Template applicability - smarter scans

[gunnsth]

Currently if I do a scan on some IP, there is a ton of templates that are applicable. Example:

[VER] [graphql-detect] Sent HTTP request to https://10.70.3.185/graphiql.php
[VER] [graphql-detect] Sent HTTP request to https://10.70.3.185/graphql
[VER] [graphql-detect] Sent HTTP request to https://10.70.3.185/graphql-console
[VER] [graphql-detect] Sent HTTP request to https://10.70.3.185/graphql-explorer
[VER] [graphql-detect] Sent HTTP request to https://10.70.3.185/graphiql.css
[VER] [graphql-detect] Sent HTTP request to https://10.70.3.185/graphql.php

Obviously I think if the https://10.70.3.185/graphql request failed, then probably some other checks are gonna be inapplicable.
I'm just saying that as an example without knowing anything about graphql-detect.

But it would make sense if there was some "applicability" check, that checks, is graphql there, and then some deeper checks can follow?
For example if we are looking at wordpress plugins, then is wordpress installed on the host (prereq)?
If a port is not open we're not really gonna be trying further requests, like if port 80 is not open, then we shouldn't hammer requests.

For a lot of things it would make sense to first check the index.html and check presence of certain scripts or links... Or look for some "fingerprints".

This being said, I am relatively new to nuclei. But from my perspective, it's really important for scans to be smart. Like if we're checking cars, then we should first check "is it a car?" before we start looking at its brakes etc. It's important to minimize the requests and footprint of the scanner.

[dogancanbakir]

Thanks for initiating the discussion.

Obviously I think if the https://10.70.3.185/graphql request failed, then probably some other checks are gonna be inapplicable.

In fact, there are several paths, each contributed by different people, that can help you discover GraphQL.

In general, nuclei tries to optimize where possible, for example, clustering the templates to reduce requests -you might find this information when running CLI [INF] Templates clustered: 1321 (Reduced 1260 Requests). It's important to remember that the web has a non-deterministic nature. Sometimes, certain endpoints may not be available during initial requests, limiting how smart our approach can be.

Additionally, there's a flag named -automatic-scan, or -as for short, which facilitates automatic scanning with Wappalyzer to identify the technology stack on the target and map them to the relevant tags. Think of this as optimized scanning. Maybe you're looking for this?

Let me know if you have any other questions!