audit: remove hardcoded researcher OOB callback subdomains#9
Open
serialstream0 wants to merge 10 commits into
A recent static-analysis audit of the public nuclei-template ecosystem identified templates in this repository that hard-code a third-party out-of-band (OOB) callback subdomain — researcher-controlled burpcollaborator.net, dnslog.cn, or ngrok.io endpoints — into the exploit payload, rather than using nuclei's {{interactsh-url}} per-scan placeholder.

Impact. Every time a user successfully exploits a vulnerable target with one of these templates, the target's outbound DNS/HTTP signal reaches the third party who controls the hard-coded subdomain — silently telling that party which target was scanned and when. It is not a scanner-host compromise, but it is an OPSEC leak that propagates indefinitely with every byte-identical copy.
This PR's changes:

Replace the hard-coded URL with {{interactsh-url}} (nuclei's per-scan, scanner-local OOB placeholder):
- 1001-to-2000-templates/apachesolrlfissrf.yaml — https://bugbounty.requestcatcher.com/ssrf → https://{{interactsh-url}}
- 2001-to-3000-templates/blind_ssrf.yaml — https://9a7d-183-82-25-4.ngrok.io → https://{{interactsh-url}}

Delete templates where in-place fix is not safe (URL embedded in a hex-encoded serialized payload, template's literal purpose is exfiltration, or xray YAML dialect that does not run under nuclei):
- 12001-to-13000-templates/CVE-2020-13942 2.yaml — xray YAML dialect (not nuclei) — uses {{
- 14001-to-15000-templates/cve-2021-26295-5853.yaml — Same as variant A — hex payload contains the URL
- 14001-to-15000-templates/cve-2021-26295-5854.yaml — Mass-scan variant pointing at the author's local wordlist (/home/mahmoud/Wordlist/AllSubdomains
- 14001-to-15000-templates/cve-2021-26295-5856.yaml — Same as variant A — hex payload contains the URL
- 14001-to-15000-templates/cve-2021-26295-5857.yaml — Same as variant A — hex payload contains the URL
- 24001-to-25000-templates/errors-n-vulns.yaml — xray YAML dialect (not nuclei)
- 29001-to-30000-templates/lfr.yaml — The template's stated purpose is exfiltration ('Local File Read on Nuclei with Exfiltration')
- 36001-to-37000-templates/ssrf.yaml — xray YAML dialect (not nuclei)

These templates appear in this repository as byte-identical copies of upstream PoCs not authored here; the same patch is needed in many other community repositories.

A companion issue has been opened with the full file list and audit context.
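The audit the PR describes, as an added example that is not code from this PR, from the repository, or from nuclei: a small Python check that flags hard-coded OOB hosts in a template, tells plaintext occurrences (fixable by swapping in {{interactsh-url}}) apart from ones that only exist inside a hex-encoded serialized blob (not safely fixable in place, the PR's deletion criterion), and performs the in-place rewrite for the fixable case. The domain list, the sample templates and all function names are assumptions constructed for this example; oastify.com is added to the list beyond the domains the PR names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Third-party OOB callback domains to flag. The first four are the ones the PR
# names; oastify.com is an assumption added for this example. Extend to taste.
OOB_DOMAINS = (
    "burpcollaborator.net",
    "dnslog.cn",
    "ngrok.io",
    "requestcatcher.com",
    "oastify.com",
)
PLACEHOLDER = "{{interactsh-url}}"

_DOMAINS = "|".join(re.escape(d) for d in OOB_DOMAINS)
# A hostname (at least one label) under one of the OOB domains.
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+(?:" + _DOMAINS + r")\b")
# The same host inside a URL, including any port and path, so the whole URL
# can be collapsed to scheme://{{interactsh-url}} the way the PR does.
URL_RE = re.compile(r"https?://(?:[A-Za-z0-9-]+\.)+(?:" + _DOMAINS + r")(?::\d+)?[^\s'\"]*")
# Long hex runs are candidate serialized payloads (hashes decode to noise and
# simply never match HOST_RE, so they cost nothing but a decode).
HEX_RUN_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


@dataclass
class Finding:
    line: int
    host: str
    kind: str      # "plaintext" or "hex-encoded"
    fixable: bool  # only plaintext hosts can be swapped for the placeholder


def audit_template(text: str) -> List[Finding]:
    """Find hard-coded OOB hosts, both in clear text and inside hex-encoded blobs."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HOST_RE.finditer(line):
            findings.append(Finding(lineno, m.group(0), "plaintext", True))
        for run in HEX_RUN_RE.finditer(line):
            hexstr = run.group(0)
            if len(hexstr) % 2:          # odd-length run: drop the dangling nibble
                hexstr = hexstr[:-1]
            decoded = bytes.fromhex(hexstr).decode("latin-1")
            for m in HOST_RE.finditer(decoded):
                findings.append(Finding(lineno, m.group(0), "hex-encoded", False))
    return findings


def rewrite_template(text: str) -> Optional[str]:
    """Return the template with plaintext OOB URLs/hosts replaced by the per-scan
    placeholder, or None when some finding cannot be fixed in place (the PR's
    criterion for deleting the template instead of patching it)."""
    findings = audit_template(text)
    if any(not f.fixable for f in findings):
        return None
    # Collapse full URLs first so the path after the host is dropped too,
    # then catch bare hostnames used in DNS-style payloads.
    text = URL_RE.sub(lambda m: m.group(0).split("://", 1)[0] + "://" + PLACEHOLDER, text)
    return HOST_RE.sub(PLACEHOLDER, text)


# Constructed sample templates for this example; they are not files from the repository.
CLEAN_TEMPLATE = """id: blind-ssrf-ok
requests:
  - raw:
      - |
        GET /?url=https://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}
"""

FIXABLE_TEMPLATE = """id: blind-ssrf-demo
requests:
  - raw:
      - |
        GET /?url=https://demo-1234.ngrok.io/cb HTTP/1.1
        Host: {{Hostname}}
"""

# The OOB URL only exists inside a hex-encoded serialized blob, like the
# cve-2021-26295 variants the PR deletes rather than patches.
_HEX_BLOB = b"GET http://x.burpcollaborator.net/ HTTP/1.1\r\n".hex()
HEX_TEMPLATE = f"""id: deser-demo
requests:
  - raw:
      - |
        POST /rpc HTTP/1.1
        Host: {{{{Hostname}}}}

        {_HEX_BLOB}
"""

if __name__ == "__main__":
    for name, tpl in (("clean", CLEAN_TEMPLATE), ("fixable", FIXABLE_TEMPLATE), ("hex", HEX_TEMPLATE)):
        findings = audit_template(tpl)
        if not findings:
            verdict = "no hard-coded OOB host"
        elif rewrite_template(tpl) is not None:
            verdict = "fix in place with " + PLACEHOLDER
        else:
            verdict = "DELETE (not safely fixable in place)"
        print(f"{name}: {verdict}")
        for f in findings:
            print(f"  line {f.line}: {f.kind} {f.host}")
```

Run it over a template directory by feeding each file's text to audit_template; anything that comes back with a hex-encoded finding is in the same position as the cve-2021-26295 variants above and needs a rewritten payload rather than a string substitution. Base64-encoded blobs are not decoded here and would need an equivalent pass.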