Authenticated scan via secret file not working

[Lebotek]

Nuclei version:

v3.2.8

I am trying to do authenticated scanning against the DVWA of OWASP for educational purposes. But i am always getting the following error:
[FTL] Could not fetch dynamic secret: [urlutil:RUNTIME] failed to parse url got empty input

Steps To Reproduce:

1. Add dvwa-secrets.yaml and dvwa-login.yaml
2. Run DVWA in a docker container
3. Execute nuclei -u http://localhost:4280 -secret-file ./dvwa-secrets.yaml

The dvwa-secrets.yaml looks like this:

dynamic:
  - template: /path/to/dvwa-login.yaml
    variables:
      - name: username
        value: admin
      - name: password
        value: password
    type: cookie
    domains:
      - localhost:4280
    cookies:
      - raw: "{{session-cookie}}"

And the dvwa-login.yaml like this:

id: dvwa-login

info:
  name: DVWA Login
  author: lebotek
  severity: info
  description: |
    DVWA Login template for testing.
  tags: dvwa,login

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: regex
        name: token
        part: body
        internal: true
        group: 1
        regex:
          - '<input\stype=.hidden.\sname=.user_token.\svalue=.([[:alnum:]]{32}).\s\/>'
  - raw:
      - |
        POST /login.php HTTP/1.1
        Host: {{Hostname}}


        username={{username}}&password={{password}}&Login=Login&user_token={{token}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302
      - type: word
        part: header
        words:
          - 'index.php'
        condition: and

    extractors:
      - type: regex
        name: session-cookie
        part: header
        internal: true
        regex:
          - 'Set-Cookie.+?\sPHPSESSID=.+?SameSite=Strict'

I am probably just doing something wrong but even if i reduce both .yaml files to a minimum i always get this message either as a error or as a warning with a different followup error message like this:
[WRN] [dvwa-login] Could not execute request for : [urlutil:RUNTIME] failed to parse url got empty input
[FTL] Could not fetch dynamic secret: no extracted values found for dynamic secret

[Lebotek]

Here is a reduced example where i just added a plain get request and a extractor for the cookie

dynamic:
  - template: /path/to/test-login.yaml
    variables:
      - name: username
        value: admin
      - name: password
        value: password
    type: cookie
    domains:
      - localhost:4280
    cookies:
      - raw: "{{cookie}}"

id: test-login

info:
  name: DVWA Login
  author: lebotek
  severity: info
  description: |
    Login template for testing.
  tags: test,login

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: regex
        name: cookie
        part: header
        internal: true
        regex:
          - 'Set-Cookie.+?\sPHPSESSID=.+?;'

I get the following error:
[WRN] [test-login] Could not execute request for : [urlutil:RUNTIME] failed to parse url got empty input
[FTL] Could not fetch dynamic secret: no extracted values found for dynamic secret

[tarunKoyalwar]

@Lebotek , you were almost correct but here are some things you missed in template

dynamic:
  - template: login.yaml
    variables:
      - key: username  # <- its `key` and not `name`
        value: admin
      - key: password  # <- its `key` and not `name`
        value: password
    type: cookie
    domains:
      - localhost:4280
    input: http://localhost:80 # <- specify input where auth templates should be run ( specify here or make template a self-contained one)
    cookies:
      - raw: "{{session-cookie}}"

id: test-login

info:
  name: DVWA Login
  author: lebotek
  severity: info
  description: |
    Login template for testing.
  tags: test,login

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: regex
        name: session-cookie # <- this name should match variable name in secret file (earlier it was cookie and not session-cookie)
        part: header
        internal: true # <- this is optional and not a requirement 
        regex:
          - 'Set-Cookie.+?\sPHPSESSID=.+?;'

nuclei -id tech-detect -sf secrets.yaml -v -ps -u http://localhost:80                                       

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Excluded 115 template[s] with known weak matchers / tags excluded from default run using .nuclei-ignore
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 62
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Pre-fetching secrets from authprovider[s]
[VER] [test-login] Sent HTTP request to http://localhost:80
[VER] [tech-detect] Sent HTTP request to http://localhost:80
[tech-detect:php] [http] [info] http://localhost:80

setup

docker run --rm -it -p 80:80 vulnerables/web-dvwa

looks like we need to improve docs or new blog post with example about ^ (auth)
cc: @GeorginaReeder

[Lebotek]

I got it working now. Thank you very much! :)

[Th3R3p0]

I am having the same issue that Labotek mentioned.

@tarunKoyalwar was does the input parameter do? This is optional right? When you say "specify input where auth templates should be run" does this mean something like the following?

Your domain is something like app.example.com, but you need to authenticate against app.auth0.com so you want to specify the input to app.auth0.com?