Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding SNI override via request annotations #1970

Merged
merged 3 commits into from
May 12, 2022
Merged

Adding SNI override via request annotations #1970

merged 3 commits into from
May 12, 2022

Conversation

Mzack9999
Copy link
Member

@Mzack9999 Mzack9999 commented May 9, 2022
edited by ehsandeep
Loading

Proposed changes

This PR implements SNI override via request annotations. The annotations has a syntax like @tls-sni:value. if value is equal to request.host then the value of the Host header is used as SNI name.

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Correlated PRs

Example

$ cat t.yaml
id: example

info:
  name: example
  author: pdteam
  severity: info

requests:
  - raw:
      # request.host => copy the value of Host header
      # any other value is copied literally
      - |
        @tls-sni:request.host
        GET / HTTP/1.1
        Host: {{interactsh-url}}
        Origin: {{BaseURL}}

    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"
$ echo https://192.168.1.1 | go run . -t t.yaml

Improvements

  • SNI for SSL Templates
  • SNI for Network templates

@Mzack9999 Mzack9999 added Status: In Progress This issue is being worked on, and has someone assigned. Type: Enhancement Most issues will probably ask for additions or changes. labels May 9, 2022
@Mzack9999 Mzack9999 self-assigned this May 9, 2022
@Mzack9999 Mzack9999 linked an issue May 9, 2022 that may be closed by this pull request
TLS SNI overwrite in templates using request annotation #1943
Closed
@Mzack9999 Mzack9999 added Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: In Progress This issue is being worked on, and has someone assigned. labels May 9, 2022
@Mzack9999 Mzack9999 requested a review from Ice3man543 May 9, 2022 18:11
Ice3man543
Ice3man543 reviewed May 10, 2022
View reviewed changes
Copy link
Member

@Ice3man543 Ice3man543 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also intend to support http variables in SNI field @ehsandeep @Mzack9999? As I see in the issue the user also asked for global vars in SNI field which is not supported here.

@Mzack9999
Copy link
Member Author

@Ice3man543 I think it would make things quite complex. The specific case used the exact value of the Host header, which can be done using the particular value request.host, which will pull the value at runtime after the expression evaluation.

@Mzack9999 Mzack9999 added Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. labels May 10, 2022
@0xAwali
Copy link

0xAwali commented May 11, 2022

Hi @Mzack9999 I checked this one but it's not work when using unsafe: true because nuclei will send @tls-sni:request.host in the request otherwise it work correctly so maybe if you add -sni option too , that will solve unsafe: true problem , plus if anyone found target use specific SNI , he will can run nuclei templates e.g.
echo "https://target" | nuclei -sni "specific-SNI" -H "Host: specific-SNI" -t /nuclei-templates

ehsandeep
ehsandeep requested changes May 11, 2022
View reviewed changes
Copy link
Member

@ehsandeep ehsandeep left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ehsandeep ehsandeep added Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed labels May 11, 2022
@Mzack9999 Mzack9999 added Status: In Progress This issue is being worked on, and has someone assigned. and removed Status: Revision Needed Submitter of PR needs to revise the PR related to the issue. labels May 12, 2022
@Mzack9999 Mzack9999 requested a review from ehsandeep May 12, 2022 09:09
@Mzack9999 Mzack9999 added Status: Review Needed The issue has a PR attached to it which needs to be reviewed and removed Status: In Progress This issue is being worked on, and has someone assigned. labels May 12, 2022
@ehsandeep ehsandeep merged commit 39c7317 into dev May 12, 2022
@ehsandeep ehsandeep deleted the issue-1943-sni-via-request-annotation branch May 12, 2022 11:14
@ehsandeep ehsandeep added Status: Completed Nothing further to be done with this issue. Awaiting to be closed. and removed Status: Review Needed The issue has a PR attached to it which needs to be reviewed labels May 12, 2022
@ehsandeep
Copy link
Member

Hi @Mzack9999 I checked this one but it's not work when using unsafe: true because nuclei will send @tls-sni:request.host in the request otherwise it work correctly so maybe if you add -sni option too , that will solve unsafe: true problem , plus if anyone found target use specific SNI , he will can run nuclei templates e.g. echo "https://target" | nuclei -sni "specific-SNI" -H "Host: specific-SNI" -t /nuclei-templates

Thanks for pointing this out, including unsafe: true there are other protocols that needs to be supported and getting tracked here - #1984

@ehsandeep ehsandeep mentioned this pull request May 12, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ice3man543 Ice3man543 Ice3man543 left review comments

@ehsandeep ehsandeep ehsandeep approved these changes

Assignees

@Mzack9999 Mzack9999

Labels
Status: Completed Nothing further to be done with this issue. Awaiting to be closed. Type: Enhancement Most issues will probably ask for additions or changes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TLS SNI overwrite in templates using request annotation
4 participants
@Mzack9999 @0xAwali @ehsandeep @Ice3man543