Skip to content

Rewrite vhost module as virtualhost with native blasthttp#2993

Open
liquidsec wants to merge 15 commits intoblasthttp-integration-cleanfrom
add-virtualhost-module
Open

Rewrite vhost module as virtualhost with native blasthttp#2993
liquidsec wants to merge 15 commits intoblasthttp-integration-cleanfrom
add-virtualhost-module

Conversation

@liquidsec
Copy link
Copy Markdown
Contributor

@liquidsec liquidsec commented Mar 27, 2026
edited
Loading

Summary

Complete rewrite of the vhost module (now renamed to virtualhost). The old module was a thin wrapper around the ffuf Go binary for Host header fuzzing. The new module is a native Python implementation using blasthttp for all HTTP requests, with significantly expanded detection capabilities.

Requires #2992 (blasthttp integration). Supersedes #2672.

What changed from the old vhost module

Architecture:

  • No longer inherits from ffuf or shells out to any external binary
  • All HTTP requests go through self.helpers.request() with resolve_ip for DNS pinning
  • Uses blasthttp cert_info for certificate SAN extraction
  • Response comparison via simhash instead of ffuf size/word/line filters

New detection capabilities:

  • Wildcard detection via single-character hostname mutation
  • Canary consistency re-verification before emitting results
  • Keyword-based wildcard filtering
  • Certificate SAN extraction via blasthttp cert_info
  • Interesting default content reporting
  • HTTPS virtual host support via SNI control with resolve_ip
  • Configurable simhash similarity threshold (default 0.8)

Event changes:

  • Produces VIRTUAL_HOST (was VHOST), DNS_NAME_UNVERIFIED, and HTTP_RESPONSE
  • Detailed descriptions with status code, title, size, IP, accessibility

Renamed: vhost -> virtualhost, VHOST -> VIRTUAL_HOST, deadly flag removed

@liquidsec liquidsec changed the title Add virtualhost module for virtual host discovery Rewrite vhost module as virtualhost with native blasthttp Mar 27, 2026
@liquidsec liquidsec mentioned this pull request Mar 27, 2026
Closed
@liquidsec
Add virtualhost module for virtual host discovery
fecac39 
Brute-forces virtual hosts via HTTP Host headers and HTTPS SNI,
with wildcard detection, canary consistency checks, keyword-based
filtering, certificate SAN extraction, and mutation generation.
Uses blasthttp resolve_ip for DNS pinning.
@liquidsec liquidsec force-pushed the add-virtualhost-module branch from 07dfd28 to fecac39 Compare March 27, 2026 18:49
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 27, 2026
edited
Loading

📊 Performance Benchmark Report

Comparing blasthttp-integration-clean (baseline) vs add-virtualhost-module (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

🧪 Test Name 📏 Base 📏 Current 📈 Change 🎯 Status
Bloom Filter Dns Mutation Tracking Performance 4.29ms 4.27ms -0.4%
Bloom Filter Large Scale Dns Brute Force 17.35ms 20.25ms +16.7% 🟡🟡 ⚠️
Large Closest Match Lookup 340.57ms 333.53ms -2.1%
Realistic Closest Match Workload 180.87ms 178.61ms -1.3%
Event Memory Medium Scan 1784 B/event 1784 B/event +0.0%
Event Memory Large Scan 1768 B/event 1768 B/event +0.0%
Event Validation Full Scan Startup Small Batch 374.31ms 379.02ms +1.3%
Event Validation Full Scan Startup Large Batch 523.49ms 525.40ms +0.4%
Make Event Autodetection Small 24.99ms 24.66ms -1.3%
Make Event Autodetection Large 254.02ms 250.94ms -1.2%
Make Event Explicit Types 10.63ms 10.46ms -1.6%
Excavate Single Thread Small 3.423s 3.364s -1.7%
Excavate Single Thread Large 8.737s 8.635s -1.2%
Excavate Parallel Tasks Small 3.652s 3.601s -1.4%
Excavate Parallel Tasks Large 6.077s 6.020s -0.9%
Is Ip Performance 3.18ms 3.17ms -0.1%
Make Ip Type Performance 11.30ms 11.29ms -0.2%
Mixed Ip Operations 4.53ms 4.44ms -1.9%
Memory Use Web Crawl 163.9 MB 170.5 MB +4.0%
Memory Use Subdomain Enum 19.4 MB 19.4 MB +0.0%
Scan Throughput 100 3.531s 3.992s +13.1% 🟡🟡 ⚠️
Scan Throughput 1000 27.092s 31.556s +16.5% 🟡🟡 ⚠️
Typical Queue Shuffle 64.41µs 61.51µs -4.5%
Priority Queue Shuffle 722.07µs 705.75µs -2.3%

🎯 Performance Summary

! 3 regressions ⚠️
  21 unchanged ✅

🔍 Significant Changes (>10%)

  • Bloom Filter Large Scale Dns Brute Force: 16.7% 🐌 slower
  • Scan Throughput 100: 13.1% 🐌 slower
  • Scan Throughput 1000: 16.5% 🐌 slower

🐍 Python Version 3.11.15

@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 27, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 85.23490% with 132 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (e7e61a9) to head (c9ac70e).
⚠️ Report is 133 commits behind head on blasthttp-integration-clean.

Files with missing lines Patch % Lines
bbot/modules/virtualhost.py 73% 120 Missing ⚠️
...est_step_2/module_tests/test_module_virtualhost.py 98% 12 Missing ⚠️
Additional details and impacted files 
@@                      Coverage Diff                      @@
##           blasthttp-integration-clean   #2993     +/-   ##
=============================================================
- Coverage                           91%     91%     -0%     
=============================================================
  Files                              443     442      -1     
  Lines                            37927   38990   +1063     
=============================================================
+ Hits                             34316   35129    +813     
- Misses                            3611    3861    +250

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

liquidsec added 10 commits April 3, 2026 00:37
@liquidsec
Merge branch 'blasthttp-integration-clean' into add-virtualhost-module
d9fc318
@liquidsec
Merge branch 'blasthttp-integration-clean' into add-virtualhost-module
f6d0f8f
@liquidsec
Merge branch 'blasthttp-integration-clean' into add-virtualhost-module
f06c300
@liquidsec
Merge branch 'blasthttp-integration-clean' into add-virtualhost-module
ae7ccf2
@liquidsec
virtualhost: run simhash in CPU thread pool, drop stale CurlError refs
ff2db12 
Move compute_simhash off the process pool (run_in_executor_mp) onto the
CPU thread pool (run_in_executor_cpu) via a new _response_similarity
helper. Simhash work is short and inputs are truncated to ~3KB inside
compute_simhash, so pickle/IPC overhead and broken-pool risk outweigh
any parallelism win — and the recent 300s timeout on run_in_executor_mp
was orphaning _test_virtualhost tasks with uncaught TimeoutError.

Also remove stale 'CurlError'/'curl error' debug strings left over from
the curl-helper removal.
@liquidsec
simhash: update docstring to reflect cpu thread-pool usage
62ca1ca
@liquidsec
virtualhost: pass normalized_url (not event.data) to SAN analyzer for…
50c92f8 
… DictHostEvent compatibility
@liquidsec
virtualhost: use event.url in log/context strings, rename curl_virtua…
f1f85cb 
…lhost (vestigial name, no curl in body)
@liquidsec
drop dead CurlError class and stale curl reference in ssrf comment
4c14cbe
@liquidsec
virtualhost: add SAN-path test, virtualhost and virtualhost-heavy pre…
c9ac70e 
…sets
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@liquidsec