From 64ef60eb0aaf5535840285731640841f7f44f810 Mon Sep 17 00:00:00 2001
From: Ice3man
Date: Wed, 30 Oct 2024 15:48:24 +0530
Subject: [PATCH] feat: more logging + misc additions
---
 internal/server/exec.go | 31 +++++++++++++++++++++++++-----
 internal/server/requests_worker.go | 2 +-
 internal/server/server.go | 11 +++++++++++
 3 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/internal/server/exec.go b/internal/server/exec.go
index 7ee72b1071..cc53992d7e 100644
--- a/internal/server/exec.go
+++ b/internal/server/exec.go
@@ -22,7 +22,7 @@ type proxifyRequest struct {
 } `json:"request"`
 }
-func runNucleiWithFuzzingInput(target PostReuestsHandlerRequest, templates []string) ([]output.ResultEvent, error) {
+func (s *DASTServer) runNucleiWithFuzzingInput(target PostReuestsHandlerRequest, templates []string) ([]output.ResultEvent, error) {
 cmd := exec.Command("nuclei")
 tempFile, err := os.CreateTemp("", "nuclei-fuzz-*.yaml")
@@ -54,7 +54,6 @@ func runNucleiWithFuzzingInput(target PostReuestsHandlerRequest, templates []str
 argsArray := []string{
 "-duc",
 "-dast",
- "-silent",
 "-no-color",
 "-jsonl",
 }
@@ -63,15 +62,34 @@ func runNucleiWithFuzzingInput(target PostReuestsHandlerRequest, templates []str
 }
 argsArray = append(argsArray, "-l", tempFile.Name())
 argsArray = append(argsArray, "-im=yaml")
+
+ var stderrBuf bytes.Buffer
+ if s.options.Verbose {
+ cmd.Stderr = &stderrBuf
+ argsArray = append(argsArray, "-v")
+ } else {
+ argsArray = append(argsArray, "-silent")
+ }
 cmd.Args = append(cmd.Args, argsArray...)
- data, err := cmd.Output()
+ stdoutPipe, err := cmd.StdoutPipe()
 if err != nil {
- return nil, fmt.Errorf("error running nuclei: %w", err)
+ return nil, fmt.Errorf("error creating stdout pipe: %s", err)
+ }
+
+ errWithStderr := func(err error) error {
+ if s.options.Verbose {
+ return fmt.Errorf("error running nuclei: %s\n%s", err, stderrBuf.String())
+ }
+ return fmt.Errorf("error starting nuclei: %s", err)
+ }
+
+ if err := cmd.Start(); err != nil {
+ return nil, errWithStderr(err)
 }
 var nucleiResult []output.ResultEvent
- decoder := json.NewDecoder(bytes.NewReader(data))
+ decoder := json.NewDecoder(stdoutPipe)
 for {
 var result output.ResultEvent
 if err := decoder.Decode(&result); err != nil {
@@ -86,5 +104,8 @@ func runNucleiWithFuzzingInput(target PostReuestsHandlerRequest, templates []str
 }
 }
+ if err := cmd.Wait(); err != nil {
+ return nil, errWithStderr(err)
+ }
 return nucleiResult, nil
 }
diff --git a/internal/server/requests_worker.go b/internal/server/requests_worker.go
index 8616578fe7..3f254576b5 100644
--- a/internal/server/requests_worker.go
+++ b/internal/server/requests_worker.go
@@ -41,7 +41,7 @@ func (s *DASTServer) tasksConsumer() {
 }
 func (s *DASTServer) fuzzRequest(req PostReuestsHandlerRequest) {
- results, err := runNucleiWithFuzzingInput(req, s.options.Templates)
+ results, err := s.runNucleiWithFuzzingInput(req, s.options.Templates)
 if err != nil {
 gologger.Warning().Msgf("Could not run nuclei: %s\n", err)
 return
diff --git a/internal/server/server.go b/internal/server/server.go
index c13d7c7ce7..d3ab8e50cb 100644
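Review bot: In `runNucleiWithFuzzingInput` (internal/server/exec.go, hunk `@@ -63,15 +62,34 @@`), a scan that fails in non-verbose mode now leaves no diagnostic: `cmd.Stderr` is only attached when `s.options.Verbose` is set, and unlike the `cmd.Output()` call it replaces, `Start`/`Wait` do not populate `ExitError.Stderr`, so the child's stderr is discarded. `errWithStderr` also reports every non-verbose failure as "error starting nuclei", including the `cmd.Wait()` failure added later in the function, and the move from `%w` to `%s` stops callers from unwrapping the underlying error. I would set `cmd.Stderr = &stderrBuf` unconditionally, preferably through a size-capped writer because `-v` output is unbounded, and return `fmt.Errorf("error running nuclei: %w\n%s", err, stderrBuf.String())` on both paths. The function body starts and ends outside this hunk.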
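Review bot: The `cmd.Wait()` added in hunk `@@ -86,5 +104,8 @@` of internal/server/exec.go is reached only when the decode loop ends normally. The loop's error branch lies outside the visible lines, but if it returns on a malformed JSONL line the child is never waited on, which would leave the stdout pipe open and the nuclei process unreaped in a long-running server. Running `_ = cmd.Process.Kill(); _ = cmd.Wait()` before that early return, or deferring the same cleanup right after `cmd.Start()`, would cover that path. A non-zero exit here also throws away results already decoded into `nucleiResult`; if that is intended, a comment such as `// a failed run invalidates partial results` above the `Wait` check would make it explicit.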
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -1,6 +1,7 @@
 package server
 import (
+ "encoding/json"
 "fmt"
 "strings"
 "time"
@@ -48,6 +49,11 @@ type Options struct {
 func New(options *Options) (*DASTServer, error) {
 bufferSize := options.Concurrency * 100
+ // If the user has specified no templates, use the default ones
+ // for DAST only.
+ if len(options.Templates) == 0 {
+ options.Templates = []string{"dast/"}
+ }
 server := &DASTServer{
 options: options,
 tasksPool: pool.New().WithMaxGoroutines(options.Concurrency),
@@ -129,6 +135,11 @@ func (s *DASTServer) handleRequest(c echo.Context) error {
 return c.JSON(400, map[string]string{"error": "missing required fields"})
 }
+ if s.options.Verbose {
+ marshalIndented, _ := json.MarshalIndent(req, "", " ")
+ gologger.Verbose().Msgf("Received request: %s", marshalIndented)
+ }
+
 select {
 case s.fuzzRequests <- req:
 return c.NoContent(200)
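Review bot: The verbose branch added to `handleRequest` (internal/server/server.go, hunk `@@ -129,6 +135,11 @@`) writes the whole decoded request to the log, and for a DAST ingest endpoint that payload presumably carries raw HTTP traffic of the application under test, including cookies, `Authorization` headers and submitted credentials. Verbose logs tend to be shared or shipped for debugging, so I would log only a summary of the request or redact header and body values before marshalling, and state on the `Verbose` option that it records request contents. The error from `json.MarshalIndent` is also dropped; `if b, err := json.MarshalIndent(req, "", " "); err == nil { gologger.Verbose().Msgf("Received request: %s", b) }` avoids logging an empty payload without explanation. `handleRequest` starts and ends outside the hunk.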