Is it possible to have redirection with Raw HTTP protocol on nuclei?

[pascal-sun]

Hi 👋

It seems that with Raw HTTP protocol, follow redirection does not work. I don't know if this is normal (due to technical constraints?) or if it's a bug.

For example, I have a web application that redirect to /auth/login when you go to /.

FastAPI demo

Code (main.py)

from fastapi import FastAPI
from fastapi.responses import RedirectResponse

app = FastAPI()


@app.get("/", response_class=RedirectResponse)
async def redirect():
    return "/auth/login"

@app.get("/auth/login")
async def login():
    return "Work!"

Run

pip install "fastapi[standard]"
fastapi dev main.py

Basic HTTP protocol ✅

The following template works perfectly and do follow redirection:

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    redirects: true 

Complete template and result

id: redirect-check

info:
  name: Redirect Check
  author: pascal-sun
  severity: info
  tags: http

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    redirects: true 
    matchers:
      - type: status
        status:
          - 200

# nuclei -u http://127.0.0.1:8000/ -templates t.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.5.1 (latest)
[INF] Current nuclei-templates version: v10.3.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [redirect-check] Dumped HTTP request for http://127.0.0.1:8000/

GET / HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/3.6.6
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [redirect-check] Dumped HTTP response http://127.0.0.1:8000/

HTTP/1.1 200 OK
Connection: close
Content-Length: 7
Content-Type: application/json
Date: Thu, 04 Dec 2025 11:26:59 GMT
Server: uvicorn

"Work!"
[redirect-check:status-1] [http] [info] http://127.0.0.1:8000/auth/login
[DBG] [redirect-check] Dumped HTTP response http://127.0.0.1:8000/

HTTP/1.1 307 Temporary Redirect
Connection: close
Date: Thu, 04 Dec 2025 11:26:59 GMT
Location: /auth/login
Server: uvicorn
Content-Length: 0

[INF] Scan completed in 34.983527ms. 1 matches found.

Raw HTTP protocol ❌

But with the following template with the same request, the redirection is not followed (even with -follow-redirects option):

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    redirects: true

Complete template and result

id: redirect-check

info:
  name: Redirect Check
  author: pascal-sun
  severity: info
  tags: http

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    redirects: true
    matchers:
      - type: status
        status:
          - 200

# nuclei -u http://127.0.0.1:8000/ -templates t.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.5.1 (latest)
[INF] Current nuclei-templates version: v10.3.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 0
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [redirect-check] Dumped HTTP request for http://127.0.0.1:8000/

GET / HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

[DBG] [redirect-check] Dumped HTTP response http://127.0.0.1:8000/

HTTP/1.1 307 Temporary Redirect
Connection: close
Date: Thu, 04 Dec 2025 11:31:24 GMT
Location: /auth/login
Server: uvicorn
Content-Length: 0

[INF] Scan completed in 114.610475ms. No results found.

Is it a normal behavior, do I missed something?

[bad-antics]

This is expected behavior - raw HTTP requests in nuclei do not follow redirects the same way as the basic HTTP protocol. This is by design because raw requests give you precise control over the HTTP interaction.

For raw requests that need redirect following, you have a few options:

1. Use max-redirects with raw (nuclei v3+):

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    max-redirects: 3
    redirects: true

2. Chain multiple raw requests:

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: regex
        name: redirect_location
        part: header
        regex:
          - "Location: (.*)"
        internal: true

  - raw:
      - |
        GET {{redirect_location}} HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: status
        status:
          - 200

3. Use basic HTTP protocol (which you showed works) if you dont need the raw control.

The raw protocol is primarily for when you need exact control over headers/body and typically for vulnerability testing where redirect behavior needs to be explicit.