Template condition / logic update to prevent unexpected request #11238

Open
ehsandeep opened this issue Nov 22, 2024 · 0 comments
Labels
Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

@ehsandeep

Template IDs or paths

http/credential-stuffing/cloud/github-login-check.yaml
http/credential-stuffing/cloud/postman-login-check.yaml
http/credential-stuffing/cloud/codepen-login-check.yaml
http/credential-stuffing/cloud/atechmedia-codebase-login-check.yaml
http/credential-stuffing/cloud/datadog-login-check.yaml
http/token-spray/api-mailchimp.yaml

Environment

- OS: mac
- Nuclei: latest

Steps To Reproduce

nuclei -t http/credential-stuffing/cloud/github-login-check.yaml -t http/credential-stuffing/cloud/postman-login-check.yaml -t http/credential-stuffing/cloud/codepen-login-check.yaml -t http/credential-stuffing/cloud/atechmedia-codebase-login-check.yaml -t http/credential-stuffing/cloud/datadog-login-check.yaml -t http/token-spray/api-mailchimp.yaml -v -esc

Relevant dumped responses

$ nuclei -t http/credential-stuffing/cloud/github-login-check.yaml -t http/credential-stuffing/cloud/postman-login-check.yaml -t http/credential-stuffing/cloud/codepen-login-check.yaml -t http/credential-stuffing/cloud/atechmedia-codebase-login-check.yaml -t http/credential-stuffing/cloud/datadog-login-check.yaml -t http/token-spray/api-mailchimp.yaml -v -esc

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.6

		projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.3.6 (latest)
[INF] Current nuclei-templates version: v10.0.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 74
[INF] Templates loaded for current scan: 6
[INF] Executing 6 signed templates from projectdiscovery/nuclei-templates
[VER] [codepen-login-check] Sent HTTP request to https://codepen.io/login
[WRN] [codepen-login-check] Could not make http request for https://codepen.io/login: unresolved variables found: token,token,username,password
[WRN] [api-mailchimp] Could not make network request for smtp.mandrillapp.com:465: unresolved variables found: base64(hex_decode('00')+'apikey'+hex_decode('00')+token)
[VER] [atechmedia-codebase-login-check] Sent HTTP request to https://identity.atechmedia.com/login
[WRN] [atechmedia-codebase-login-check] Could not make http request for https://identity.atechmedia.com/login: unresolved variables found: url_encode(authenticity_token),username,password
[VER] [datadog-login-check] Sent HTTP request to https://app.datadoghq.com/account/login
[WRN] [datadog-login-check] Could not make http request for https://app.datadoghq.com/account/login: unresolved variables found: username,password
[VER] [postman-login-check] Sent HTTP request to https://identity.getpostman.com/login
[WRN] [postman-login-check] Could not make http request for https://identity.getpostman.com/login: unresolved variables found: csrfToken,username,password
[VER] [github-login-check] Sent HTTP request to https://github.com/login
[WRN] [github-login-check] Could not make http request for https://github.com/login: unresolved variables found: authenticity_token,username,password,timestamp,timestamp_secret
[INF] No results found. Better luck next time!

Anything else?

These templates need to be updated to ensure they don’t create an initial request when the required input (token, username or password) is not provided. This might also require some changes to the nuclei engine to make this possible.

Note: with the latest nuclei update, these templates are disabled by default but could still be an issue when the -enable-self-contained option is used.

Reference - projectdiscovery/nuclei#5800

@ehsandeep ehsandeep added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Nov 22, 2024
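
A triage helper for the verbose output in this issue, as an added example (not part of the issue or of nuclei): it pairs each `unresolved variables found` warning with any `Sent HTTP request` line for the same template, so templates that contacted a host before failing on missing input stand out. The function names `variables` and `triage` are hypothetical; the log lines are copied from the dump above.

```python
import re

# Verbose log lines copied from the dump in this issue.
LOG = """\
[VER] [codepen-login-check] Sent HTTP request to https://codepen.io/login
[WRN] [codepen-login-check] Could not make http request for https://codepen.io/login: unresolved variables found: token,token,username,password
[WRN] [api-mailchimp] Could not make network request for smtp.mandrillapp.com:465: unresolved variables found: base64(hex_decode('00')+'apikey'+hex_decode('00')+token)
[VER] [atechmedia-codebase-login-check] Sent HTTP request to https://identity.atechmedia.com/login
[WRN] [atechmedia-codebase-login-check] Could not make http request for https://identity.atechmedia.com/login: unresolved variables found: url_encode(authenticity_token),username,password
[VER] [datadog-login-check] Sent HTTP request to https://app.datadoghq.com/account/login
[WRN] [datadog-login-check] Could not make http request for https://app.datadoghq.com/account/login: unresolved variables found: username,password
[VER] [postman-login-check] Sent HTTP request to https://identity.getpostman.com/login
[WRN] [postman-login-check] Could not make http request for https://identity.getpostman.com/login: unresolved variables found: csrfToken,username,password
[VER] [github-login-check] Sent HTTP request to https://github.com/login
[WRN] [github-login-check] Could not make http request for https://github.com/login: unresolved variables found: authenticity_token,username,password,timestamp,timestamp_secret
"""

SENT = re.compile(r"^\[VER\] \[(?P<id>[^\]]+)\] Sent HTTP request to (?P<url>\S+)")
UNRESOLVED = re.compile(
    r"^\[WRN\] \[(?P<id>[^\]]+)\] Could not make \w+ request for \S+: "
    r"unresolved variables found: (?P<vars>.+)$"
)
# An identifier that is not immediately called: a variable, not a helper function.
NAME = re.compile(r"\b[A-Za-z_]\w*\b(?!\s*\()")


def variables(expr):
    """Variable names used in the logged expressions, de-duplicated in order."""
    without_literals = re.sub(r"'[^']*'", "", expr)  # drop 'apikey', '00'
    return list(dict.fromkeys(NAME.findall(without_literals)))


def triage(log):
    """Map template id -> missing inputs and the URL the log says it contacted."""
    sent, missing = {}, {}
    for line in log.splitlines():
        if m := SENT.match(line):
            sent[m["id"]] = m["url"]
        elif m := UNRESOLVED.match(line):
            missing[m["id"]] = variables(m["vars"])
    # request_sent is None when the log has no "Sent HTTP request" line for the template.
    return {tid: {"missing": names, "request_sent": sent.get(tid)}
            for tid, names in missing.items()}


if __name__ == "__main__":
    for tid, entry in triage(LOG).items():
        state = f"contacted {entry['request_sent']}" if entry["request_sent"] else "no request logged"
        print(f"{tid}: {state}; missing {', '.join(entry['missing'])}")
```
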