Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(ui): Subdomain import could fail if suffix more than 4 chars #9

Closed
1 task done
psyray opened this issue Apr 21, 2024 · 1 comment · Fixed by #147
Closed
1 task done

bug(ui): Subdomain import could fail if suffix more than 4 chars #9

psyray opened this issue Apr 21, 2024 · 1 comment · Fixed by #147
Assignees
@psyray
Labels
bug Something isn't working
Milestone
v2.1.0 release

Comments

@psyray
Copy link
Contributor

psyray commented Apr 21, 2024
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

During a pentest, I have a vpn connection to internal network, and AD domain name was like mynetwork.testo.

I have retrieved some hostnames from the domain : servers, workstations ... ~ 100 assets

After configuring DNS resolving to query internal DC (in /etc/resolv.conf), and adding the domain name above as a target,

I initiate a scan and supply hostnames in the textarea field.
image

I've launched the scan but subdomains was not imported.

After investigation it comes from the get_domain_from_subdomain, more precisely from tldextract function.

rengine-ng/web/reNgine/common_func.py

Lines 427 to 437 in 55c9179

def get_domain_from_subdomain(subdomain):
"""Get domain from subdomain.
Args:
subdomain (str): Subdomain name.
Returns:
str: Domain name.
"""
ext = tldextract.extract(subdomain)
return '.'.join(ext[1:3])

Here are the test sample result

I try this URL: subdomain.mynetwork.testo
Result is
ExtractResult(subdomain='subdomain.mynetwork', domain='testo', suffix='')
❎ Problem

And if I try this URL: subdomain.mynetwork.test
Result is
ExtractResult(subdomain='subdomain', domain='mynetwork', suffix='test')
✅ Correct

So tldextract does not correctly extract the TLD.
It's because the way tldextract works
tldextract relies on a list of known domain suffixes to determine which part of your URL is the domain and which part is the suffix.

When you use a URL with an unusual or non-standard suffix (like .testo in my example), tldextract may not recognize it as a valid suffix if it is not present in its list. As a result, it may misinterpret parts of the URL.

For this project I have modified the code of custom_func to split url on . and achieve my goal, but maybe we could refound this part to have a more accurate domain extraction

def get_domain_from_subdomain(subdomain):
	"""Get domain from subdomain.

	Args:
		subdomain (str): Subdomain name.

	Returns:
		str: Domain name.
	"""
	domain, suffix = extract_domain_and_suffix(subdomain)
	return '.'.join([domain, suffix])

def extract_domain_and_suffix(url):
	parts = url.split('.')

	if len(parts) >= 2:
		domain = parts[-2]
		suffix = parts[-1]
		return domain, suffix
	else:
		return None, None

Expected Behavior

Subdomains should have been imported as the TLD is the same as the target TLD

Steps To Reproduce

  1. Add a target TLD with an exotic suffix
  2. Initiate a scan and provide a list of subdomain to import with valid TLD
  3. Subdomains not imported

Environment

- reNgine: 2.0.2
- OS: Ubuntu 22.04
- Python: 3.10
- Docker Engine: 
- Docker Compose: 
- Browser: FF 120

Anything else?

No response
@psyray psyray added the bug Something isn't working label Apr 21, 2024
@psyray psyray changed the title bug: Subdomain import could fail if suffix more than 4 chars bug(ui): Subdomain import could fail if suffix more than 4 chars Jun 13, 2024
@psyray psyray added this to the v2.1.0 release milestone Jun 28, 2024
@psyray psyray self-assigned this Jul 7, 2024
@psyray psyray mentioned this issue Jul 8, 2024
Open
3 tasks
@psyray psyray mentioned this issue Aug 20, 2024
Merged
@psyray psyray linked a pull request Aug 20, 2024 that will close this issue
fix(scan): subdomain import with suffix more than 4 chars #147
Merged
@AnonymousWP
Copy link
Member

Fixed in #147.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@psyray psyray

Labels
bug Something isn't working
Projects
None yet
Milestone
v2.1.0 release
Development

Successfully merging a pull request may close this issue.

fix(scan): subdomain import with suffix more than 4 chars Security-Tools-Alliance/rengine-ng
2 participants
@psyray @AnonymousWP