
Updated 8x templates to use interactsh-url over oast.tld #10099

Open
wants to merge 1 commit into base: main

Conversation

fullstackpotato (Contributor) commented Jun 24, 2024

Updated 8x templates to use {{interactsh-url}} over oast[.]TLD. This change is primarily for users who wish to control where their data is going, e.g. supplying their own interactsh server and expecting their data to go there rather than a hardcoded domain.

Caveat: there will be other templates that I've missed. I did a quick search for anything that has a hardcoded domain and checks the response for "Interactsh Server".

GeorginaReeder commented:

Great, thanks for your contribution @fullstackpotato!

DhiyaneshGeek self-assigned this Jun 27, 2024
DhiyaneshGeek added the Status: On Hold label Jun 27, 2024
princechaddha (Member) commented:

Hello @fullstackpotato, thank you so much for updating these templates and contributing to this project 🍻

We use {{interactsh-url}} in most templates, except for a few SSRF cases. Simply using {{interactsh-url}} produces a lot of false positive results because some hosts/honeypots simply send a callback to any URL they receive. Hardcoding the domain helps in these cases. However, you are right; some companies may wish to control where their data is going or want to provide their own Interactsh server.

In this case, the team will update the matchers of these templates along with adding {{interactsh-url}}. We will also add a flow loop to ensure the callback is received and that the product is the same as specified in the templates, not from a honeypot.

You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

princechaddha added the Status: In Progress label and removed the Status: On Hold label Jul 1, 2024
fullstackpotato (Contributor, Author) commented Jul 1, 2024

Hey thank you for the reply, and appreciate you all looking at this.
Yeah, that's a good point. I did have a think about this before putting the PR in. These templates here are all making a request and displaying the contents of the interactsh server's page to the user, so the risk should be limited in terms of FPs.

There is one more template that I spotted on Friday, which is:

form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password=
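The two matcher strategies discussed in this thread, shown side by side as an added example (these are not templates from nuclei-templates): the hardcoded oast.pro domain with a body match on "Interactsh Server", and {{interactsh-url}} combined with a check that the callback actually arrived and that the responding product is the expected one rather than a honeypot that calls back to any URL. The template ids, the /fetch?url= endpoint and the "ExampleFetcher" banner are hypothetical; {{interactsh-url}}, matchers-condition and the interactsh_protocol matcher part are nuclei's own syntax.

```yaml
# Added example, not a template from nuclei-templates. The ids, the
# /fetch?url= endpoint and the "ExampleFetcher" banner are hypothetical.

# 1) Before: hardcoded OAST domain. The target's outbound request always goes
#    to oast.pro, whatever -iserver / -itoken the nuclei user configured.
id: example-ssrf-hardcoded-oast

info:
  name: Example SSRF via hardcoded oast.pro
  author: example
  severity: medium

http:
  - method: GET
    path:
      - "{{BaseURL}}/fetch?url=http://oast.pro/"
    matchers:
      - type: word
        part: body
        words:
          - "Interactsh Server"   # OAST server index banner, reflected by the target

---
# 2) After: {{interactsh-url}} expands to a unique subdomain of the Interactsh
#    server nuclei is configured to use, so the callback lands where the user
#    chose. A callback alone is weak evidence (some hosts and honeypots call
#    back to any URL they receive), so require the OAST hit AND a
#    product-specific marker in the target's own response.
id: example-ssrf-interactsh-url

info:
  name: Example SSRF via Interactsh URL
  author: example
  severity: medium

http:
  - method: GET
    path:
      - "{{BaseURL}}/fetch?url=http://{{interactsh-url}}/"
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol   # only set when the OAST server saw the callback
        words:
          - "http"
      - type: word
        part: body                  # hypothetical banner of the real product, absent on a honeypot
        words:
          - "ExampleFetcher"
```

The `---` only separates the two illustrations here; nuclei expects one template per file. With the second form, pointing nuclei at a self-hosted server (`-iserver https://your.interactsh.example -itoken <token>`) keeps the target's callback off ProjectDiscovery's public oast.* domains, and the `and` condition means a bare callback from a host that fetches anything it is handed does not match on its own.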

fullstackpotato (Contributor, Author) commented:

Also, a QQ off the back of this request: when templates are accepted into the repo, do you discourage the use of hardcoded URLs for these types of checks?
Thinking out loud, these domains may get changed or dropped, causing false negatives, or a person may want to use their own interactsh server to control where their data is going.

princechaddha (Member) commented:

@fullstackpotato We try not to add any hardcoded domains, but in some edge cases when we do, the domains are for our interactsh service only and not for any third-party domains.
