Adding intrusive/non-intrusive nuclei flags

[danfaizer]

Is your feature request related to a problem? Please describe.
In some cases it would be convenient to run only non-intrusive templates (for legal or other reasons).
Some vulnerabilities, exposures or miss-configurations can be detected without being intrusive, but some other implies exploit the issue (create a record in a database, exploit an SSRF in the target by running a call-back, etc.) to ensure that the vulnerability is there which in some cases can be tricky.
Because how fast is growing Nuclei template repository is hard to filter out and select the templates yourself, is not a matter of laziness, is a matter of scale.

Describe the solution you'd like
It would be great if I could run nuclei specifying (with a flag for example, --non-intrusive) to run only non-intrusive checks for a given template category (i.e: CVEs).
At template level a new attribute would be required to indicate a template is non-intrusive and must be explicit.

This is only a suggestion. Feel free to comment if you would like more details or close if you don't see this feature suitable for the product. Thanks a lot for the tool! 🙇

[Ice3man543]

Hey @danfaizer, this sounds like a very good suggestion! One thing I think we should define is what should be considered intrusive and what should not be. Once we have that baseline decided, it should be very easy to add a field and a command-line option for the field.

[julianvilas]

This is an example of (in my opinion) a very intrusive test.

[danfaizer]

Thanks for the quick response and opening the discussion.

That is a good point indeed, having a generic and simple rule to decide if a check if intrusive or not is required to implement the feature successfully.

In my opinion, a simple rule that may work would look something like:

Non-intrusive:

Requests that are not crafted to impersonate someone you are not, modify/create/delete data in the target (except in log files) or perform requests to 3rd parties from the target.

Example of intrusive checks:
This check performs requests from the target to a 3rd party to verify the vulnerability.
This check impersonates someone you are not in the target.
This check create records in target's database.

Example of non-intrusive checks:
This check executes custom code in the target but does not affect the data integrity of the target.
This check executes custom code in the target but does not affect the data integrity of the target.
This navigates in the target drive but does not affect the data integrity.

Of course, in some cases the line is thin and opinions can differ, but can be a starting point.

[ehsandeep]

@danfaizer and others involved in this discussion, with the latest release of nuclei, we added support of exclude-tags/etags flag that can be used to exclude templates, as default we added dos tag in the exclude list, so all the templates with dos tag will be excluded as default, additionally, we are also tagging templates with intrusive tag as you suggested here.

with the introduction of the config file in the latest release, you can simply add these or any tags in the config file that you wish to exclude from all the runs.

[codingo]

I wanted to raise the discussion of having intrusive checks disabled by default, largely based upon projectdiscovery/nuclei-templates@28a85e2

This template (merged and in the latest release) does an insert on a product sessions table, in addition to adding a user of x, with a password of x. Having such options somewhat hidden from the user (as you'd need to review the template to catch it) risks some rather significant consequences for them, but also any target they execute against. Surely there's a better approach to intrusive checks?

[ehsandeep]

@codingo I've created an issue to automate the template tagging process for this specific case - projectdiscovery/nuclei-templates#7515

disabling as default is not a better approach as many cves / exploits fall in this category, producing false negative results and not desirable for all types of users and the project, primarily focusing on finding maximum vulnerabilities on the target system.

Instead, users who wish to disable as default can make use of the nuclei config file to disable these templates forever by adding the below line in $HOME/.config/nuclei/config.yaml

etags: intrusive