From 61416bdb58fd4fc077b37ab0c21fb9d5b79ed3e4 Mon Sep 17 00:00:00 2001
From: Max Maass
Date: Mon, 10 Jan 2022 15:44:39 +0100
Subject: [PATCH] Split Nuclei cascade into two

The nuclei rule had problems because it omitted the protocol and port information. This commit splits it into two separate rules, one for http and one for https. This should make it more robust.

Signed-off-by: Max Maass
---
 .../cascading-rules/subdomain_http.yaml | 33 +++++++++++++++++++
 .../{subdomain.yaml => subdomain_https.yaml} | 18 +++++++---
 2 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 scanners/nuclei/cascading-rules/subdomain_http.yaml
 rename scanners/nuclei/cascading-rules/{subdomain.yaml => subdomain_https.yaml} (51%)

diff --git a/scanners/nuclei/cascading-rules/subdomain_http.yaml b/scanners/nuclei/cascading-rules/subdomain_http.yaml
new file mode 100644
index 0000000000..bb8f8d30aa
--- /dev/null
+++ b/scanners/nuclei/cascading-rules/subdomain_http.yaml
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2021 iteratec GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: "cascading.securecodebox.io/v1"
+kind: CascadingRule
+metadata:
+ name: "nuclei-subdomain-scan-light-http"
+ labels:
+ securecodebox.io/invasive: non-invasive
+ securecodebox.io/intensive: light
+spec:
+ matches:
+ anyOf:
+ - category: "Open Port"
+ attributes:
+ port: 80
+ state: open
+ - category: "Open Port"
+ attributes:
+ service: "http"
+ state: open
+ - category: "Open Port"
+ attributes:
+ service: "http-*"
+ state: open
+
+ scanSpec:
+ scanType: "nuclei"
+ parameters:
+ # Target domain name of the finding and start a nuclei scan
+ - "-u"
+ - "http://{{$.hostOrIP}}:{{attributes.port}}"
diff --git a/scanners/nuclei/cascading-rules/subdomain.yaml b/scanners/nuclei/cascading-rules/subdomain_https.yaml
similarity index 51%
rename from scanners/nuclei/cascading-rules/subdomain.yaml
rename to scanners/nuclei/cascading-rules/subdomain_https.yaml
index 819c120c3b..fd6135462c 100644
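Review bot: The rule in `subdomain_http.yaml` now fires on every `Open Port` finding rather than on `Subdomain` findings, yet `metadata.name` (`nuclei-subdomain-scan-light-http`), the file name and the comment above `-u` still describe a subdomain / domain-name scan; the same applies to `subdomain_https.yaml` in the second file. Since `{{$.hostOrIP}}` can presumably resolve to a bare IP address, whoever enables this cascade should be able to see that it follows port-scan results, so the scope of the parent scan decides which hosts nuclei will contact. I would reword the comment to `# Scan the web service behind the open-port finding: scheme, host (or IP) and port` and consider a rule name that no longer says "subdomain".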
--- a/scanners/nuclei/cascading-rules/subdomain.yaml
+++ b/scanners/nuclei/cascading-rules/subdomain_https.yaml
@@ -5,18 +5,28 @@
 apiVersion: "cascading.securecodebox.io/v1"
 kind: CascadingRule
 metadata:
- name: "nuclei-subdomain-scan-light"
+ name: "nuclei-subdomain-scan-light-https"
 labels:
 securecodebox.io/invasive: non-invasive
 securecodebox.io/intensive: light
 spec:
 matches:
 anyOf:
- - category: "Subdomain"
- osi_layer: "NETWORK"
+ - category: "Open Port"
+ attributes:
+ port: 443
+ state: open
+ - category: "Open Port"
+ attributes:
+ service: "https"
+ state: open
+ - category: "Open Port"
+ attributes:
+ service: "https*"
+ state: open
 scanSpec:
 scanType: "nuclei"
 parameters:
 # Target domain name of the finding and start a nuclei scan
 - "-u"
- - "{{location}}"
+ - "https://{{$.hostOrIP}}:{{attributes.port}}"
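Review bot: The `anyOf` entries of this rule and of `subdomain_http.yaml` are not mutually exclusive: a finding with `port: 443` and `service: "http"` satisfies the port entry here and the `service: "http"` entry there, so, if each entry is matched on its own as it appears to be, the same endpoint is scanned as both `https://host:443` and `http://host:443`. Whether the port scanner reports TLS-wrapped web servers as `http` is not visible in this patch, but if it does, the plain-HTTP scan talks to a TLS port and its results can mislead. The glob styles also differ (`"http-*"` in the first file, `"https*"` here, which makes the exact `service: "https"` entry redundant). A short comment above `anyOf`, such as `# TLS web services only; plain http is handled by nuclei-subdomain-scan-light-http`, would record the intended split.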