blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Recursion bugs still present in iis_shortnames #1671

Open TheTechromancer opened 3 weeks ago

TheTechromancer commented 3 weeks ago

@liquidsec

2024-08-17 03:19:21,034 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:19:21,034 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:19:27,836 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:19:27,837 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:20:00,132 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:20:00,134 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:20:15,578 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:20:15,580 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:10,460 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:10,461 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:20,327 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:20,328 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:40,172 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:40,173 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:52,570 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:21:52,571 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:22:34,909 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:22:34,909 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:22:44,690 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:22:44,690 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:22:59,598 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:22:59,598 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:23:09,879 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:23:09,880 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:23:51,172 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:23:51,172 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:24:02,052 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:24:02,053 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:24:24,814 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:24:24,814 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:24:36,403 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:24:36,404 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:25:08,380 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:25:08,380 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:25:24,968 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:25:24,968 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:25:48,835 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:25:48,836 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:26:03,688 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:26:03,688 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:28:43,964 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:28:43,965 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:29:13,987 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:29:13,988 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:31:09,044 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:34:06,744 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:38:09,200 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:43:09,785 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 03:51:10,619 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.
2024-08-17 04:00:05,319 [VERBOSE] bbot.modules.iis_shortnames logger.py:132 iis_shortnames: max_node_count (50) exceeded for node: https://www1-cdn.la.dell.com/. Affected branch will be terminated.

Full scan log

liquidsec commented 2 weeks ago

Since I can't reproduce with that domain, I can only assume this was a once in a million fluke.

There's really no way to completely stop this. I have safeguards to limit it once it starts to run away, which I am sure kicked in eventually to stop that.

The options are:

1) Increase the number of confirmations required for an initial detection.
2) Shorten the "safeguard" limit, so that it kicks in sooner.

Drawbacks of #1:

This adds overhead for ALL detections. Basically, the rarer I make it, the more overhead is attached to every legitimate detection.

Drawbacks of #2:

A legitimate true positive with a lot of real shortnames is also affected by this limit. It would start to cut off real results if there was a large amount of them.

I suppose there's option 3, which is make those verbose messages debug. Most of the time if this happens (which again, should be VERY rare at this point), nobody would notice the scan taking a bit longer waiting for the safeguard to kick in.

TheTechromancer commented 2 weeks ago

Based on my testing I'd say it's around 1 in 1000. Dell.com has 10K subdomains and there's a high chance at least one of them will get stuck.

I'm personally in favor of #2, i.e. a very eager abort, but maybe with a FINDING generated, so we can circle back around and investigate it manually. Maybe the abort threshold can be configurable so for a more targeted scan you can really crank it up.
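To make the trade-off in the two comments above concrete, here is an added toy model of the shortname recursion and its runaway safeguard. It is example code written for this page, not bbot's iis_shortnames module: the `ShortnameOracle` class stands in for the HTTP probes the real module sends (the `wildcard=True` host, which answers "exists" for every prefix, is a constructed stand-in for the runaway case in the log, and the shortname lists are made up), the charset and the 6-character limit are assumptions, and `confirmations` (option 1) and `max_node_count` (option 2, with a finding recorded on abort as proposed in the last comment) are this example's own parameters.

```python
"""Toy model of IIS 8.3 shortname enumeration with two runaway safeguards.

Added example, not bbot code. The oracle below replaces the real HTTP probes
(`/prefix*~1*/.aspx` style requests whose status code reveals whether any
shortname starts with `prefix`). A host that answers 'yes' to everything makes
the prefix tree grow combinatorially, which is the behaviour the log shows.
"""
import string
from dataclasses import dataclass, field

CHARSET = string.ascii_lowercase + string.digits  # assumption: toy charset
MAX_NAME_LEN = 6  # 8.3 shortnames have at most 6 chars before the ~N suffix


class ShortnameOracle:
    """Constructed stand-in for the target host; counts probes it receives."""

    def __init__(self, shortnames=(), wildcard=False):
        self.shortnames = {s.lower() for s in shortnames}
        self.wildcard = wildcard  # constructed runaway host: every prefix 'exists'
        self.requests = 0

    def prefix_exists(self, prefix):
        self.requests += 1
        if self.wildcard:
            return True
        return any(s.startswith(prefix) for s in self.shortnames)

    def is_complete(self, name):
        self.requests += 1
        if self.wildcard:
            return True
        return name in self.shortnames


@dataclass
class ScanResult:
    shortnames: list = field(default_factory=list)
    findings: list = field(default_factory=list)   # abort notices for manual follow-up
    nodes: int = 0                                  # confirmed prefixes visited
    requests: int = 0                               # total probes sent to the oracle


def enumerate_shortnames(oracle, max_node_count=50, confirmations=1):
    """Depth-first walk over the prefix tree with both safeguards from the thread."""
    result = ScanResult()
    aborted = False

    def confirmed_prefix(prefix):
        # Option 1: demand N consistent positive answers before trusting a hit.
        # Costs extra probes on every true positive, not only on flukes.
        return all(oracle.prefix_exists(prefix) for _ in range(confirmations))

    def walk(prefix):
        nonlocal aborted
        for ch in CHARSET:
            if aborted:
                return
            candidate = prefix + ch
            if not confirmed_prefix(candidate):
                continue
            result.nodes += 1
            if result.nodes > max_node_count:
                # Option 2: cut the branch off and leave a finding instead of
                # silently looping; a large legitimate tree is cut off too.
                aborted = True
                result.findings.append(
                    f"max_node_count ({max_node_count}) exceeded at prefix "
                    f"{candidate!r}; branch terminated")
                return
            if oracle.is_complete(candidate):
                result.shortnames.append(candidate)
            if len(candidate) < MAX_NAME_LEN:
                walk(candidate)

    walk("")
    result.requests = oracle.requests
    return result


if __name__ == "__main__":
    runaway = enumerate_shortnames(ShortnameOracle(wildcard=True), max_node_count=50)
    print(runaway.findings[0], "after", runaway.requests, "probes")
    legit = ["index", "web", "backup"]
    for n in (1, 3):
        r = enumerate_shortnames(ShortnameOracle(legit), confirmations=n)
        print(f"confirmations={n}: found {r.shortnames} in {r.requests} probes")
```

Running it shows the two drawbacks side by side: on the wildcard host the walk stops with a finding once 50 confirmed prefixes have been visited instead of running on, raising `confirmations` from 1 to 3 adds probes to a clean three-file target without changing what it finds, and a target with 60 real shortnames under a cap of 50 is truncated (41 of 60 names recovered, plus a finding) until the cap is raised, which is why a configurable threshold matters for targeted scans.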