reNgine-ng is an automated reconnaissance framework for web applications with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and a simple yet intuitive user interface.
GNU General Public License v3.0
bug(scan): unwanted subdomains during fetch_url task on a given subdomain #99
Expected Behavior
If we launch a scan on a given subdomain, there's no reason another subdomain should be saved to the DB. The fetch_url task needs to be restricted to the currently tested subdomain.
Current Behavior
While scanning a target, I've seen that, under certain circumstances, the fetch_url task creates and scans subdomains that are not part of the subdomain requested.
Current workflow:
1. Launch a fetch_url task on subdomain.example.com
2. Waybackurls finds a subdomain called other-subdomain.example.com
3. The subdomain is added to the txt file with the URLs gathered from the different tools (here waybackurls)
4. An httpx run is launched with the txt file as source, and the subdomain is added to the DB
This works like this because fetch_url is not restricted to the subdomain but to the domain: https://github.com/Security-Tools-Alliance/rengine-ng/blob/bf61bed99184edd24e565f79d9731651ae6bd380/web/reNgine/tasks.py#L1778-L1779
Does this workflow seem correct to you? @AnonymousWP @Talanor
My opinion is that, if we launch a scan on a given subdomain, there's no reason another subdomain should be saved to the DB. So we need to restrict the fetch_url task to the current subdomain.
If it's OK with you, I will work on it.
Steps To Reproduce
See above
Environment
Anything else?
No response
Acknowledgements
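The workflow described in the issue (tool output such as waybackurls collected into a txt file, then fed to httpx, whose results land in the DB) has no filtering step between the collection and the httpx run, so any host that appears in a gathered URL is probed and stored. The block below is an added example, not reNgine-ng's own code, of the kind of filter the issue asks for: it keeps only URLs whose host is exactly the requested subdomain. The function names, the `SAMPLE_TOOL_OUTPUT` lines and the scheme-less input handling are assumptions made for the example; the host names come from the issue. It also shows why a suffix match is the wrong way to do this: `other-subdomain.example.com` ends with `subdomain.example.com`, so `endswith` would keep the exact host the issue complains about.

```python
"""Restrict gathered URLs to the subdomain under test (added example, not project code).

Hypothetical filter that could sit between the URL-gathering tools and the
httpx run in a fetch_url-style task, so that hosts other than the requested
subdomain never reach httpx and therefore never get inserted into the DB.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample in the shape waybackurls-style tools print, one URL per line.
SAMPLE_TOOL_OUTPUT = [
    "https://subdomain.example.com/login",
    "http://SubDomain.Example.com:8080/api/v1/users",  # case and port differ only
    "https://other-subdomain.example.com/",            # the host from the issue
    "https://subdomain.example.com.evil.example/x",    # prefix-match trap
    "https://example.com/robots.txt",                  # parent domain
    "subdomain.example.com/static/app.js",             # scheme-less line
    "",                                                # blank line in tool output
]


def url_host(url: str) -> Optional[str]:
    """Return the normalised host of a URL (lower-case, no port, no trailing dot).

    Returns None for blank or unparsable input so callers drop it rather than
    letting it through. Scheme-less lines get a '//' prefix so urlsplit treats
    the leading component as the netloc instead of as a path.
    """
    url = url.strip()
    if not url:
        return None
    if "://" not in url:
        url = "//" + url
    try:
        host = urlsplit(url).hostname  # already lower-cased and port-free
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".")


def filter_urls_to_host(urls: List[str], subdomain: str) -> Tuple[List[str], List[str]]:
    """Split URLs into (kept, dropped): kept have a host exactly equal to `subdomain`.

    Exact comparison is deliberate. A suffix check would accept
    other-subdomain.example.com for a scan of subdomain.example.com, and a
    prefix check would accept subdomain.example.com.evil.example.
    """
    target = url_host(subdomain)
    kept, dropped = [], []
    for u in urls:
        (kept if target is not None and url_host(u) == target else dropped).append(u)
    return kept, dropped


def naive_suffix_filter(urls: List[str], subdomain: str) -> List[str]:
    """The wrong approach, kept here only to show what it lets through."""
    target = subdomain.lower()
    return [u for u in urls if (url_host(u) or "").endswith(target)]


if __name__ == "__main__":
    kept, dropped = filter_urls_to_host(SAMPLE_TOOL_OUTPUT, "subdomain.example.com")
    print("kept   :", kept)
    print("dropped:", dropped)
    print("suffix match would also keep:",
          [u for u in naive_suffix_filter(SAMPLE_TOOL_OUTPUT, "subdomain.example.com")
           if u not in kept])
```

Applied to the sample, only the three lines whose host is `subdomain.example.com` (in any case, with or without a port or scheme) survive; `other-subdomain.example.com`, the parent domain and the look-alike host are dropped before anything is handed to httpx.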