Learn about bruteforcing HTTP requests using payloads with Nuclei
`{{helper_function(variable)}}` in case mutator functions are needed), and perform batteringram, pitchfork and clusterbomb attacks.
The wordlist for these attacks needs to be defined during the request definition under the payload field, with a name matching the keyword. Nuclei supports both file-based and in-template wordlists, and all DSL functionalities are fully available and can be used to manipulate the final values.

`-lfa` (or `-allow-local-file-access`) flag. This is necessary to allow access to local files that are not within the default templates directory.

`{{ }}` marker.

`clusterbomb` or `pitchfork` as attack type and defined only one variable in the payload section, the template will fail to compile, as `clusterbomb` and `pitchfork` expect more than one variable to be used in the template.

`batteringram` as the default type, which is generally used to fuzz a single parameter, and `clusterbomb` and `pitchfork` for fuzzing multiple parameters, which work the same way as in the classic Burp Intruder.

Type | batteringram | pitchfork | clusterbomb |
---|---|---|---|
Support | ✔ | ✔ | ✔ |

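
To show how the three attack types differ in the requests they produce, the following Python model (an added example, not code from Nuclei or its documentation) expands payload lists into per-request substitutions and enforces the more-than-one-variable rule described above. The variable names and values are constructed; the single-list rule for batteringram and pitchfork stopping at the shortest list are assumptions based on the Burp Intruder behaviour the text refers to.

```python
from itertools import product

# Constructed sample data: variable name -> wordlist, shaped like a payload section.
SAMPLE = {"param_a": ["a1", "a2", "a3"], "param_b": ["b1", "b2"]}


def expand(attack, payloads):
    """Return one {variable: value} mapping per request the attack type would send.

    This is a model for reasoning about scan volume, not Nuclei's implementation.
    """
    names = list(payloads)
    if not names:
        raise ValueError("no payload variables defined")

    if attack in ("pitchfork", "clusterbomb") and len(names) < 2:
        # The rule stated in the text: these types expect more than one variable.
        raise ValueError(f"{attack} expects more than one payload variable")

    if attack == "batteringram":
        # Assumption (Burp Intruder semantics): a single wordlist, one request per value.
        if len(names) != 1:
            raise ValueError("batteringram is modelled here with a single wordlist")
        return [{names[0]: value} for value in payloads[names[0]]]

    if attack == "pitchfork":
        # Lists advance in lockstep: first with first, second with second, ...
        # Assumption: iteration stops when the shortest list is exhausted.
        return [dict(zip(names, combo)) for combo in zip(*payloads.values())]

    if attack == "clusterbomb":
        # Every combination of values: request count is the product of list sizes.
        return [dict(zip(names, combo)) for combo in product(*payloads.values())]

    raise ValueError(f"unknown attack type: {attack}")


if __name__ == "__main__":
    print("batteringram:", len(expand("batteringram", {"param_a": SAMPLE["param_a"]})))
    for attack in ("pitchfork", "clusterbomb"):
        requests = expand(attack, SAMPLE)
        print(f"{attack}: {len(requests)} requests, first = {requests[0]}")
```

Running the model before a scan gives the request count each attack type implies, which grows multiplicatively for `clusterbomb`.
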
`clusterbomb` attack to fuzz.