Revisit Nuclei directory_only setting

Open TheTechromancer opened this issue 1 year ago • 3 comments

For anyone running the bbot nuclei module, the silent rejection of some URLs tends to cause confusion:

[image]

I'm sure we had a good reason for this setting but to someone used to nuclei, the behavior is unexpected. If we decide to keep it, we need to make sure it's explained well and featured prominently in the documentation.

TheTechromancer, May 07 '24 14:05

Running without directory_only can be extremely dangerous, depending on what other modules are run with it. If you have something spitting out thousands of individual URLs, you are literally going to run nuclei thousands of times in that mode. You're gonna have a VERY BAD time.

The option is there to change it, because there are definitely times you want to, but the downside is really huge for people who don't know exactly what they are doing - hence the default.

I will probably make a preset geared towards doing this type of nuclei scanning that has plenty of safeguards in place. But as it stands right now, this default is putting in some work preventing absolute chaos.

liquidsec, May 07 '24 15:05

Hey, thanks for the explanation. 🙏 So, if I write hostname instead of directory, like this:

bbot -t davidwalsh.name -m httpx nuclei -om asset_inventory --allow-deadly modules.nuclei.templates=/root/.bbot/tools/nuclei-templates/http/miscellaneous/addeventlistener-detect.yaml

Then when BBOT detects this URL: https://www.davidwalsh.name/demo/window-post-message.php, the nuclei template works correctly without needing to use modules.nuclei.directory_only=false?

Sh4d0wHunt3rX, May 08 '24 16:05

Today in my scan, my target was emag.bg, but no finding was emitted for https://marketplace.emag.bg/infocenter/app/plugins/wpml-multilingual-cms/res/js/cookies/language-cookie.js from nuclei without using modules.nuclei.directory_only=false.

Sh4d0wHunt3rX, May 09 '24 16:05
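
To see ahead of a scan which URLs a directory-only gate like the one discussed in this thread would leave out, the following added example (not BBOT's code and not from any commenter) splits a URL list into scanned and skipped sets and reports the skipped ones. It assumes a URL counts as a directory when its path is empty or ends in `/`; that rule, the function names and the example.com URLs are all constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of URL events such as a discovery module might emit.
SAMPLE_URLS = [
    "https://www.example.com",
    "https://www.example.com/demo/",
    "https://www.example.com/demo/?page=2",
    "https://www.example.com/demo/window-post-message.php",
    "https://shop.example.com/app/plugins/",
    "https://shop.example.com/app/plugins/res/js/language-cookie.js",
    "https://shop.example.com/app/plugins/res/js/language-cookie.js?v=3",
]

def is_directory_url(url):
    """Assumed rule: the path is empty or ends in '/' (query string ignored)."""
    path = urlsplit(url).path
    return path == "" or path.endswith("/")

def partition(urls, directory_only=True):
    """Split URLs into (scanned, skipped) as a directory-only gate would."""
    scanned, skipped = [], []
    for url in urls:
        keep = is_directory_url(url) or not directory_only
        (scanned if keep else skipped).append(url)
    return scanned, skipped

def report(urls, directory_only=True):
    """Make the otherwise silent rejection visible, with per-host totals."""
    scanned, skipped = partition(urls, directory_only)
    per_host = Counter(urlsplit(u).hostname for u in scanned)
    lines = [f"directory_only={directory_only}: "
             f"{len(scanned)} scanned, {len(skipped)} skipped"]
    lines += [f"  scan targets on {h}: {n}" for h, n in sorted(per_host.items())]
    lines += [f"  SKIPPED {u}" for u in skipped]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_URLS, directory_only=True))
    print(report(SAMPLE_URLS, directory_only=False))
```

Comparing the two reports shows both sides of the trade-off raised above: the file-style URLs that are dropped by default, and how the number of scan targets grows once the gate is turned off.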