projectdiscovery/nuclei

Traffic characteristics are too obvious

hktalent opened this issue · 2 comments

@ehsandeep
Sorry, I found during my research on defending against nuclei scanning that its traffic characteristics are very obvious and easy to identify and intercept. I wonder if there are any further measures to improve this, such as obfuscation? Not using fixed headers?

Sample:

http/exposures/backups/zip-backup-files.yaml
GET /web.tar.bz2 HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
connection: close
accept: */*
accept-language: en
accept-encoding: gzip

http/exposures/configs/zend-config-file.yaml
GET /radio/application/configs/application.ini HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
connection: close
accept: */*
accept-language: en
accept-encoding: gzip

http/exposures/backups/zip-backup-files.yaml
GET /webapps.7z HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
connection: close
accept: */*
accept-language: en
accept-encoding: gzip

http/exposures/backups/zip-backup-files.yaml
GET /web.z HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
connection: close
accept: */*
accept-language: en
accept-encoding: gzip

And then you notice that the user agent is random, which is exactly what we expect.

But by default the headers

connection, accept, accept-language, accept-encoding

have the same order and values in every request, making it easy to identify and intercept them.

And AI technology has not been introduced yet.
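To make the point in the comment above concrete from the defender's side, here is an added example (not code from the nuclei project or from the issue author) that parses raw HTTP request text and flags the fixed trailing header order and values the comment describes; the sample requests embedded in it are constructed, modelled on the captures above and on an ordinary browser request.

```python
# Added example: detect the fixed header tail (connection/accept/
# accept-language/accept-encoding) seen in the scanner captures above.
from typing import Dict, List, Tuple

# Header names, in order, that every sample in the issue sends after
# host and user-agent, and the constant values they carry.
FIXED_TAIL = ["connection", "accept", "accept-language", "accept-encoding"]
FIXED_VALUES = {"connection": "close", "accept": "*/*",
                "accept-language": "en", "accept-encoding": "gzip"}


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (request line, ordered list of (lowercased name, lowercased value))."""
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip().lower()))
    return request_line, headers


def matches_fingerprint(raw: str) -> bool:
    """True when the request ends with the fixed header tail and values."""
    _, headers = parse_request(raw)
    names = [n for n, _ in headers]
    if names[-len(FIXED_TAIL):] != FIXED_TAIL:
        return False
    values = dict(headers)
    return all(values[n] == FIXED_VALUES[n] for n in FIXED_TAIL)


def classify(requests: Dict[str, str]) -> Dict[str, bool]:
    """Label each raw request by whether it matches the fingerprint."""
    return {label: matches_fingerprint(r) for label, r in requests.items()}


# Constructed samples (not real captures): one shaped like the issue's
# requests, one shaped like a typical browser request with different order.
SCANNER_REQ = ("GET /web.z HTTP/1.1\r\nhost: 127.0.0.1:8080\r\n"
               "user-agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
               "connection: close\r\naccept: */*\r\naccept-language: en\r\n"
               "accept-encoding: gzip\r\n\r\n")
BROWSER_REQ = ("GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
               "Accept: text/html,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\n"
               "Accept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\n\r\n")
SAMPLES = {"scanner": SCANNER_REQ, "browser": BROWSER_REQ}
```

Run `classify(SAMPLES)` to see the scanner-shaped request flagged and the browser-shaped one passed; a WAF rule built on the same tail is what the comment above means by "easy to identify".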

@ehsandeep
There are some suggestions, such as for "/web.z" and "/radio/application/configs/application.ini", to use some random encoding to keep them dynamic:

1. Randomly select characters for forced %xx encoding
/web.%7A

2. Randomly add some useless parameters, such as ?xxx=random
/web.z?xx=3424

3. Randomly add a #hash, for example: #abcxxx348
/web.z?xx=3424#abc3233
/web.z#abcsdfsfsf

4. Randomly add some useless headers
k1:3232ww3
x3:3988

This may interfere with AI-based recognition of scans and attacks.

Of course, I know that even with such encoding it is not difficult to identify attacks (scans), indeed.

At present, I haven't thought of any better way.

Perhaps we can try to route all scanning traffic through HTTP smuggling, which could reduce attack identification, WAF identification, and interception.

Then I successfully deceived Nuclei, making it appear that there were all kinds of vulnerabilities and weaknesses here.

Conversely, I accurately identified the traffic characteristics of each yaml and could intercept and deceive them.