feat: added tracking for status code, waf-detection & grouped errors

[Ice3man543]

Proposed changes

• Added http-stats flag allowing exporting grouped per-request Status Codes, Errors & WAF Detections (if any detected in the response)

Closes #6045

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Introduced an experimental HTTP statistics tracking option via a new command-line flag. Users can now capture HTTP response codes and error details during operations, with summary reports presented at the end.
  • Added a WAF (Web Application Firewall) detection system that identifies various WAFs based on predefined patterns.

• Tests

  • Added tests to validate the accuracy of HTTP status tracking and Web Application Firewall detection, ensuring reliable performance of the new analytics feature.

[coderabbitai]

Walkthrough

This change adds an experimental HTTP status tracking feature. A new boolean flag (HTTPStats) is introduced to enable status capturing via the command-line and options configuration. The tracker is integrated into the runner, and additional writer methods have been implemented to log HTTP status codes and response details. A new stats package provides a Tracker for counting status codes, error kinds, and WAF detections while tests ensure proper functionality. Minor modifications were made in the HTTP request module to log stats during execution.

Changes

File(s)	Change Summary
cmd/nuclei/main.go, pkg/types/types.go	Added new HTTPStats flag in CLI options and options struct for enabling HTTP status capturing.
internal/runner/runner.go	Integrated outputstats.Tracker into the Runner struct; initializes tracker when HTTPStats is enabled and displays stats on close.
pkg/output/multi_writer.go, pkg/output/output.go, pkg/testutils/testutils.go	Added RequestStatsLog method to Writer implementations to log HTTP response status and details.
pkg/output/output_stats.go	Introduced StatsOutputWriter type implementing the Writer interface for handling and reporting HTTP statistics.
pkg/output/stats/stats.go, pkg/output/stats/stats_test.go	Added a new stats package with a Tracker for capturing status codes, error kinds, and WAF detections, including associated tests.
pkg/protocols/http/request.go	Added a call to log HTTP status and full response content using RequestStatsLog within the request execution flow.
pkg/output/stats/waf/waf.go, pkg/output/stats/waf/waf_test.go	Introduced WAF detection functionality with a new WafDetector struct and corresponding tests for detection accuracy.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI
    participant Runner
    participant Tracker
    participant Writer

    User->>CLI: Execute with HTTPStats flag enabled
    CLI->>Runner: Initialize Runner with HTTPStats option
    Runner->>Tracker: Create new Tracker instance
    Runner->>Writer: Configure multi-writer with TrackerWriter
    Runner->>HTTP Request: Process requests
    HTTP Request->>Writer: Log status via RequestStatsLog
    Writer->>Tracker: Update stats counters
    Runner->>User: On close, display tracked HTTP stats

Loading

sequenceDiagram
    participant RequestModule as "HTTP Request"
    participant Writer
    participant Tracker

    RequestModule->>Writer: Call RequestStatsLog(statusCode, response)
    Writer->>Tracker: Forward and update statistics

Loading

Suggested reviewers

• dogancanbakir
• Mzack9999

Poem

I’m a rabbit hopping in a field of code so neat,
With HTTP stats that dance to every beat.
New flags and trackers now join the play,
Logging each response along the way.
In lines of tests and mermaid dreams we sing,
Celebrating change with a joyful spring!

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (4)

pkg/output/stats/stats_test.go (2)

7-27: Add edge cases to error tracking tests.

The test covers basic increment scenarios but would benefit from additional edge cases:

• Concurrent access to error counters
• Error kinds with special characters
• Very long error kind strings

---

29-84: Enhance WAF detection test coverage.

While the test covers major WAF providers, consider adding:

• Partial WAF signature matches
• Case sensitivity tests
• Multi-line WAF signatures
• WAF signatures with special characters

pkg/output/output.go (1)

564-564: Add TODO comment for empty implementation.

The empty implementation suggests future work. Add a TODO comment to track this.

-func (w *StandardWriter) RequestStatsLog(statusCode, response string) {}
+// TODO: Implement HTTP stats logging
+func (w *StandardWriter) RequestStatsLog(statusCode, response string) {}

cmd/nuclei/main.go (1)

449-449: Enhance the flag description.

While the flag is correctly added, consider providing a more detailed description that explains:

• What kind of HTTP stats are captured (status codes, WAF detections, errors)
• Where and how the stats are displayed
• The experimental nature of the feature and any limitations

Apply this diff to improve the description:

-		flagSet.BoolVarP(&options.HTTPStats, "http-stats", "hps", false, "enable http status capturing (experimental)"),
+		flagSet.BoolVarP(&options.HTTPStats, "http-stats", "hps", false, "enable http stats capturing including status codes, WAF detections & grouped errors (displayed at the end of scan) (experimental)"),

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82a5d35 and 0f524f7.

⛔ Files ignored due to path filters (1)

• pkg/output/stats/regexes.json is excluded by !**/*.json

📒 Files selected for processing (10)

• cmd/nuclei/main.go (1 hunks)
• internal/runner/runner.go (4 hunks)
• pkg/output/multi_writer.go (2 hunks)
• pkg/output/output.go (5 hunks)
• pkg/output/output_stats.go (1 hunks)
• pkg/output/stats/stats.go (1 hunks)
• pkg/output/stats/stats_test.go (1 hunks)
• pkg/protocols/http/request.go (1 hunks)
• pkg/testutils/testutils.go (2 hunks)
• pkg/types/types.go (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• pkg/protocols/http/request.go

🧰 Additional context used

🪛 GitHub Check: Lint

pkg/output/stats/stats.go

[failure] 70-70:
Error return value of m.Set is not checked (errcheck)

---

[failure] 86-86:
Error return value of t.errorCodes.Iterate is not checked (errcheck)

---

[failure] 90-90:
Error return value of t.statusCodes.Iterate is not checked (errcheck)

---

[failure] 94-94:
Error return value of t.wafDetected.Iterate is not checked (errcheck)

🪛 GitHub Actions: 🔨 Tests

pkg/output/stats/stats.go

[error] 70-70: Error return value of m.Set is not checked (errcheck)

🔇 Additional comments (10)

pkg/output/output_stats.go (1)

8-51: Implementation of StatsOutputWriter and integration with Tracker

The StatsOutputWriter struct and its methods are correctly implemented, effectively integrating with the Tracker for statistics observation. The methods fulfill the Writer interface requirements and appropriately delegate tracking responsibilities.

pkg/output/multi_writer.go (2)

11-12: Assert MultiWriter implements the Writer interface

The declaration var _ Writer = &MultiWriter{} ensures at compile time that MultiWriter satisfies the Writer interface. This is a good practice to catch implementation errors early.

---

63-67: Add RequestStatsLog method to MultiWriter

The RequestStatsLog method is properly added to MultiWriter, forwarding the call to all underlying writers. This ensures that all writers receive and handle the stats logging consistently.

pkg/testutils/testutils.go (1)

206-206: LGTM!

The empty implementation is appropriate for a mock object, allowing tests to override the behavior when needed.

pkg/output/output.go (1)

53-54: LGTM!

Clean addition of the new method to the interface with clear documentation.

pkg/types/types.go (1)

226-227: LGTM!

Clean addition of the HTTPStats field with clear documentation. The field's purpose aligns well with the PR objectives.

internal/runner/runner.go (4)

22-22: LGTM!

The import statement is correctly aliased and properly specified.

---

96-97: LGTM!

The httpStats field is correctly added to the Runner struct with proper type.

---

262-265: LGTM!

The HTTP stats tracking initialization is properly implemented:

1. Correctly guarded by the HTTPStats flag
2. Properly initializes the tracker
3. Correctly wraps the output writer

---

372-374: LGTM!

The HTTP stats display is properly implemented with appropriate nil check and respects the color settings.

[coderabbitai]

⚠️ Potential issue

Check the error return value of t.statusCodes.Iterate

Similar to the previous comment, the error return value of t.statusCodes.Iterate is not being checked. This could result in missing errors during the iteration over status codes.

Apply this diff to handle the error:

-    t.statusCodes.Iterate(func(k string, v *atomic.Int32) error {
+    if err := t.statusCodes.Iterate(func(k string, v *atomic.Int32) error {
         stats.StatusCodeStats[k] = int(v.Load())
         return nil
-    })
+    }); err != nil {
+        // Handle the error appropriately, e.g., log the error
+    }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	t.statusCodes.Iterate(func(k string, v *atomic.Int32) error {
	stats.StatusCodeStats[k] = int(v.Load())
	return nil
	})
	if err := t.statusCodes.Iterate(func(k string, v *atomic.Int32) error {
	stats.StatusCodeStats[k] = int(v.Load())
	return nil
	}); err != nil {
	// Handle the error appropriately, e.g., log the error
	}

🧰 Tools

🪛 GitHub Check: Lint

[failure] 90-90:
Error return value of t.statusCodes.Iterate is not checked (errcheck)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

pkg/output/stats/waf/waf.go (4)

6-6: Consider using a more flexible logging approach.

Instead of using the standard log package, consider using an interface-based logging approach that allows consumers to provide their own logger implementation. This would make the package more flexible and testable.

-	"log"
+	"io"

Then update the NewWafDetector function to accept a logger:

-func NewWafDetector() *WafDetector {
+func NewWafDetector(logger io.Writer) *WafDetector {
 	var data wafData
 	if err := json.Unmarshal([]byte(wafContentRegexes), &data); err != nil {
-		log.Printf("could not unmarshal waf content regexes: %s", err)
+		fmt.Fprintf(logger, "could not unmarshal waf content regexes: %s\n", err)
 	}

---

10-13: Add documentation for exported struct and fields.

Since WafDetector is exported, it should have proper documentation explaining its purpose and fields.

+// WafDetector provides functionality to detect and identify Web Application Firewalls (WAFs)
+// based on response content patterns.
 type WafDetector struct {
+	// wafs contains a mapping of WAF IDs to their definitions
 	wafs       map[string]waf
+	// regexCache contains pre-compiled regular expressions for WAF detection
 	regexCache map[string]*regexp.Regexp
 }

---

50-57: Add context and input validation.

Consider these improvements:

1. Add context for timeout control.
2. Validate input content.
3. Consider case-insensitive matching option.

-func (d *WafDetector) DetectWAF(content string) (string, bool) {
+func (d *WafDetector) DetectWAF(ctx context.Context, content string) (string, bool) {
+	if content == "" {
+		return "", false
+	}
+
 	for id, regex := range d.regexCache {
+		select {
+		case <-ctx.Done():
+			return "", false
+		default:
+		}
 		if regex.MatchString(content) {
 			return id, true
 		}
 	}
 	return "", false
 }

---

59-62: Add input validation.

Add validation for the WAF ID parameter.

 func (d *WafDetector) GetWAF(id string) (waf, bool) {
+	if id == "" {
+		return waf{}, false
+	}
 	waf, ok := d.wafs[id]
 	return waf, ok
 }

pkg/output/stats/waf/waf_test.go (1)

5-60: Enhance test coverage and performance.

Consider these improvements:

1. Add edge cases (empty content, very long content, special characters).
2. Enable parallel test execution.
3. Add benchmarks for performance testing.
4. Test error cases from NewWafDetector.

 func TestWAFDetection(t *testing.T) {
-	detector := NewWafDetector()
+	detector, err := NewWafDetector()
+	if err != nil {
+		t.Fatalf("failed to create detector: %v", err)
+	}
 	if detector == nil {
 		t.Fatal("expected non-nil wafDetector")
 	}

 	tests := []struct {
 		name        string
 		content     string
 		expectedWAF string
 		shouldMatch bool
 	}{
+		{
+			name:        "Empty content",
+			content:     "",
+			expectedWAF: "",
+			shouldMatch: false,
+		},
+		{
+			name:        "Very long content",
+			content:     strings.Repeat("a", 1000000),
+			expectedWAF: "",
+			shouldMatch: false,
+		},
+		{
+			name:        "Content with special characters",
+			content:     "Response with special chars: !@#$%^&*()",
+			expectedWAF: "",
+			shouldMatch: false,
+		},
 		// existing test cases...
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			waf, matched := detector.DetectWAF(tt.content)
 			if matched != tt.shouldMatch {
 				t.Errorf("expected match=%v, got match=%v", tt.shouldMatch, matched)
 			}
 			if matched && waf != tt.expectedWAF {
 				t.Errorf("expected WAF=%s, got WAF=%s", tt.expectedWAF, waf)
 			}
 		})
 	}
 }

+func BenchmarkWAFDetection(b *testing.B) {
+	detector, err := NewWafDetector()
+	if err != nil {
+		b.Fatalf("failed to create detector: %v", err)
+	}
+
+	content := "Attention Required! | Cloudflare"
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		detector.DetectWAF(content)
+	}
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3bfe682 and 2c001a6.

⛔ Files ignored due to path filters (1)

• pkg/output/stats/waf/regexes.json is excluded by !**/*.json

📒 Files selected for processing (4)

• pkg/output/stats/stats.go (1 hunks)
• pkg/output/stats/stats_test.go (1 hunks)
• pkg/output/stats/waf/waf.go (1 hunks)
• pkg/output/stats/waf/waf_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/output/stats/stats_test.go
• pkg/output/stats/stats.go

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Tests (macOS-latest)
• GitHub Check: Tests (windows-latest)
• GitHub Check: Tests (ubuntu-latest)

🔇 Additional comments (1)

pkg/output/stats/waf/waf.go (1)

27-28: Verify regexes.json file.

Please ensure that:

1. The regexes.json file exists in the same directory.
2. The regex patterns are well-tested and optimized.
3. The file is properly formatted and validated.

✅ Verification successful

🏁 Script executed:

#!/bin/bash
# Description: Verify regexes.json file exists and is valid JSON

# Test: Check if file exists and is valid JSON
if [ -f "pkg/output/stats/waf/regexes.json" ]; then
    jq . pkg/output/stats/waf/regexes.json >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo "regexes.json exists and is valid JSON"
        # Show file contents for review
        cat pkg/output/stats/waf/regexes.json
    else
        echo "regexes.json exists but is not valid JSON"
    fi
else
    echo "regexes.json does not exist"
fi

Length of output: 60059

---

Regexes File Verification Complete

The regexes.json file located in pkg/output/stats/waf/regexes.json exists, is well-formatted, and successfully validates as JSON. The file contains a comprehensive set of regex definitions along with their corresponding metadata and signatures.

• The file is present in the expected directory.
• It passes JSON validation (using jq).
• The regex patterns and associated data are clearly structured for further reviews and testing.

[dogancanbakir]

Ignore test fails; fixed in ai-flag branch.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cmd/nuclei/main.go (1)

450-450: LGTM! The flag is well-integrated and properly documented.

The new http-stats flag follows the established patterns:

• Uses consistent naming with other flags
• Includes experimental status in description
• Properly integrated into the stats group

However, since this is an experimental feature, consider adding a warning message when the flag is enabled.

Add a warning message in the readConfig function when the flag is enabled:

 if options.HTTPStats {
+    gologger.Warning().Msgf("The http-stats flag is experimental and its behavior may change in the future")
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c001a6 and 14fd8c8.

📒 Files selected for processing (3)

• cmd/nuclei/main.go (1 hunks)
• internal/runner/runner.go (4 hunks)
• pkg/types/types.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/types/types.go
• internal/runner/runner.go

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Tests (macOS-latest)
• GitHub Check: Tests (windows-latest)
• GitHub Check: Tests (ubuntu-latest)