Security-Tools-Alliance / rengine-ng

reNgine-ng is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface.
GNU General Public License v3.0

bug: Scan not starting when `subdomain is_default` is set to `False` #7

Closed psyray closed 2 months ago

psyray commented 4 months ago

Is there an existing issue for this?

Current Behavior

For an unexplained reason, some subdomains do not launch any scan. When you click Initiate scan, the task is sent to Celery, but the following log is present:

```
rengine-celery-1       | initiate_subscan                   | WARNING | https://img-dev.xxx.com [200] `0B` `Apache` `159.114883ms`
rengine-celery-1       | remove_duplicate_endpoints         | INFO | Removing duplicate endpoints based on ['content_length', 'page_title']
rengine-celery-1       | run_command                        | INFO | rm /usr/src/scan_results/xxx.com_10/subscans/445/httpx_input.txt
rengine-celery-1       | run_command                        | WARNING | None
rengine-celery-1       | initiate_subscan                   | WARNING | Found subdomain root HTTP URL https://img-dev.xxx.com
rengine-celery-1       | ================================dir_file_fuzz
rengine-celery-1       | dir_file_fuzz                      | WARNING | Task dir_file_fuzz is RUNNING
rengine-celery-1       | dir_file_fuzz                      | WARNING | []
rengine-celery-1       | ================================http_crawl
```

The important line is this one:

```
rengine-celery-1       | dir_file_fuzz                      | WARNING | []
```

No URL is present, so the scan cannot start.

After further investigation, the problem comes from the database. In the endpoint table, there are default endpoints, and for every subdomain without a default entry on the base subdomain (https://www.xxx.com), the scan will not start.

Here is my sub that does not scan: [image]

The default entry is set while doing a target scan; after that, it is never set elsewhere. So if there is a problem while setting this value, subdomains are listed, but you can't launch any scan on them.

Workaround

If the `is_default` value is set to True in the DB, the scan will work properly. So go to /admin and edit the desired value in the endpoint table. Then relaunch the scan.

Expected Behavior

The scan should start for a subdomain present in the table.

Steps To Reproduce

Random: some domains work, others do not. Needs investigation.

Environment

- reNgine: 2.0.5
- OS: Debian 12
- Python: 2.10
- Docker Engine: x
- Docker Compose: x
- Browser: FF 110

Anything else?

No response
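
The failure mode and workaround reported above, as an added example that is not part of the original report or of reNgine-ng's code. It uses a constructed SQLite schema (table and column names other than `is_default` are assumptions, and `example.test` is a placeholder) to list subdomains that have no default endpoint and to flag an existing root endpoint the way the /admin edit would.

```python
import sqlite3

# Constructed stand-in schema: only the is_default flag and the endpoint URL
# mirror what the issue describes; table and column names are assumptions.
SCHEMA = """
CREATE TABLE subdomain (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE endpoint (id INTEGER PRIMARY KEY, subdomain_id INTEGER NOT NULL,
                       http_url TEXT NOT NULL, is_default INTEGER NOT NULL DEFAULT 0);
"""

def build_sample_db():
    """In-memory database with constructed rows (example.test is a placeholder)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO subdomain VALUES (?, ?)", [
        (1, "www.example.test"), (2, "img-dev.example.test"), (3, "api.example.test")])
    conn.executemany(
        "INSERT INTO endpoint (subdomain_id, http_url, is_default) VALUES (?, ?, ?)", [
            (1, "https://www.example.test", 1),      # healthy: root flagged default
            (2, "https://img-dev.example.test", 0),  # root known, flag never set
            (2, "https://img-dev.example.test/static/app.js", 0)])
    return conn                                      # api.* has no endpoint rows

def subdomains_without_default(conn):
    """Subdomains with no endpoint flagged is_default: the ones that cannot scan."""
    rows = conn.execute(
        "SELECT s.name FROM subdomain s LEFT JOIN endpoint e "
        "ON e.subdomain_id = s.id AND e.is_default = 1 "
        "WHERE e.id IS NULL ORDER BY s.name")
    return [name for (name,) in rows]

def default_urls(conn, name):
    """URLs a subscan would receive if it only reads default endpoints (assumption)."""
    rows = conn.execute(
        "SELECT e.http_url FROM endpoint e JOIN subdomain s ON s.id = e.subdomain_id "
        "WHERE s.name = ? AND e.is_default = 1 ORDER BY e.http_url", (name,))
    return [url for (url,) in rows]

def apply_workaround(conn, name):
    """Flag the subdomain's existing root endpoint as default; returns rows changed."""
    cur = conn.execute(
        "UPDATE endpoint SET is_default = 1 WHERE http_url IN (?, ?) AND subdomain_id = "
        "(SELECT id FROM subdomain WHERE name = ?)",
        (f"https://{name}", f"http://{name}", name))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    for sub in subdomains_without_default(db):
        print(sub, "fixed" if apply_workaround(db, sub) else "no root endpoint to flag")
```

A return value of 0 from `apply_workaround` means the subdomain has no root endpoint row at all, so there is nothing to flag and the endpoint has to be created first.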