Nuclei Removing Hash Symbol (#) When Sending Requests #4571
Hi, I've got a template that looks like the following, where it is sending a request to a path with the "#" symbol in the URL path. For this particular template, it is important that this value is passed in the path field to the service. Unfortunately, I can't share the exact template, but the following template replicates the behavior of the template I'm leveraging:

```yaml
id: example-bug-hash-symbol

info:
  name: An Example Template with Hash Symbol Bug
  author: Adam Crosser
  severity: info

requests:
  - name: example-request
    method: POST
    path:
      - "{{BaseURL}}/vulnerable/endpoint#somevalue"
    matchers:
      - type: status
        status:
          - 200
```

However, as shown in the image given below you will observe that this value is not passed in the POST request sent by Nuclei when invoked with the

I'm using Nuclei version 2.9.10

```
➜ ~ nuclei -version
[INF] Nuclei Engine Version: v2.9.10
➜ ~
```
Replies: 2 comments
@RamanaReddy0M it seems like
@adamcrosser, after testing and discussion, it's not possible to add this behaviour to the http protocol, as this directly conflicts with how http parsers work, but you can still send such requests with the newly introduced javascript protocol, and there are no restrictions of any kind on it, as the request is written manually line by line (like Burp). Here's an example template and run to do that.

example template

```yaml
id: net-https

info:
  name: net-https
  author: pdteam
  severity: info
  description: send and receive https data using net module

javascript:
  - code: |
      let m = require('nuclei/net');
      let name=Host+':'+Port;
      let conn = m.OpenTLS('tcp', name);
      // send http request line by line
      conn.Send('GET / HTTP/1.1\r\n')
      conn.Send('Host:'+name+'\r\n')
      conn.Send('Connection: close\r\n')
      conn.Send('\r\n');
      conn.RecvString(); // get response

    args:
      Host: "{{Host}}"
      Port: "443"

    matchers:
      - type: word
        words:
          - "HTTP/1.1 200 OK"
```

example run

```
$ ./nuclei -t a.yaml -v -svd -u scanme.sh

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.1.4-dev

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.1.4-dev (development)
[INF] Current nuclei-templates version: v9.7.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 61
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[DBG] Javascript Protocol request variables:
    1. DN => scanme
    2. FQDN => scanme.sh
    3. Host => scanme.sh
    4. Hostname => scanme.sh:443
    5. Port => 443
    6. RDN => scanme.sh
    7. SD =>
    8. TLD => sh
[VER] [net-https] Sent Javascript request to scanme.sh:443
[DBG] Javascript Protocol response variables:
    1. DN => scanme
    2. FQDN => scanme.sh
    3. Host => scanme.sh
    4. Hostname => scanme.sh:443
    5. Port => 443
    6. RDN => scanme.sh
    7. SD =>
    8. TLD => sh
    9. host => scanme.sh:443
    10. interactsh-server =>
    11. matched => scanme.sh:443
    12. request => let m = require('nuclei/n .... String(); // get response
    13. response => HTTP/1.1 200 OK Date: Th .... Connection: close ok
    14. success => true
    15. template-id => net-https
    16. template-info => {net-https pdteam send a .... nil> {info} map[] <nil> }
    17. template-path => /Users/tarun/Codebase/nuclei/a.yaml
    18. type => javascript
[net-https] [javascript] [info] scanme.sh:443
```
Beta Was this translation helpful? Give feedback.
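The parser behaviour the reply above refers to, shown as an added example that is not part of the original thread and is not Nuclei's own code: it uses Go's standard `net/url` and `net/http` as a stand-in for an HTTP URL parser, with `example.com` as a placeholder host. A raw `#` starts the URL fragment, which is never part of the request target; only a percent-encoded `%23` stays in the path, and it goes on the wire as `%23`, not as a literal `#`.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// splitTarget returns the escaped path and fragment as Go's URL parser sees them.
func splitTarget(rawURL string) (path, fragment string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	return u.EscapedPath(), u.EscapedFragment(), nil
}

// requestLine builds a POST request with net/http, serializes it as it would
// appear on the wire (no network I/O), and returns the request line.
func requestLine(rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodPost, rawURL, nil)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	line, err := bufio.NewReader(&buf).ReadString('\n')
	return strings.TrimRight(line, "\r\n"), err
}

func main() {
	// Constructed targets; example.com is a placeholder host (assumption).
	targets := []string{
		"http://example.com/vulnerable/endpoint#somevalue",   // raw '#': parsed as fragment
		"http://example.com/vulnerable/endpoint%23somevalue", // percent-encoded '#': stays in path
	}
	for _, raw := range targets {
		p, f, _ := splitTarget(raw)
		line, _ := requestLine(raw)
		fmt.Printf("%s\n  path=%q fragment=%q\n  wire: %s\n", raw, p, f, line)
	}
}
```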