Skip to content

audit: remove hardcoded researcher OOB callback subdomains#1

Open
serialstream0 wants to merge 6 commits into
xinZa1:mainfrom
serialstream0:audit/remove-hardcoded-oob-callbacks
Open

audit: remove hardcoded researcher OOB callback subdomains#1
serialstream0 wants to merge 6 commits into
xinZa1:mainfrom
serialstream0:audit/remove-hardcoded-oob-callbacks

Conversation

@serialstream0

Copy link
Copy Markdown

A recent static-analysis audit of the public nuclei-template ecosystem identified templates in this repository that hard-code a third-party out-of-band (OOB) callback subdomain — researcher-controlled burpcollaborator.net, dnslog.cn, or ngrok.io endpoints — into the exploit payload, rather than using nuclei's {{interactsh-url}} per-scan placeholder.

Impact. Every time a user successfully exploits a vulnerable target with one of these templates, the target's outbound DNS/HTTP signal reaches the third party who controls the hard-coded subdomain — silently telling that party which target was scanned and when. It is not a scanner-host compromise, but it is an OPSEC leak that propagates indefinitely with every byte-identical copy.

This PR's changes:

Replace the hard-coded URL with {{interactsh-url}} (nuclei's per-scan, scanner-local OOB placeholder):

  • apachesolrlfissrf.yamlhttps://bugbounty.requestcatcher.com/ssrfhttps://{{interactsh-url}}
  • blind_ssrf.yamlhttps://9a7d-183-82-25-4.ngrok.iohttps://{{interactsh-url}}

Delete templates where in-place fix is not safe (URL embedded in a hex-encoded serialized payload, template's literal purpose is exfiltration, or xray YAML dialect that does not run under nuclei):

  • CVE-2020-13942.yaml — xray YAML dialect (not nuclei) — uses {{
  • ARPSyndicate/nuclei/cvescan/critical/CVE-2021-26295.yaml — OOB URL is embedded in a hex-encoded Java URLDNS payload inside ; cannot be safely substituted without runtime payload generation
  • ARPSyndicate/jaeles/vulnscan/info/errors-n-vulns.yaml — xray YAML dialect (not nuclei)
  • ssrf.yaml — xray YAML dialect (not nuclei)

These templates appear in this repository as byte-identical copies of upstream PoCs not authored here — the same patch is needed in many other community repositories.

A companion issue has been opened with the full file list and audit context.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant