nuclei icon indicating copy to clipboard operation
nuclei copied to clipboard

Published 20 hours ago verified publisher icon projectdiscovery

output will be the [ redirected to ] URL and not the host/URL that got scanned which causes the redirection

Open osamahamad opened this issue 2 years ago • 9 comments

Nuclei version:

2.7.5

Current Behavior:

in the latest version of nuclei I observed that when a hit is generated with in a template that follows redirect then the output will be the [ redirected to ] URL and not the host/URL that got scanned which causes the redirection. This was not the case in older nuclei version

Expected Behavior:

I found it so annoying and I wished there is an argument in nuclei to display at least both the subdomain and the redirected domain that is vulnerable or just an argument that display the subdomain only and not the ( redirected to ) as vulnerable similar to the old versions.

Steps To Reproduce:

For example: use the following target bullsheet.me make usual subfinder command and find its subdomain and scan them with nuclei full templates. A lot of results will be similar to image image image image image

See , that the researcher can not actually know which subdomain that results in a redirect to those vulnerable domains for example one of them is buscocampo.com ( I can not know which subdomain of bullsheet.me actually have a redirect to buscocampo.com which is vulnerable to mysql native password info issue )

Anything else:

image

osamahamad avatar Aug 24 '22 10:08 osamahamad

Hey @osamahamad if you could please share a reproducible example (template, cli command and target url) I'd be happy to push a fix for this so it works again as expected.

jimen0 avatar Aug 28 '22 10:08 jimen0

hey, @jimen0 @ehsandeep

  • run subfinder and httpx for this domain subfinder -d bullsheet.me -nC | httpx | tee -a targets.txt

  • run nuclei , default nuclei -l targets -t /all-nuclei-public-templates

Observe the results and tell me if you can understand anything for a huge amount of templates hits. I think that should be prioritized more, there are a lot of hosts on the web that will redirect you to a domain that does not belong to the original domain at all ( 3rd party, promotion ..etc ) and this version will generate hits to the ( redirected to ) domain and display to the user only the last redirection.

This means if a template that follows redirect spots a vuln in x.com and x.com actually redirects to y.com , nuclei will display y.com hit only, researcher will get confused between the results because it is hard to determine in-scope and out-of-scope domains in this way.

osamahamad avatar Sep 05 '22 12:09 osamahamad

Please, share a minimal, reproducible example. I won't be scanning a third party without any authorization in such an aggressive way to debug this. @osamahamad

jimen0 avatar Sep 05 '22 12:09 jimen0

@jimen0 Use any template name which is ( info ) fingerprint templates provided in the example above on the same list. mx-service-detector , ssl-dns-names ..etc , otherwise, I can't help u with anything else.

osamahamad avatar Sep 05 '22 15:09 osamahamad

Quick reproducer:

id: jimeno-test 

info:
  name: Test for nuclei
  author: jimeno
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/hello"
    redirects: true
    max-redirects: 10
    matchers:
      - type: word
        words:
          - 'illustrative examples in documents'

Run the following listener:

package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
)

func main() {
	http.HandleFunc("/hello", func(w http.ResponseWriter, r *http.Request) {
		b, _ := httputil.DumpRequest(r, true)
		fmt.Printf("[+] Received request:\n%s\n", b)

		http.Redirect(w, r, "https://example.com/", http.StatusFound)
	})

	if err := http.ListenAndServe("127.0.0.1:3000", nil); err != nil {
		log.Fatalf("failed to listen: %v", err)
	}
}

$ go run ./cmd/nuclei -t /tmp/example.yaml -u http://127.0.0.1:3000/ -silent
[2022-09-06 09:13:19] [jimeno-test] [http] [info] https://example.com/

@osamahamad if I got this correctly your point is that nuclei's output should say http://127.0.0.1:3000/ instead of https://example.com/. Is that right?

jimen0 avatar Sep 06 '22 07:09 jimen0

Hi @jimen0 Exactly, this behavior was updated in 2.7.2 as part of https://github.com/projectdiscovery/nuclei/issues/2008 to display host where you actually get the hit and not the input host. I think a solution for this is either by adding an argument to return back the old behavior or an argument that displays both hosts, the input host, and the redirection host.

osamahamad avatar Sep 07 '22 04:09 osamahamad

hey pd team @Ice3man543 @forgedhallpass what is the intended behavior? Thanks!

jimen0 avatar Sep 08 '22 08:09 jimen0

Based on what we've discussed, probably we'll want to revert certain parts of the previous modifications. We'd want something like:

  1. [ ] TODO 1:
  • if the redirect happens to another domain, show the original domain in the output, to prevent confusion
    • input: example.com, redirect to anotherdomain.com, then show example.com
  • if the redirect is within the same domain, then show the redirected path
    • if input http://example.com, redirect to https://example.com, then show https://example.com
    • if input http://example.com, redirect to http://example.com/login, then show http://example.com/login
  1. [ ] TODO 2:
  • Furthermore we'll want to extend the JSON output to include both the original and redirected locations.
  1. [ ] TODO 3:
  • Test cases to cover the above mentioned scenarios

@ehsandeep will have to confirm the requirements first.

forgedhallpass avatar Sep 10 '22 12:09 forgedhallpass

This issue will be indirectly fixed after implementation of https://github.com/projectdiscovery/nuclei/issues/2612 and updating existing templates, where redirects: true is used with host-redirects: true with some exception where global redirects might be intended.

ehsandeep avatar Sep 17 '22 13:09 ehsandeep