Scanning an Internal Site via a Proxy Endpoint using Nuclei

[poc2022]

Hello Nuclei Development Team,

I’m facing a challenge while using Nuclei and would appreciate your guidance on how best to solve it. Here’s the scenario:

I’m attempting to scan Site 2, which is an internal site, but the only way to interact with Site 2 is through Site 1, which acts as a proxy.

To scan Site 2, I must send a POST request to Site 1, where one of the POST parameters contains the URL of Site 2 (with different endpoints to be tested).

Site 1 sends the request to Site 2 and returns the entire response (including headers and body) from Site 2 as part of its own response.

My goal is to have Nuclei run scans on Site 2, but via Site 1, by replacing the endpoint paths in the POST parameter and analyzing the response from Site 1 (which includes Site 2's response).

The problem:

Nuclei normally sends requests directly to the target site and analyzes the responses from that target. In this case, all communication with Site 2 must go through Site 1 (via POST), and I need Nuclei to:

1. Send POST requests to Site 1, with the URL and endpoint for Site 2 passed as a parameter.

2. Automatically append different Nuclei-generated paths to Site 2 in the POST body (not the path of Site 1).

3. Analyze the response of Site 1 for vulnerabilities based on the content returned from Site 2.

Is there a way to configure Nuclei for this kind of indirect scanning where the actual target is Site 2, but the communication must go through Site 1?

Thank you for your help and insights!

[dogancanbakir]

This discussion closed automatically due to inactivity. Feel free to reopen or start new if still relevant.