functionality for time base attack

[savushkin-yauheni]

Hi team.

Do we have a possibility to check time based attacks ?

e.x. how i can check if request executes more than 30 secs ?

Thanks.

[ehsandeep]

@savushkin-yauheni https://nuclei.projectdiscovery.io/template-examples/http/#time-based-matcher

[savushkin-yauheni]

finally i think that it only works in raw request ?
so can we use {{BaseURL}} in raw request ?

[savushkin-yauheni]

final working template:

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && duration>=30'

[ehsandeep]

@savushkin-yauheni yes, this support works with RAW request only.

[savushkin-yauheni]

@ehsandeep hm. but i tested and it works totally fine =)
am i wrong and tested it in incorrect way ?

id: test

info:
  name: test
  author: savik
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && duration>=30'

[ehsandeep]

No, you are right, I meant to say the support of helper functions is in RAW request only, but this is supported via DSL matcher, so this will work any formatted request.

[dogasantos]

Hey guys, I noticed that this in master now (which is awesome, thanks!).

Can this be used to compare response time between N different requests?
Example:

I send the first request with a condition that should take N (unknown) seconds to be processed
Then I send the second request that should take more (unknown) time to be processed
Lately, I send the third request that should take even longer.

If I have those increasing times, we can consider this as a TRUE vulnerable host.

I have an example of this type of situation with palo alto integer overflow detection method described by Orange Tsai in the following link:

https://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html

I'm trying to create a template for it without crashing the instance, therefore, this time based comparision whould be vital.

Please, let me know your thoughts @ehsandeep

ty

[dogasantos]

testing

  - type: dsl
    dsl:
      - "duration_2>duration_1"
      - "duration_3>duration_2"

[dogasantos]

yep, it works!
ty!

[Marcio861]

Not work for me with raw and {{BaseURL}} and status_code==200 && duration>=3 :

requests:

• method: GET
  path:

  • "{{BaseURL}}"

  payloads:
  payload-sqli-time-based:
  - "1%20AND%20%28SELECT%201525%20FROM%20%28SELECT%28SLEEP%2821%29%29%29LyPy%29"

  fuzzing:

  • part: query
    type: replace
    mode: single
    fuzz:
    • "{{payload-sqli-time-based}}"
      matchers:
  • type: dsl
    dsl:
    • 'duration>=20'

url test: http://testphp.vulnweb.com/listproducts.php?cat=