.1:443")}}
- Added support for disable-path-automerge in unsafe mode by @RamanaReddy0M in #3888
- Added request/response inclusion in result as default by @kchason in #3710
- Added epss-percentile attribute to template classification section by @ehsandeep in #3911
classification:
  epss-percentile: 0.00064
-or, -omit-raw omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
- Added automatic target merge in network templates by @Mzack9999 in #3904
🐞 Bugs
- Fixed issue in workflow concurrency by @Mzack9999 in #3903
🔨 Maintenance
- Fixed issue in the payload generator by @tarunKoyalwar in #3918
🔨 Other Changes
- Added ztls fallback support as default for tls connection by @tarunKoyalwar in #3909
⚠️ Security (breaking change)
- Fixed issue with payloads loading in sandbox mode by @Mzack9999 in #3927
- Disabled payload loading from arbitrary location as default by @Ice3man543 in #3927
- Added option to disable network connection to local / private by @Ice3man543 in #3927
-lfa, -allow-local-file-access allows file (payload) access anywhere on the system
-lna, -restrict-local-network-access blocks connections to the local / private network
🔨 Deprecated
- -sandbox option (now broken down into two new options -lfa, -lna)
- -irr, -include-rr option (now enabled as default)
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/36?closed=1
Full Changelog: v2.9.8...v2.9.9
v2.9.8
What's Changed
🐞 Bugs
- Fixed issue to preserve the order of query parameters by @tarunKoyalwar in #3887
- Fixed issue with network connection read and write deadline by @praetorian-thendrickson in #3845
- Fixed issue with showing multiple matches per template with -ms option by @RamanaReddy0M in #3770
New Contributors
- @praetorian-thendrickson made their first contribution in #3845
Full Changelog: v2.9.7...v2.9.8
v2.9.7
What's Changed
🎉 Features
- Added tls client hello (ja3) randomization by @Mzack9999 in #3844
-tlsi, -tls-impersonate enable experimental client hello (ja3) tls randomization
- Added query fuzzing support in headless protocol by @ShubhamRasal in #3790
- Added cookie reuse in workflow for headless template by @Mzack9999 in #3850
- Added header and status matchers to headless protocol by @dogancanbakir in #3794
- Added {{public_ip()}} helper function by @Mzack9999 in #3853
- Added template option (disable-path-automerge: true) to disable path automerge in raw request by @RamanaReddy0M in #3799
🐞 Bugs
- Fixed issue with tls protocol causing scan to get stuck by @ehsandeep in #3792
- Fixed panic: runtime error by @Mzack9999 in #3816
- Fixed issue in file protocol with matchers and condition by @Mzack9999 in #3820
- Fixed output path in unsafe mode by @ehsandeep in #3831
- Fixed rendering issues with markdown and jira exporter by @forgedhallpass in #3849
- Fixed issue with custom client certificate input by @Mzack9999 in #3851
🔨 Maintenance
- Added better debug message formatting by @Mzack9999 in #3859
- Fixed deprecatedProtocolNameTemplates concurrent map writes by @cn-kali-team in #3785
- Enabled -no-httpx implicitly when -passive scan is launched by @dogancanbakir in #3789
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/34?closed=1
New Contributors
Full Changelog: v2.9.6...v2.9.7
v2.9.6
What's Changed
🐞 Bug Fixes
- Fixed issue with uncover config loader by @tarunKoyalwar in #3773
- Fixed issue with template update option by @tarunKoyalwar in #3769
🚨 Breaking Change
🔨 Maintenance
- Updated TCP protocol by @Mzack9999 in #3546
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/33?closed=1
Full Changelog: v2.9.5...v2.9.6
v2.9.5
What's Changed
- Added payloads support in dns protocol by @ShubhamRasal in #3632
- Added any type query support in dns protocol by @ehsandeep in #3644
- Added support for constants by @Mzack9999 in #3692
- Added utility to write max-requests counter to templates by @RamanaReddy0M in #3607
- Fixed memory leak (high memory usage) by @ShubhamRasal in #3676
- Fixed issue with interactsh (probably evicted due to inactivity) by @Mzack9999 in #3680
- Fixed issue with removing semicolon from raw request by @RamanaReddy0M in #3650
- Fixed typos by @kchason in #3704
- Fixed oob ruleindex by @dogancanbakir in #3738
- Fixed updates to docs references by @olearycrew in #3718
- Updated uncover integration logic by @tarunKoyalwar in #3663
- Removed .yml extension support for template input as URL by @Mzack9999 in #3745
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/31?closed=1
New Contributors
- @olearycrew made their first contribution in #3718
Full Changelog: v2.9.4...v2.9.5
v2.9.4
What's Changed
- Added option for nuclei templates / config reset by @tarunKoyalwar in #3675
-reset reset removes all nuclei configuration and data files (including nuclei-templates)
Full Changelog: v2.9.3...v2.9.4
v2.9.3 (bugfix release)
What's Changed
- Added support to expose DNS response as dsl field by @ShubhamRasal in #3613
- Added support to filter templates based on classification by @iamargus95 in #3606
- Added check to make severity a mandatory field by @dogancanbakir in #3540
- Added support to load templates from deprecated path by @tarunKoyalwar in #3635
- Added warning message for templates loaded by deprecated template path by @tarunKoyalwar in #3635
- Added warning message for templates loaded with deprecated protocol syntax by @tarunKoyalwar in #3635
- Added option to save extractor result to file by @tarunKoyalwar in #3608
- Fixed nil pointer crash in interactsh client by @Mzack9999 in #3590
- Fixed crash with tlsx integration by @ehsandeep in #3620
- Fixed crash with no-interactsh option by @ehsandeep in #3621
- Fixed panic while parsing tlsx response by @tarunKoyalwar in #3641
- Fixed issue with params in self-contained template by @tarunKoyalwar in #3608
- Fixed issue with aws signer by @tarunKoyalwar in #3601
- Fixed issue with os permission check by @iamargus95 in #3631
- Fixed issue with no color in windows by @ehsandeep in #3634
- Fixed issue with variables evaluation by @ShubhamRasal in #3599
- Fixed issue to support headless template on OpenBSD by @lu4nx in #3637
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/30
New Contributors
- @MetzinAround made their first contribution in #3579
- @iamargus95 made their first contribution in #3606
- @lu4nx made their first contribution in #3637
Full Changelog: v2.9.2...v2.9.3
v2.9.2
What's Changed
- Added llm_prompt as dsl helper by @Mzack9999 in #3480
llm_prompt("what tech this server is using? return idk if you dont know" + header)
- Added azure blob storage support for custom template download by @kchason in #3542
- Added gitlab project support for custom template download by @kchason in #3570
- Added CPE / EPSS Score information to cve-annotation by @sduc in #3486
- Added variable evaluation support in payloads & variables by @ShubhamRasal in #3503
- Added config management + logic refactor by @tarunKoyalwar in #3567
- Added JSONL(ine) Export (#3504) by @kchason in #3505
-je, -json-export string file to export results in JSON format
- Fixed bug in http race condition logic by @ShubhamRasal in #3533
- Fixed s3 argument typos by @kchason in #3536
- Fixed integration test by @tarunKoyalwar in #3506
- Fixed rate limit options not working with query fuzzing by @RamanaReddy0M in #3532
- Fixed panic crash in tlsx by @ehsandeep in #3554
- Fixed panic with proxy input by @tarunKoyalwar in #3526
- Updated -nc option by @dogancanbakir in #3539
- Updated ccache with generic gcache by @Mzack9999 in #3523
- Updated -un option to -up as a short flag of self-update option by @ehsandeep in #3573
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/29?closed=1
New Contributors
- @sduc made their first contribution in #3486
- @dogancanbakir made their first contribution in #3539
Full Changelog: v2.9.1...v2.9.2
v2.9.1
Breaking Changes:
- -json option to -jsonl to correctly reflect the output format by @kchason in #3466
-j, -jsonl write output in JSONL(ines) format
- requests => http & network => tcp) in templates by @ShubhamRasal in #3425
Templates with the use of requests and network will still work but will be deprecated completely in the future.
What's New
-je, -json-export string file to export results in JSON format
- Added cpe and epss-score support in template classification by @ehsandeep in #3489
- Added mkdir support in headless screenshot by @tarunKoyalwar in #3457
- Added support for jira custom fields by @jordanpotti in #3406
- Added AWS catalog for loading templates from bucket by @leoloobeek in #3372
- Fixed a crash in tlsx integration by @ehsandeep in #3490
- Fixed template link references by @mlec1 in #3485
- Fixed an issue with the scanning strategy option by @nHurD in #3464
- Fixed AWS S3 bucket catalog path mismatch by @tarunKoyalwar in #3474
- Moved DSL helper functions to dsl project by @RamanaReddy0M in #3461
Issues closed in this release - https://github.com/projectdiscovery/nuclei/milestone/28?closed=1
New Contributors
- @jordanpotti made their first contribution in #3406
- @nHurD made their first contribution in #3464
- @leoloobeek made their first contribution in #3372
- @mlec1 made their first contribution in #3485
Full Changelog: v2.9.0...v2.9.1
v2.9.0
What's Changed
- Added support for templates in JSON format by @CodFrm in #3333
- Added template sign/verify functionality by @Mzack9999 in #3029
- Added -track-error option to add custom errors to max-host-error watch list by @austintraver in #3399
- Added data race panic check in integration_tests by @tarunKoyalwar in #3303
- Added CLI option to override fuzzing template options by @ShubhamRasal in #3355
- Added ip_formats() helper function by @xm1k3 in #3286
- Added resolve() helper function by @xm1k3 in #3321
- Added rawstringslice to make reference url case insensitive by @Bisstocuz in #3346
- Fixed a bug with OR matcher condition with interactsh by @RamanaReddy0M in #3397
- Fixed set-method option in headless template by @Mzack9999 in #3373
- Fixed atomic bool check by @Mzack9999 in #3376
- Fixed bug in URL path and adds integration tests by @tarunKoyalwar in #3331
- Fixed crash with interactsh integration by @Mzack9999 in #3312
- Fixed data race when using interactsh_matchers by @tarunKoyalwar in #3432
- Fixed file input in custom vars with self-contained http template by @tarunKoyalwar in #3385
- Fixed missing port in matched ssl templates by @tarunKoyalwar in #3380
- Fixed nil pointer reference + use map helper by @Mzack9999 in #3421
- Fixed parseUrl test by @ShubhamRasal in #3426
- Fixed typo in -hc option by @sullo in #3400
Issues closed in release - https://github.com/projectdiscovery/nuclei/milestone/27
New Contributors
- @noraj made their first contribution in #3162
- @Bisstocuz made their first contribution in #3346
- @CodFrm made their first contribution in #3333
- @austintraver made their first contribution in #3399
- @RamanaReddy0M made their first contribution in #3397
Full Changelog: v2.8.9...v2.9.0