@DiogoAtWork DiogoAtWork commented Nov 6, 2025

I would expect to always get a custom banner on the index of all the subdomains when the -http-index is set. But that's not the current behavior. This is a solution that allows keeping the reflection of the inverted domain in the response and at the same time having the custom index page.

Use case:
I am trying to distinguish web clients; to do so, I add custom HTML that may do extra interactions depending on the client.

Summary by CodeRabbit

  • New Features

    • Custom banners now support dynamic placeholder replacement for {REFLECTION} and {DOMAIN} values, enabling personalized banner content based on server configuration.
  • Documentation

    • Updated documentation describing the {REFLECTION} and {DOMAIN} placeholder support in index file configuration, replacing with the inverted ID and server domain name respectively.

coderabbitai bot commented Nov 6, 2025

Walkthrough

Documentation added for placeholder support ({REFLECTION} and {DOMAIN}) in index files. HTTP server handler refactored to perform placeholder substitution in custom banners at the root path and reorganize conditional logic for banner selection.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Documentation: README.md | Documents support for {REFLECTION} (inverted ID) and {DOMAIN} (server domain) placeholder substitution in index files |
| Root Handler Logic: pkg/server/http_server.go | Adds placeholder substitution ({REFLECTION}, {DOMAIN}) for custom banners at "/" path; refactors root path handling to prioritize custom banner with substitution over standard banner, simplifying conditional logic |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Handler
    participant Banner as Banner/Template
    
    Client->>Handler: GET /
    
    rect rgb(230, 245, 230)
    Note over Handler: New placeholder substitution
    alt Custom Banner exists
        Handler->>Banner: Replace {REFLECTION}, {DOMAIN}
        Banner-->>Handler: Substituted content
        Handler-->>Client: Custom banner response
    else No custom banner
        alt Reflection empty
            Handler-->>Client: Standard banner response
        else Reflection present
            Handler-->>Client: JSON/XML reflection response
        end
    end
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • README documentation change is straightforward
  • HTTP handler logic is focused and localized to root path handling
  • Refactored conditionals follow a clear priority (custom banner with substitution → standard banner → reflection response)

Areas for attention:

  • Verify placeholder substitution handles edge cases (missing placeholders, malformed input)
  • Confirm the reorganized conditional flow covers all previous code paths and maintains backward compatibility

Poem

🐰 Behold! The banners now dance with grace,
Where {REFLECTION} finds its place,
And {DOMAIN} whispers secrets true,
Placeholders bloom in pathways new! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Allow custom banner on attack domains' accurately reflects the main change: enabling custom banner display on the index of subdomains via placeholder substitution. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/server/http_server.go (1)

66-67: Incorrect variable used for logging custom index path.

Line 66 uses options.HTTPDirectory to compute the absolute path, but line 68 reads from options.HTTPIndex. The log message at line 67 will display the wrong path if these differ.

Apply this diff to fix the logging:

-		abs, _ := filepath.Abs(options.HTTPDirectory)
+		abs, _ := filepath.Abs(options.HTTPIndex)
 		gologger.Info().Msgf("Using custom server index: %s", abs)
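
Review bot: the changed line still discards the error from filepath.Abs (`abs, _ :=`), so a failure there is silent and the Info message prints whatever abs holds. Capture the error and fall back to logging options.HTTPIndex as configured when it is non-nil.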

Note: This is a pre-existing bug, not introduced by this PR, but worth fixing while working on the custom banner feature.

🧹 Nitpick comments (1)
pkg/server/http_server.go (1)

64-65: Update comment to mention both supported placeholders.

The comment should reflect that both {REFLECTION} and {DOMAIN} placeholders are now supported in the custom index file.

Apply this diff to update the comment:

 // If custom index, read the custom index file and serve it.
-// Supports {DOMAIN} placeholders.
+// Supports {REFLECTION} and {DOMAIN} placeholders.
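
Review bot: the updated comment names the placeholders but not what replaces them. Add that {REFLECTION} becomes the inverted ID and {DOMAIN} the server domain name, matching the README wording, so the handler comment can be read without the README.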
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bcbfdb9 and 5bcd0f3.

📒 Files selected for processing (2)
  • README.md (1 hunks)
  • pkg/server/http_server.go (1 hunks)
🔇 Additional comments (2)
README.md (1)

605-606: LGTM! Clear documentation of placeholder support.

The documentation accurately describes the new placeholder functionality for custom index files, explaining both {REFLECTION} (for inverted ID) and {DOMAIN} (for server domain name) substitution.

pkg/server/http_server.go (1)

280-284: LGTM! Placeholder substitution logic correctly implements the feature.

The refactored conditional logic correctly serves the custom banner with {REFLECTION} and {DOMAIN} placeholder substitution whenever a custom banner is configured. The fallback to the standard banner when no custom banner exists and reflection is empty preserves the expected behavior.

This changes the previous behavior where the custom banner was only shown when reflection was empty—now it's always shown when configured, with the reflection value substituted via the placeholder. This aligns with the PR objectives to distinguish web clients using custom HTML on attack domains.
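
The root-path priority described in this review (custom banner with substitution, then standard banner, then reflection response), with the edge cases it asks to verify, as an added example that is not the PR's or the project's code. `renderIndex`, its parameters and the sample banner are hypothetical; HTML-escaping the substituted values is a choice made in this example because the custom index is HTML.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// renderIndex is a hypothetical helper (not the project's handler). It returns
// which response kind applies at "/" and the body to serve.
func renderIndex(customBanner, standardBanner, reflection, domain string) (kind, body string) {
	switch {
	case customBanner != "":
		// strings.NewReplacer works in a single pass over the banner, so a
		// substituted value that itself contains "{DOMAIN}" is not expanded
		// again. Values are escaped before they land in the HTML page
		// (assumption of this example).
		r := strings.NewReplacer(
			"{REFLECTION}", html.EscapeString(reflection),
			"{DOMAIN}", html.EscapeString(domain),
		)
		return "custom", r.Replace(customBanner)
	case reflection == "":
		return "standard", standardBanner
	default:
		// The caller would serialise this as JSON/XML, as in the sequence diagram.
		return "reflection", reflection
	}
}

func main() {
	// Constructed sample banner and inputs.
	banner := "<h1>{DOMAIN}</h1><p>id: {REFLECTION}</p>"
	for _, refl := range []string{"", "abc123", "<script>", "{DOMAIN}"} {
		kind, body := renderIndex(banner, "standard banner", refl, "oast.example")
		fmt.Printf("%-10s %q\n", kind, body)
	}
	// No custom banner configured: fall back to the other two branches.
	fmt.Println(renderIndex("", "standard banner", "", "oast.example"))
	fmt.Println(renderIndex("", "standard banner", "abc123", "oast.example"))
}
```

A banner without placeholders is returned unchanged, and an empty reflection leaves an empty string where {REFLECTION} stood.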
