Query automerge not supported in headless mode

[iambouali]

When scanning the provided URL, it appears that query automerge is not supported in headless mode. This limitation affects the ability to automatically determine whether to append an XSS payload using an ampersand (&) or a question mark (?) when dealing with URLs like https://host.com/test/ and https://host.com/test/?param=1.

Context

Query automerge is a crucial feature that determines the appropriate delimiter to use when appending an XSS payload to URLs. The presence or absence of existing query parameters should influence the choice between & and ? as the delimiter.

Expected Behavior

In headless mode, the scanning process should support query automerge and correctly determine the appropriate delimiter to use based on the presence or absence of existing query parameters.

Steps to Reproduce

• Access the URL: https://xxxxxx.oastify.com/?test=1 in headless mode.

• Observe that query automerge is not supported and the delimiter for appending an XSS payload is not determined correctly.

Template example

id: poc

info:
  name: poc
  author: poc
  severity: medium
  tags: poc

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/?{{aa}}="><pwnd>'
        action: navigate
      - action: waitload

    payloads:
      aa:
        - xss

echo https://example.com/testing?a=b | nuclei -t aa.yaml -headless -p http://127.0.0.1:8080 -v

Results into:

https://example.com/testing?a=b/?xss=%22%3E%3Cpwnd%3E

Expected:

https://example.com/testing?a=b&xss=%22%3E%3Cpwnd%3E

[iambouali]

Hello @ehsandeep - Do you have an ETA for when the fix for this issue will be implemented?

[tarunKoyalwar]

@iambouali , PR for this is raised along with some improvements

[ehsandeep]

@iambouali now fixed with the latest release.

[iambouali]

Yay, awesome news! Good job team, @tarunKoyalwar and @ehsandeep :)