projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page: https://github.com/projectdiscovery/nuclei

nginx-version.yaml template producing false-positive results

hczdmr opened this issue

Nuclei Version:

latest

Template file:

/technologies/nginx/nginx-version.yaml

Command to reproduce:

nuclei -u httpx://hangikur.com -t /opt/nuclei-templates/technologies/nginx/nginx-version.yaml

Anything else:

This template is producing a false-positive result for a response that does not have a version number in the HTTP response header.

That's not a false positive. If you check the response header of the website, there is no nginx version in the header.

C:\Users\user>curl -I "https://hangikur.com"
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2022 00:11:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 11080
Connection: keep-alive
Vary: Accept-Encoding
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=Edge

I know there is no nginx version in the response header, but the template name is "nginx version detect". If there is version info in the header, I assume the template will work correctly. Isn't that right?

Hello @hczdmr, thank you so much for creating this issue and contributing to this project 🚀
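
The distinction this thread turns on, nginx identified in the `Server` header versus an nginx version actually disclosed there, shown as an added Python example; it is not part of the issue thread and is not the nuclei template's own matcher. The function names and the two responses marked as constructed are assumptions for illustration; the first response is the one quoted in the thread, shortened.

```python
import re

# "nginx" as a product token, optionally followed by "/<dotted version>".
# The version group is optional so presence and disclosure are reported separately.
SERVER_TOKEN = re.compile(r"(?i)(?<![\w.-])nginx(?:/(\d+(?:\.\d+)+))?")

# Response head quoted in the thread (shortened).
PAGE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2022 00:11:12 GMT
Content-Type: text/html; charset=utf-8
"""

# Constructed samples, not taken from the page.
CONSTRUCTED_VERSIONED = "HTTP/1.1 200 OK\r\nserver: nginx/1.18.0 (Ubuntu)\r\n\r\n"
CONSTRUCTED_OTHER = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_nginx(raw):
    """Return ("absent" | "present" | "version", version_or_None)."""
    found = False
    for value in parse_headers(raw).get("server", []):
        match = SERVER_TOKEN.search(value)
        if not match:
            continue
        if match.group(1):  # a version string is disclosed
            return ("version", match.group(1))
        found = True  # nginx named, but no version given
    return ("present", None) if found else ("absent", None)


if __name__ == "__main__":
    for sample in (PAGE_RESPONSE, CONSTRUCTED_VERSIONED, CONSTRUCTED_OTHER):
        print(classify_nginx(sample))
```

A detector that reports on the "present" case identifies the technology; only the "version" case corresponds to a disclosed version number.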