audit: remove hardcoded researcher OOB callback subdomains#17
Open
serialstream0 wants to merge 3 commits into
Open
audit: remove hardcoded researcher OOB callback subdomains#17serialstream0 wants to merge 3 commits into
serialstream0 wants to merge 3 commits into
Conversation
added 3 commits
May 22, 2026 11:25
…cal/apachesolrlfissrf.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A recent static-analysis audit of the public nuclei-template ecosystem identified templates in this repository that hard-code a third-party out-of-band (OOB) callback subdomain — researcher-controlled
burpcollaborator.net,dnslog.cn, orngrok.ioendpoints — into the exploit payload, rather than using nuclei's{{interactsh-url}}per-scan placeholder.Impact. Every time a user successfully exploits a vulnerable target with one of these templates, the target's outbound DNS/HTTP signal reaches the third party who controls the hard-coded subdomain — silently telling that party which target was scanned and when. It is not a scanner-host compromise, but it is an OPSEC leak that propagates indefinitely with every byte-identical copy.
This PR's changes:
Replace the hard-coded URL with
{{interactsh-url}}(nuclei's per-scan, scanner-local OOB placeholder):critical/41 - T6.yml—https://bugbounty.requestcatcher.com/ssrf→https://{{interactsh-url}}critical/apachesolrlfissrf.yaml—https://bugbounty.requestcatcher.com/ssrf→https://{{interactsh-url}}high/blind_ssrf.yaml—https://9a7d-183-82-25-4.ngrok.io→https://{{interactsh-url}}These templates appear in this repository as byte-identical copies of upstream PoCs not authored here — the same patch is needed in many other community repositories.
A companion issue has been opened with the full file list and audit context.