projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License
8.65k stars 2.47k forks

[Bug] azure-takeover-detection should be in the "takeovers" directory #2636

Closed rotemreiss closed 2 years ago

rotemreiss commented 2 years ago

Nuclei version

latest

Describe the bug

The template azure-takeover-detection.yaml is located under the DNS directory, but IMO it should be located under the takeovers directory. Is that on purpose? If not, I will create a PR to move it to the takeovers directory.

Full path to the current template - https://github.com/projectdiscovery/nuclei-templates/blob/master/dns/azure-takeover-detection.yaml

ehsandeep commented 2 years ago

@rotemreiss as we have limited templates for the DNS/Network/File modules, we kept them in a specific directory (not necessarily needed in all cases). Later, with the introduction of tags, it allows the use of templates in a more flexible way; for example, nuclei -tags takeover will run all the takeover templates having takeover tags in them, so we focus more on tags instead of the template directory.

rotemreiss commented 2 years ago

@ehsandeep that makes sense, but note that we currently don't have a clear separation with tags between certain subdomain-takeovers and some basic fingerprinting. We have the severities, although that's not enough IMO. See for example - https://github.com/projectdiscovery/nuclei-templates/blob/master/dns/can-i-take-over-dns.yaml which will provide a lot of false positives if used for scanning for STO.

Anyway, I've created a PR to add the relevant tag to the servfail template which indicates a possible subdomain takeover (e.g. dangling AWS NS record).

ehsandeep commented 2 years ago

thank you @rotemreiss

> See for example - https://github.com/projectdiscovery/nuclei-templates/blob/master/dns/can-i-take-over-dns.yaml which will provide a lot of false positives if used for scanning for STO.

Thanks for pointing this out, we can remove the takeover tag from this template as it is only used for fingerprinting NS records.

rotemreiss commented 2 years ago

@ehsandeep I created two PRs to fix both tagging issues, please review and merge. :)
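The thread turns on two things: that `nuclei -tags takeover` selects by the `tags:` field regardless of directory, and that a fingerprinting-only template carrying the `takeover` tag will flood a takeover scan with false positives. The script below is an added example, not code from the nuclei-templates project: it models tag-based selection over a template set and audits `takeover`-tagged templates for the two mismatches discussed above (low severity, which usually means fingerprinting, and placement outside `takeovers/`). The three sample templates are constructed to mimic the layout of nuclei's `info:` block; the real templates' bodies are not reproduced, and the parser handles only the flat scalar fields it needs rather than full YAML.

```python
"""Audit nuclei template tags vs. directory layout (added example, not project code)."""
from pathlib import Path
from typing import Dict, List, Optional

# Constructed samples: same `id:` / `info:` shape as nuclei templates,
# placeholder bodies. Not the project's actual template contents.
SAMPLE_TEMPLATES: Dict[str, str] = {
    "dns/azure-takeover-detection.yaml": """id: azure-takeover-detection
info:
  name: Azure subdomain takeover detection (constructed sample)
  severity: high
  tags: dns,takeover,azure
dns:
  - name: "{{FQDN}}"
    type: CNAME
""",
    "dns/can-i-take-over-dns.yaml": """id: can-i-take-over-dns
info:
  name: NS record fingerprint (constructed sample)
  severity: info
  tags: dns,ns,takeover
dns:
  - name: "{{FQDN}}"
    type: NS
""",
    "takeovers/github-takeover.yaml": """id: github-takeover
info:
  name: GitHub Pages takeover (constructed sample)
  severity: high
  tags: takeover,github
http:
  - method: GET
    path:
      - "{{BaseURL}}"
""",
}

# Severities that, combined with a `takeover` tag, usually mean the template
# only fingerprints a provider rather than confirming a dangling record.
LOW_SIGNAL = ("info", "low")


def parse_template(text: str) -> Dict[str, object]:
    """Extract id, severity and tags from a template.

    Minimal on purpose: reads the top-level `id:` and the scalar `severity:`
    and `tags:` lines inside `info:` (comma-separated or [a, b] tag lists).
    Nested info fields and the protocol blocks are ignored.
    """
    meta: Dict[str, object] = {"id": None, "severity": None, "tags": []}
    in_info = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # top-level key: `id:`, `info:`, `dns:`, `http:` ...
            key, _, value = line.partition(":")
            in_info = key.strip() == "info"
            if key.strip() == "id":
                meta["id"] = value.strip()
            continue
        if not in_info:
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "severity":
            meta["severity"] = value.lower()
        elif key == "tags":
            value = value.strip("[]")
            meta["tags"] = [t.strip().lower() for t in value.split(",") if t.strip()]
    return meta


def select_by_tag(templates: Dict[str, str], tag: str) -> List[str]:
    """Model of `nuclei -tags <tag>`: ids of every template carrying the tag,
    wherever it lives in the tree (single tag only in this model)."""
    tag = tag.lower()
    return sorted(
        str(m["id"]) for m in (parse_template(t) for t in templates.values()) if tag in m["tags"]
    )


def audit(templates: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag takeover-tagged templates that would skew a `-tags takeover` run."""
    findings: Dict[str, List[str]] = {}
    for path, text in templates.items():
        meta = parse_template(text)
        issues: List[str] = []
        if "takeover" in meta["tags"]:
            if meta["severity"] in LOW_SIGNAL:
                issues.append("LOW_SIGNAL_TAKEOVER_TAG")  # likely fingerprinting only
            if not path.startswith("takeovers/"):
                issues.append("OUTSIDE_TAKEOVERS_DIR")  # informational, per the thread
        if issues:
            findings[path] = issues
    return findings


def load_templates(root: str) -> Dict[str, str]:
    """Read every *.yaml under a templates checkout, keyed by relative path."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_text() for p in base.rglob("*.yaml")}


if __name__ == "__main__":
    print("-tags takeover would select:", select_by_tag(SAMPLE_TEMPLATES, "takeover"))
    for path, issues in audit(SAMPLE_TEMPLATES).items():
        print(f"{path}: {', '.join(issues)}")
```

Run as-is it audits the constructed samples; pass `load_templates("/path/to/nuclei-templates")` to `audit` and `select_by_tag` to check a real checkout. The `LOW_SIGNAL_TAKEOVER_TAG` finding is the one that matters for scan quality, since it is exactly the case of a fingerprinting template inflating `-tags takeover` results; `OUTSIDE_TAKEOVERS_DIR` is only a layout note, given that selection is by tag.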