Comments (3)
liquidsec
commented on June 19, 2024
1
Running without directory_only can be extremely dangerous, depending on what other modules are run with it. If you have something spitting out thousands of individual URLS, you are literally going to run nuclei thousands of times in that mode. You're gonna have a VERY BAD time.
The option is there to change it, because there are definitely times you want to, but the downside is really huge for people who don't know exactly what they are doing - hence the default.
I will probably make a preset geared towards doing this type of nuclei scanning that has plenty of safeguards in place. But as it stands right now, this default is putting in some work preventing absolute chaos.
from bbot.
amiremami
commented on June 19, 2024
Hey, thanks for the explanation. 🙏 So, if I write hostname instead of directory, like this:
bbot -t davidwalsh.name -m httpx nuclei -om asset_inventory --allow-deadly modules.nuclei.templates=/root/.bbot/tools/nuclei-templates/http/miscellaneous/addeventlistener-detect.yaml
Then when BBOT detects this URL: https://www.davidwalsh.name/demo/window-post-message.php , nuclei template works correctly without needing to use modules.nuclei.directory_only=false ?
from bbot.
amiremami
commented on June 19, 2024
Today in my scan, my target was emag.bg but no finding emitted for https://marketplace.emag.bg/infocenter/app/plugins/wpml-multilingual-cms/res/js/cookies/language-cookie.js from nuclei without using modules.nuclei.directory_only=false
from bbot.
Related Issues (20)
- IPv6 regex pattern incorrectly matches non-IPv6 addresses, no testing is being done for IP related regex patterns HOT 5
- pre-commit git hooks described in contribution.md, but no example .pre-commit-config.yaml provided
- Utilise DNS CAA records, extract authorised CAA's as affiliates, extract emails and URL's from any IODEF reporting destinations HOT 3
- Filedownload.handle_event (url_unverified) HOT 1
- Badsecrets taking a long time HOT 3
- Git clone interacting with console HOT 1
- SSLCert: duplicate malformed certificates HOT 1
- Bug in IIS Shortnames HOT 1
- Bug in BadDNS HOT 1
- Stdout dies mid-scan HOT 4
- ASN Error HOT 1
- Ability to set timeout on individual modules
- Option to Raise FILESYSTEM and WEBSCREENSHOTs as Base64 Blobs HOT 4
- Optimize scan status message HOT 1
- Better discovery path tracking for dnsbrute_mutations
- New Module: Apache Tika & `RAW_DATA` events HOT 11
- InternetDB: option to display open ports HOT 2
- WPScan Installation Error HOT 13
- Modile jwt_tool to check for jwts with certain CVE issues? HOT 2
- Enable Cookies By Default
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bbot.