infobyte / faraday

Open Source Vulnerability Management Platform
https://www.faradaysec.com
GNU General Public License v3.0

[Feature request] Multiple type of targets #363

Closed noraj closed 1 year ago

noraj commented 5 years ago

What's the problem this feature will solve?

Right now all targets are thought of as an IP address. So I can only add an IPv4 or IPv6. An IP is required, it's mandatory. You can't register a domain name (very useful for web pentest or bug bounty) or just a name. I can register an IP address and then attach one or several hostnames. As someone said, this (Faraday) is thought for internal pentest only. #300

You'll say "use dig or drill to resolve the IP of your domain and then paste the IP". No! What if the targeted domain has dozens of IP addresses or is dynamically load balanced, etc.?

Why also support just arbitrary names and not only technical targets like domain names or IP addresses? Because Faraday can also be used to pentest a mobile app or something that doesn't have an address.

Describe the solution you'd like

Instead of "hosts", introduce a concept of nodes or targets, which are virtual objects that can be a URL, an IP, a hostname, a domain name, just a name, etc.

Additional context

Dradis is already doing this, see what your competitors are doing, you're not alone (https://inventory.rawsec.ml/tools.html#title-tools-collaboration-report).

It seems like an essential feature and should be your priority because in most companies pentest missions are 80% web, so not being able to set a domain name or a URL is kind of problematic.

llazzaro commented 4 years ago

Hi! Thanks for giving details about the problem and possible solutions! We will keep it in mind for the next releases.

Cheers

fedek commented 1 year ago

Hosts are now called Assets and they could be named arbitrarily: FQDN, IP, filename.

This is also related to how different plugins manage the concept of assets, but for the time being assets are an entity that vulnerabilities can be associated with.

Thanks for the feedback.