BaseURL is misused in templates as it also contains query parameters of the URL #1794
Closed
kakumanivrn started this conversation in General
Right, this is the intended behavior for the public templates, as vulnerable paths and other information are defined in the templates based on specific vulnerabilities, and Root URLs are the expected input to run nuclei, as detailed here. For custom templates, you can use any other global variables as per need: https://nuclei.projectdiscovery.io/templating-guide/protocols/http/
Nuclei version:
Current Version: 2.6.5
Current Behavior:
In a nuclei template, {{BaseURL}} is taken as the full URL along with query parameters. It works only when the input provided is just a root URL without any file extensions or query parameters.
For example when the input is:
http://google.com/v2/pages?page=1&page-size=354
For a specific template, the request was made like this:
The request doesn't make and it cannot find the vulnerability like this. Almost all of the templates are using BaseURL rather than RootURL.
Expected Behavior:
BaseURL should consider only the URI path and not the query parameters and also not the filename with extension. For a full URL I would suggest another variable name.
Steps To Reproduce:
Provide input of a URL with query parameters and run templates with {{BaseURL}}
Anything else:
I am not sure if this is intended behaviour. The only case where this is intended behaviour is that Nuclei is designed for web app root level scanning only. If that's the case how can I solve my problem?
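As an added illustration (not part of the original discussion and not nuclei's own code), the Python sketch below models the substitution described in the post, where {{BaseURL}} carries the input URL including its query string, and reduces a target list to root URLs, the input the reply says the public templates expect. The template path `/example-path` and the helper names are hypothetical.

```python
from urllib.parse import urlsplit


def root_url(target: str) -> str:
    """Return scheme://host[:port] for an absolute http(s) URL."""
    parts = urlsplit(target.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {target!r}")
    return f"{parts.scheme}://{parts.netloc}"


def expand(template: str, target: str) -> str:
    """Simplified model of the behaviour reported in the post for 2.6.5:
    {{BaseURL}} is the input exactly as given, {{RootURL}} is only the origin."""
    return (template.replace("{{BaseURL}}", target)
                    .replace("{{RootURL}}", root_url(target)))


def to_root_targets(targets):
    """Reduce a target list to de-duplicated root URLs, keeping input order."""
    seen, roots = set(), []
    for line in targets:
        if not line.strip():
            continue  # skip blank lines in a target file
        root = root_url(line)
        if root not in seen:
            seen.add(root)
            roots.append(root)
    return roots


# Constructed sample input; the first URL is the one quoted in the post.
SAMPLE_TARGETS = [
    "http://google.com/v2/pages?page=1&page-size=354",
    "http://google.com/other/page.php",
    "https://example.com:8443/a/b.php?x=1",
]

if __name__ == "__main__":
    full = SAMPLE_TARGETS[0]
    # The template path lands inside the query string of the full URL.
    print(expand("{{BaseURL}}/example-path", full))
    # With the origin only, the path is requested as intended.
    print(expand("{{RootURL}}/example-path", full))
    for root in to_root_targets(SAMPLE_TARGETS):
        print(root)
```
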