Revisit Nuclei directory_only setting #1361
Running without directory_only can be extremely dangerous, depending on what other modules are run with it. If you have something spitting out thousands of individual URLs, you are literally going to run nuclei thousands of times in that mode. You're gonna have a VERY BAD time. The option is there to change it, because there are definitely times you want to, but the downside is really huge for people who don't know exactly what they are doing - hence the default. I will probably make a preset geared towards doing this type of nuclei scanning that has plenty of safeguards in place. But as it stands right now, this default is putting in some work preventing absolute chaos.
Hey, thanks for the explanation. 🙏 So, if I write hostname instead of directory, like this:
Then when BBOT detects this URL:
Today in my scan, my target was emag.bg but no finding was emitted for https://marketplace.emag.bg/infocenter/app/plugins/wpml-multilingual-cms/res/js/cookies/language-cookie.js from nuclei without using
For anyone running the bbot nuclei module, the silent rejection of some URLs tends to cause confusion:
I'm sure we had a good reason for this setting but to someone used to nuclei, the behavior is unexpected. If we decide to keep it, we need to make sure it's explained well and featured prominently in the documentation.