projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Why Not? Make Nuclei Parse Subject Alternative Names From TLS Certificates And Send Them As Host Header Values #1160

Closed 0xAwali closed 3 years ago

0xAwali commented 3 years ago

Let's Assume I'm Trying To Scan https://www.facebook.com. So Firstly Nuclei Will Do A TLS Handshake To Transmit Data Over A Secure Connection, And While Doing The TLS Handshake It Will Get The Server Certificate That Contains Subject Alternative Names, e.g. For https://www.facebook.com It Will Get

*.facebook.com *.facebook.net *.fbcdn.net ......

So Why Not Make Nuclei Parse These SANs And Use Them As Host Headers, e.g. If My Template Is

id: 0x00

info:
  name: Demo
  author: 0xAwali
  severity: info
requests:
  - raw:
    - |
      GET / HTTP/1.1
      Host: {{TLS-SAN}}
      Connection: keep-alive

    matchers:
      - type: word
        words:
          - 'Fingerprint-Here'

So Nuclei Will Send A Number Of Requests Based On The Number Of SANs, E.g.

 GET / HTTP/1.1
 Host: facebook.com
 Connection: keep-alive

 GET / HTTP/1.1
 Host: facebook.net
 Connection: keep-alive

You Can Add An Option To Set The Replacement For The Wildcard, e.g. TLS-Wildcard

Actually I Faced This Scenario A Lot And Found A Lot Of Hostnames That Can't Be Accessed Directly, But If I Add Them As The Host Header, I Can Access Them
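As an added example (not code from the issue or from nuclei), the SAN-to-Host-header step described above in Go: it takes the parsed leaf certificate a TLS handshake yields, normalises and de-duplicates the DNS SANs, applies the proposed wildcard replacement, and renders one raw request per name from a template using the `{{TLS-SAN}}` placeholder. The function names and the `wildcardLabel` parameter are my own, and the certificate's SAN list is constructed inline from the values quoted above.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// sanHosts turns a certificate's DNS Subject Alternative Names into candidate Host header
// values. A wildcard SAN ("*.facebook.com") gets wildcardLabel in place of "*" (the proposed
// TLS-Wildcard option) or is dropped when the label is empty; first occurrence wins on duplicates.
func sanHosts(cert *x509.Certificate, wildcardLabel string) []string {
	seen := make(map[string]bool)
	var hosts []string
	for _, name := range cert.DNSNames {
		name = strings.ToLower(strings.TrimSuffix(name, ".")) // normalise case and trailing dot
		if strings.HasPrefix(name, "*.") {
			if wildcardLabel == "" {
				continue
			}
			name = wildcardLabel + name[1:] // keep the ".facebook.com" part
		}
		if name == "" || seen[name] {
			continue // skip empties and duplicates
		}
		seen[name] = true
		hosts = append(hosts, name)
	}
	return hosts
}

// expandTemplate renders one raw request per host by substituting the
// hypothetical {{TLS-SAN}} placeholder used in the issue's template.
func expandTemplate(raw string, hosts []string) []string {
	reqs := make([]string, len(hosts))
	for i, h := range hosts {
		reqs[i] = strings.ReplaceAll(raw, "{{TLS-SAN}}", h)
	}
	return reqs
}

func main() {
	// Constructed stand-in for tls.ConnectionState.PeerCertificates[0]: the SANs quoted in the issue plus a duplicate in caps.
	cert := &x509.Certificate{DNSNames: []string{"*.facebook.com", "*.facebook.net", "*.fbcdn.net", "facebook.com", "FACEBOOK.COM."}}
	raw := "GET / HTTP/1.1\r\nHost: {{TLS-SAN}}\r\nConnection: keep-alive\r\n\r\n"
	for _, req := range expandTemplate(raw, sanHosts(cert, "www")) {
		fmt.Print(req)
	}
}
```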

geeknik commented 3 years ago

That is a great suggestion, however we aren’t sure Nuclei needs this extra layer. For example, using httpx -tls-probe -tls-grab -csp-probe handles this exact scenario before nuclei starts, which means you can pre-process the data however you want. Asking nuclei to handle this step would take control away from you in our opinion.

Our workflow runs something like: subfinder -> dnsx -> naabu -> httpx -> nuclei

In the end, nuclei gets the maximum number of hosts and ports to check. 🤙🏻

0xAwali commented 3 years ago

Yah I Know I Can Use httpx To Get SANs, Wishing One Day This Feature Comes With Nuclei

geeknik commented 3 years ago

Sure, not saying it won’t, just offering up an opinion. 🤙🏻

ehsandeep commented 3 years ago

@0xAwali with nuclei we wanted to support features that are user-controlled and customizable. With that said, this will be possible to achieve with nuclei once we complete the work on https://github.com/projectdiscovery/nuclei/pull/1066 and https://github.com/projectdiscovery/nuclei/pull/1047: SSL support lets you extract values of your interest, and the value sharing between cross-template PR lets you place those extracted values from the SSL template into an HTTP template to make HTTP requests :)