projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License
9.25k stars 2.62k forks

broken link hijacking #5286

Closed Sabeesh89 closed 1 year ago

Sabeesh89 commented 2 years ago

```yaml
id: BrokenLinkHijacking
info:
  name: Broken Link Hijacking Template
  author: sabeesh (Indira)
  severity: low

requests:
    - method: GET
      path:
        - "https://facebook.com/{{Host}}"
        - "https://instagram.com/{{Host}}"
        - "https://twitter.com/{{Host}}"
      matchers:
      - type: regex
        regex:
          - "This Page is not available"
          - "This account doesnt exist"
          - "page doesn't exist"
          - "page may have been removed"
```

davidfegyver commented 2 years ago

Hey! As far as I know, Facebook and Instagram use react.js (client-side rendering), so this template could never trigger.

The second issue is that this would create a lot of noise and false positives, as a broken link hijacking is only a broken link hijacking when the website has a link pointing to the URL you can hijack :D This template does not check if the hijackable link is present on the host.

davidfegyver commented 2 years ago

A template for this vulnerability type might also generate high traffic on 3rd party sites, which a hunter might not want :/

Others, please share your thoughts and give some pros and cons about such a template :D

akincibor commented 2 years ago

I agree with @davidfegyver

I have my own template, but Facebook and Instagram haven't worked since last month; you can't access Instagram unauthenticated anymore. For Twitter, I'm using their API:

```yaml
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      Authorization: Bearer {{REDACTED}}

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "https://api.twitter.com/2/problems/invalid-request"
          - "Could not find user with username:"
        condition: or
      - type: status
        status:
          - 400
```

akincibor commented 2 years ago

Also, the rate limit for the Twitter API is 20/min

princechaddha commented 1 year ago

Hi @Sabeesh89, The response time to this issue was much longer than usual. Thank you for taking the time to create this issue and for contributing to this project 🍻

It seems that the template you shared is invalid. If I understand correctly, you would like to extract social media links from a host and then verify if they are available for hijacking. This can be achieved through the multi-protocol execution feature, which is currently in draft at https://github.com/projectdiscovery/nuclei/pull/3672.

However, since it is not yet fully implemented, I will need to close this issue due to inactivity. Please feel free to create a new issue with more specific details, and we will incorporate this case once we have the necessary support. Thank you again for your understanding and contribution.
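
The two-stage check raised in the comments above (confirm that the page really links to a social profile, then verify only those profiles), sketched as an added example that is not part of the thread or of the project's code. The `account_exists` callback, the `RESERVED` segment list and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Platforms named in the thread's template; "www." is stripped before lookup.
SOCIAL_HOSTS = {"facebook.com", "instagram.com", "twitter.com"}
# First path segments that are site features, not accounts (assumed, partial list).
RESERVED = {"share", "sharer", "sharer.php", "intent", "hashtag", "p", "explore", "home"}
# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """
<a href="https://twitter.com/ExampleCorp">Twitter</a>
<a href="https://www.facebook.com/sharer/sharer.php?u=https://example.com">Share</a>
<a href="//instagram.com/examplecorp_old/">Instagram</a>
<a href="https://twitter.com/intent/tweet?text=hi">Tweet</a>
<a href="/about">About</a>
<a href="https://example.org/twitter.com/fake">Other</a>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def social_handles(html):
    """Return sorted unique (platform, handle) pairs that the page links to."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for href in parser.hrefs:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if url.scheme not in ("", "http", "https") or host not in SOCIAL_HOSTS:
            continue
        segments = [s for s in url.path.split("/") if s]
        if segments and segments[0].lower() not in RESERVED:
            found.add((host, segments[0].lstrip("@").lower()))
    return sorted(found)

def stale_links(html, account_exists):
    """account_exists(platform, handle) -> bool is supplied by the caller, for example
    an authenticated, rate-limited API lookup; only handles linked from the page are checked."""
    return [pair for pair in social_handles(html) if not account_exists(*pair)]
```

Because the lookup runs only for handles that appear in the page's own links, the number of third-party requests is bounded by the number of distinct profiles linked, which addresses both the false-positive and the traffic concerns raised earlier in the thread.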

abd-4fg commented 9 months ago

> I agree with @davidfegyver
>
> I have my own template, but Facebook and Instagram haven't worked since last month; you can't access Instagram unauthenticated anymore. For Twitter, I'm using their API:
>
> ```yaml
> requests:
>   - method: GET
>     path:
>       - "{{BaseURL}}"
>     headers:
>       Authorization: Bearer {{REDACTED}}
>
>     matchers-condition: or
>     matchers:
>       - type: word
>         part: body
>         words:
>           - "https://api.twitter.com/2/problems/invalid-request"
>           - "Could not find user with username:"
>         condition: or
>       - type: status
>         status:
>           - 400
> ```

Hi, any workaround you know to test a long list of Facebook and Instagram user links?