* fix(interactsh): skip DNS lookups on interactsh domains
to prevent false positives.
Prevents nuclei from resolving interactsh domains
injected in Host headers, which would cause
self-interactions to be incorrectly reported as
matches.
Changes:
* Add `GetHostname()` method to `interactsh.Client`
to expose active server domain.
* Skip CNAME DNS lookups in
`(*http.Request).addCNameIfAvailable` when
hostname matches the
`(*interactsh.Client).GetHostname`.
Fixes #6613
Signed-off-by: Dwi Siswanto <git@dw1.io>
* fix(http): prevent false `interactshDomain` matches
Signed-off-by: Dwi Siswanto <git@dw1.io>
---------
Signed-off-by: Dwi Siswanto <git@dw1.io>
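
The hostname check described in the interactsh fix above, as an added Go example (not nuclei's own code): it decides whether to skip the CNAME lookup by matching the host against the interactsh server domain on a label boundary, so lookalike domains are still resolved. The function names and the `oast.example` domain are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normalizeHost lowercases a Host header value and strips any port,
// IPv6 brackets and trailing dot so comparisons are exact per label.
func normalizeHost(h string) string {
	h = strings.TrimSpace(h)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	h = strings.Trim(h, "[]")
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// isInteractshHost reports whether host is the interactsh server domain or
// a subdomain of it. A plain substring or suffix test would also match
// "notoast.example", so the suffix must start at a dot.
func isInteractshHost(host, serverDomain string) bool {
	host, serverDomain = normalizeHost(host), normalizeHost(serverDomain)
	if host == "" || serverDomain == "" {
		return false // no active interactsh server: never skip
	}
	return host == serverDomain || strings.HasSuffix(host, "."+serverDomain)
}

// shouldResolveCNAME is a hypothetical gate placed in front of the DNS
// lookup: resolving our own callback domain would register as an interaction.
func shouldResolveCNAME(host, serverDomain string) bool {
	return !isInteractshHost(host, serverDomain)
}

func main() {
	const server = "oast.example" // constructed placeholder domain
	for _, h := range []string{ // constructed sample Host values
		"c23b2la0.oast.example",
		"OAST.example.:443",
		"notoast.example",
		"oast.example.other.test",
		"target.test",
	} {
		fmt.Printf("%-26s resolve=%v\n", h, shouldResolveCNAME(h, server))
	}
}
```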
across multiple layers
Fixes timeout configuration conflicts where HTTP
requests would timeout prematurely despite
configured values in `@timeout` annotations or
`-timeout` flags.
RCA:
* `retryablehttp` pkg overriding with default
30s timeout.
* Custom timeouts not propagating to
`retryablehttp` layer.
* Multiple timeout layers not syncing properly.
Changes:
* Propagate custom timeouts from `@timeout`
annotations to `retryablehttp` layer.
* Adjust 5-minute maximum cap to prevent DoS via
extremely large timeouts.
* Ensure `retryableHttpOptions.Timeout` respects
`ResponseHeaderTimeout`.
* Add comprehensive tests for timeout capping
behavior.
This allows templates to override global timeout
via `@timeout` annotations while preventing abuse
through unreasonably large timeout values.
Fixes #6560.
Signed-off-by: Dwi Siswanto <git@dw1.io>
Fixes duplicate template storage & removes
unnecessary raw bytes caching.
Mem usage reduced by ~30%.
> 423MB => 299MB heap alloc.
* Use `StoreWithoutRaw()` to avoid storing raw
bytes.
* Remove duplicate storage in both caches.
* Remove ineffective raw bytes retrieval logic.
Benchmarks show 45% perf improvement with no
regressions.
Signed-off-by: Dwi Siswanto <git@dw1.io>
caused by shared context callbacks.
it was exposed after adding concurrent exec to
workflow processing and occurred when multiple
goroutines attempted to write to the same
`ctx.OnResult` callback field simultaneously,
causing data races during workflow template exec.
Signed-off-by: Dwi Siswanto <git@dw1.io>
add missing `go` keyword to anonymous funcs that
were intended to run as goroutines but were
executing synchronously instead.
Fixes #6492
Signed-off-by: Dwi Siswanto <git@dw1.io>
by:
* implement regex-based prompt matching for
password variants.
* add support for filling username prompts in
keyboard interactive challenges.
* improve debug logging with structured output.
this addresses issues with servers using
non-standard prompt formats and provides better
visibility into auth failures.
Signed-off-by: Dwi Siswanto <git@dw1.io>