What is the feature that you are requesting?
Some features used in the tool can leak information to attackers and to open source intelligence, such as the scan with URLscan.
Therefore, the tool should provide a one-shot disclaimer, and likely a disclaimer in the README as well.
I would also suggest adding the passive alternative of scan -> search.
Additional information
Scanning on URLscan can lead to exposing sensitive documents and sessions. It can also tip off an attacker that a specific campaign, and even a specific email address, is valid, information that they can use in a more advanced campaign.
There's an open PR that sets the URLScan option to private instead, to address this issue. The other options currently do not push to the various tools by default.
Yep, that's good progress, but don't forget that, private or public, it is about more than the URLScan.io public listing: both will also reach out to attacker infrastructure, therefore tipping off the attacker about their ongoing campaign, valid email address, etc.
So I'd still leave a disclaimer for the first scan, and likely in the README.md for that feature.