38 KiB
Executable File
Template
Template is a YAML input file which defines all the requests and other metadata for a template.
id
string
ID is the unique id for the template.
Good IDs
A good ID uniquely identifies what the requests in the template
are doing. Let's say you have a template that identifies a git-config
file on the webservers, a good name would be git-config-exposure
. Another
example name is azure-apps-nxdomain-takeover
.
Examples:
# ID Example
id: CVE-2021-19520
info
model.Info
Info contains metadata information about the template.
Examples:
info:
name: Argument Injection in Ruby Dragonfly
author: 0xspara
tags: cve,cve2021,rce,ruby
reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
severity: high
requests
[]http.Request
Requests contains the http request to make in the template.
Examples:
requests:
matchers:
- type: word
words:
- '[core]'
- type: dsl
condition: and
dsl:
- '!contains(tolower(body), ''<html'')'
- '!contains(tolower(body), ''<body'')'
- type: status
status:
- 200
matchers-condition: and
path:
- '{{BaseURL}}/.git/config'
method: GET
dns
[]dns.Request
DNS contains the dns request to make in the template
Examples:
dns:
extractors:
- type: regex
regex:
- ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
- ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
name: '{{FQDN}}'
type: CNAME
class: inet
retries: 2
recursion: true
file
[]file.Request
File contains the file request to make in the template
Examples:
file:
extractors:
- type: regex
regex:
- amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
extensions:
- all
network
[]network.Request
Network contains the network request to make in the template
Examples:
network:
host:
- '{{Hostname}}'
- '{{Hostname}}:2181'
inputs:
- data: "envi\r\nquit\r\n"
read-size: 2048
matchers:
- type: word
words:
- zookeeper.version
headless
[]headless.Request
Headless contains the headless request to make in the template.
workflows
[]workflows.WorkflowTemplate
Workflows is a list of workflows to execute for a template.
model.Info
Info contains metadata information about a template
Appears in:
Template.info
name: Argument Injection in Ruby Dragonfly
author: 0xspara
tags: cve,cve2021,rce,ruby
reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
severity: high
name
string
Name should be good short summary that identifies what the template does.
Examples:
name: bower.json file disclosure
name: Nagios Default Credentials Check
author
stringslice.StringSlice
Author of the template.
Multiple values can also be specified separated by commas.
Examples:
author: <username>
Any tags for the template.
Multiple values can also be specified separated by commas.
Examples:
# Example tags
tags: cve,cve2019,grafana,auth-bypass,dos
description
string
Description of the template.
You can go in-depth here on what the template actually does.
Examples:
description: Bower is a package manager which stores package information in the bower.json file
description: Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations
reference
stringslice.StringSlice
References for the template.
This should contain links relevant to the template.
Examples:
reference:
- https://github.com/strapi/strapi
- https://github.com/getgrav/grav
severity
severity.Holder
Severity of the template.
Valid values:
-
info
-
low
-
medium
-
high
-
critical
metadata
map[string]string
Metadata of the template.
Examples:
metadata:
customField1: customValue1
classification
model.Classification
Classification contains classification information about the template.
remediation
string
Remediation steps for the template.
You can go in-depth here on how to mitigate the problem found by this template.
Examples:
remediation: Change the default administrative username and password of Apache ActiveMQ by editing the file jetty-realm.properties
stringslice.StringSlice
StringSlice represents a single (in-lined) or multiple string value(s). The unmarshaller does not automatically convert in-lined strings to []string, hence the interface{} type is required.
Appears in:
-
model.Info.author
-
model.Info.tags
-
model.Info.reference
-
model.Classification.cve-id
-
model.Classification.cwe-id
<username>
# Example tags
cve,cve2019,grafana,auth-bypass,dos
- https://github.com/strapi/strapi
- https://github.com/getgrav/grav
CVE-2020-14420
CWE-22
severity.Holder
Holder holds a Severity type. Required for un/marshalling purposes
Appears in:
model.Info.severity
model.Classification
Appears in:
model.Info.classification
cve-id
stringslice.StringSlice
CVE ID for the template
Examples:
cve-id: CVE-2020-14420
cwe-id
stringslice.StringSlice
CWE ID for the template.
Examples:
cwe-id: CWE-22
cvss-metrics
string
CVSS Metrics for the template.
Examples:
cvss-metrics: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score
float64
CVSS Score for the template.
Examples:
cvss-score: "9.8"
http.Request
Request contains a http request to be made from a template
Appears in:
Template.requests
matchers:
- type: word
words:
- '[core]'
- type: dsl
condition: and
dsl:
- '!contains(tolower(body), ''<html'')'
- '!contains(tolower(body), ''<body'')'
- type: status
status:
- 200
matchers-condition: and
path:
- '{{BaseURL}}/.git/config'
method: GET
matchers
[]matchers.Matcher
Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.
Multiple matchers can be combined with matcher-condition
flag
which accepts either and
or or
as argument.
extractors
[]extractors.Extractor
Extractors contains the extraction mechanism for the request to identify and extract parts of the response.
matchers-condition
string
MatchersCondition is the condition between the matchers. Default is OR.
Valid values:
-
and
-
or
path
[]string
Path contains the path/s for the HTTP requests. It supports variables as placeholders.
Examples:
# Some example path values
path:
- '{{BaseURL}}'
- '{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions'
raw
[]string
Raw contains HTTP Requests in Raw format.
Examples:
# Some example raw requests
raw:
- |-
GET /etc/passwd HTTP/1.1
Host:
Content-Length: 4
- |-
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Content-Length: 1
Connection: close
echo
echo
cat /etc/passwd 2>&1
id
string
ID is the optional id of the request
name
string
Name is the optional name of the request.
If a name is specified, all the named request in a template can be matched upon in a combined manner allowing multirequest based matchers.
attack
string
Attack is the type of payload combinations to perform.
Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.
Valid values:
-
sniper
-
pitchfork
-
clusterbomb
method
string
Method is the HTTP Request Method.
Valid values:
-
GET
-
HEAD
-
POST
-
PUT
-
DELETE
-
CONNECT
-
OPTIONS
-
TRACE
-
PATCH
-
PURGE
body
string
Body is an optional parameter which contains HTTP Request body.
Examples:
# Same Body for a Login POST request
body: username=test&password=test
payloads
map[string]interface{}
Payloads contains any payloads for the current request.
Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.
headers
map[string]string
Headers contains HTTP Headers to send with the request.
Examples:
headers:
Any-Header: Any-Value
Content-Length: "1"
Content-Type: application/x-www-form-urlencoded
race_count
int
RaceCount is the number of times to send a request in Race Condition Attack.
Examples:
# Send a request 5 times
race_count: 5
max-redirects
int
MaxRedirects is the maximum number of redirects that should be followed.
Examples:
# Follow up to 5 redirects
max-redirects: 5
pipeline-concurrent-connections
int
PipelineConcurrentConnections is number of connections to create during pipelining.
Examples:
# Create 40 concurrent connections
pipeline-concurrent-connections: 40
pipeline-requests-per-connection
int
PipelineRequestsPerConnection is number of requests to send per connection when pipelining.
Examples:
# Send 100 requests per pipeline connection
pipeline-requests-per-connection: 100
threads
int
Threads specifies number of threads to use sending requests. This enables Connection Pooling.
Connection: Close attribute must not be used in request while using threads flag, otherwise pooling will fail and engine will continue to close connections after requests.
Examples:
# Send requests using 10 concurrent threads
threads: 10
max-size
int
MaxSize is the maximum size of http response body to read in bytes.
Examples:
# Read max 2048 bytes of the response
max-size: 2048
cookie-reuse
bool
CookieReuse is an optional setting that enables cookie reuse for all requests defined in raw section.
redirects
bool
Redirects specifies whether redirects should be followed by the HTTP Client.
This can be used in conjunction with max-redirects
to control the HTTP request redirects.
pipeline
bool
Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining
All requests must be idempotent (GET/POST). This can be used for race conditions/billions requests.
unsafe
bool
Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests.
This uses the rawhttp engine to achieve complete control over the request, with no normalization performed by the client.
race
bool
Race determines if all the request have to be attempted at the same time (Race Condition)
The actual number of requests that will be sent is determined by the race_count
field.
req-condition
bool
ReqCondition automatically assigns numbers to requests and preserves their history.
This allows matching on them later for multi-request conditions.
stop-at-first-match
bool
StopAtFirstMatch stops the execution of the requests and template as soon as a match is found.
matchers.Matcher
Matcher is used to match a part in the output from a protocol.
Appears in:
-
http.Request.matchers
-
dns.Request.matchers
-
file.Request.matchers
-
network.Request.matchers
-
headless.Request.matchers
type
string
Type is the type of the matcher.
Valid values:
-
status
-
size
-
word
-
regex
-
binary
-
dsl
condition
string
Condition is the optional condition between two matcher variables. By default, the condition is assumed to be OR.
Valid values:
-
and
-
or
part
string
Part is the part of the request response to match data from.
Each protocol exposes a lot of different parts which are well documented in docs for each request type.
Examples:
part: body
part: raw
negative
bool
Negative specifies if the match should be reversed It will only match if the condition is not true.
name
string
Name of the matcher. Name should be lowercase and must not contain spaces or underscores (_).
Examples:
name: cookie-matcher
status
[]int
Status are the acceptable status codes for the response.
Examples:
status:
- 200
- 302
size
[]int
Size is the acceptable size for the response
Examples:
size:
- 3029
- 2042
words
[]string
Words contains word patterns required to be present in the response part.
Examples:
# Match for outlook mail protection domain
words:
- mail.protection.outlook.com
# Match for application/json in response headers
words:
- application/json
regex
[]string
Regex contains Regular Expression patterns required to be present in the response part.
Examples:
# Match for Linkerd Service via Regex
regex:
- (?mi)^Via\\s*?:.*?linkerd.*$
# Match for Open Redirect via Location header
regex:
- (?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)example\\.com.*$
binary
[]string
Binary are the binary patterns required to be present in the response part.
Examples:
# Match for Springboot Heapdump Actuator "JAVA PROFILE", "HPROF", "Gunzip magic byte"
binary:
- 4a4156412050524f46494c45
- 4850524f46
- 1f8b080000000000
# Match for 7zip files
binary:
- 377ABCAF271C
dsl
[]string
DSL are the dsl expressions that will be evaluated as part of nuclei matching rules. A list of these helper functions are available here.
Examples:
# DSL Matcher for package.json file
dsl:
- contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200
# DSL Matcher for missing strict transport security header
dsl:
- '!contains(tolower(all_headers), ''''strict-transport-security'''')'
encoding
string
Encoding specifies the encoding for the words field if any.
Valid values:
hex
extractors.Extractor
Extractor is used to extract part of response using a regex.
Appears in:
-
http.Request.extractors
-
dns.Request.extractors
-
file.Request.extractors
-
network.Request.extractors
-
headless.Request.extractors
name
string
Name of the extractor. Name should be lowercase and must not contain spaces or underscores (_).
Examples:
name: cookie-extractor
type
string
Type is the type of the extractor.
Valid values:
-
regex
-
kval
-
json
-
xpath
regex
[]string
Regex contains the regular expression patterns to extract from a part.
Go regex engine does not support lookaheads or lookbehinds, so as a result they are also not supported in nuclei.
Examples:
# Braintree Access Token Regex
regex:
- access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}
# Wordpress Author Extraction regex
regex:
- Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>
group
int
Group specifies a numbered group to extract from the regex.
Examples:
# Example Regex Group
group: 1
kval
[]string
description: | kval contains the key-value pairs present in the HTTP response header. kval extractor can be used to extract HTTP response header and cookie key-value pairs. kval extractor inputs are case-insensitive, and does not support dash (-) in input which can replaced with underscores (_) For example, Content-Type should be replaced with content_type
A list of supported parts is available in docs for request types. examples:
- name: Extract Server Header From HTTP Response value: > []string{"server"}
- name: Extracting value of PHPSESSID Cookie value: > []string{"phpsessid"}
- name: Extracting value of Content-Type Cookie value: > []string{"content_type"}
json
[]string
JSON allows using jq-style syntax to extract items from json response
Examples:
json:
- .[] | .id
json:
- .batters | .batter | .[] | .id
xpath
[]string
XPath allows using xpath expressions to extract items from html response
Examples:
xpath:
- /html/body/div/p[2]/a
attribute
string
Attribute is an optional attribute to extract from response XPath.
Examples:
attribute: href
part
string
Part is the part of the request response to extract data from.
Each protocol exposes a lot of different parts which are well documented in docs for each request type.
Examples:
part: body
part: raw
internal
bool
Internal, when set to true will allow using the value extracted in the next request for some protocols (like HTTP).
dns.Request
Request contains a DNS protocol request to be made from a template
Appears in:
Template.dns
extractors:
- type: regex
regex:
- ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
- ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
name: '{{FQDN}}'
type: CNAME
class: inet
retries: 2
recursion: true
matchers
[]matchers.Matcher
Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.
Multiple matchers can be combined with matcher-condition
flag
which accepts either and
or or
as argument.
extractors
[]extractors.Extractor
Extractors contains the extraction mechanism for the request to identify and extract parts of the response.
matchers-condition
string
MatchersCondition is the condition between the matchers. Default is OR.
Valid values:
-
and
-
or
id
string
ID is the optional id of the request
name
string
Name is the Hostname to make DNS request for.
Generally, it is set to {{FQDN}} which is the domain we get from input.
Examples:
name: '{{FQDN}}'
type
string
Type is the type of DNS request to make.
Valid values:
-
A
-
NS
-
DS
-
CNAME
-
SOA
-
PTR
-
MX
-
TXT
-
AAAA
class
string
Class is the class of the DNS request.
Usually it's enough to just leave it as INET.
Valid values:
-
inet
-
csnet
-
chaos
-
hesiod
-
none
-
any
retries
int
Retries is the number of retries for the DNS request
Examples:
# Use a retry of 3 to 5 generally
retries: 5
recursion
bool
Recursion determines if resolver should recurse all records to get fresh results.
file.Request
Request contains a File matching mechanism for local disk operations.
Appears in:
Template.file
extractors:
- type: regex
regex:
- amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
extensions:
- all
matchers
[]matchers.Matcher
Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.
Multiple matchers can be combined with matcher-condition
flag
which accepts either and
or or
as argument.
extractors
[]extractors.Extractor
Extractors contains the extraction mechanism for the request to identify and extract parts of the response.
matchers-condition
string
MatchersCondition is the condition between the matchers. Default is OR.
Valid values:
-
and
-
or
extensions
[]string
Extensions is the list of extensions to perform matching on.
Examples:
extensions:
- .txt
- .go
- .json
denylist
[]string
ExtensionDenylist is the list of file extensions to deny during matching.
By default, it contains some non-interesting extensions that are hardcoded in nuclei.
Examples:
denylist:
- .avi
- .mov
- .mp3
id
string
ID is the optional id of the request
max-size
int
MaxSize is the maximum size of the file to run request on.
By default, nuclei will process 5 MB files and not go more than that. It can be set to much lower or higher depending on use.
Examples:
max-size: 2048
no-recursive
bool
NoRecursive specifies whether to not do recursive checks if folders are provided.
network.Request
Request contains a Network protocol request to be made from a template
Appears in:
Template.network
host:
- '{{Hostname}}'
- '{{Hostname}}:2181'
inputs:
- data: "envi\r\nquit\r\n"
read-size: 2048
matchers:
- type: word
words:
- zookeeper.version
id
string
ID is the optional id of the request
host
[]string
Host to send network requests to.
Usually it's set to {{Hostname}}
. If you want to enable TLS for
TCP Connection, you can use tls://{{Hostname}}
.
Examples:
host:
- '{{Hostname}}'
attack
string
Attack is the type of payload combinations to perform.
Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.
Valid values:
-
sniper
-
pitchfork
-
clusterbomb
payloads
map[string]interface{}
Payloads contains any payloads for the current request.
Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.
inputs
[]network.Input
Inputs contains inputs for the network socket
read-size
int
ReadSize is the size of response to read at the end
Default value for read-size is 1024.
Examples:
read-size: 2048
matchers
[]matchers.Matcher
Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.
Multiple matchers can be combined with matcher-condition
flag
which accepts either and
or or
as argument.
extractors
[]extractors.Extractor
Extractors contains the extraction mechanism for the request to identify and extract parts of the response.
matchers-condition
string
MatchersCondition is the condition between the matchers. Default is OR.
Valid values:
-
and
-
or
network.Input
Appears in:
network.Request.inputs
data
string
Data is the data to send as the input.
It supports DSL Helper Functions as well as normal expressions.
Examples:
data: TEST
data: hex_decode('50494e47')
type
string
Type is the type of input specified in data
field.
Default value is text, but hex can be used for hex formatted data.
Valid values:
-
hex
-
text
read
int
Read is the number of bytes to read from socket.
This can be used for protocols which expect an immediate response. You can
read and write responses one after another and evetually perform matching
on every data captured with name
attribute.
The network docs highlight more on how to do this.
Examples:
read: 1024
name
string
Name is the optional name of the data read to provide matching on.
Examples:
name: prefix
headless.Request
Request contains a Headless protocol request to be made from a template
Appears in:
Template.headless
id
string
ID is the optional id of the request
steps
[]engine.Action
Steps is the list of actions to run for headless request
matchers
[]matchers.Matcher
Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.
Multiple matchers can be combined with matcher-condition
flag
which accepts either and
or or
as argument.
extractors
[]extractors.Extractor
Extractors contains the extraction mechanism for the request to identify and extract parts of the response.
matchers-condition
string
MatchersCondition is the condition between the matchers. Default is OR.
Valid values:
-
and
-
or
engine.Action
Action is an action taken by the browser to reach a navigation
Each step that the browser executes is an action. Most navigations usually start from the ActionLoadURL event, and further navigations are discovered on the found page. We also keep track and only scrape new navigation from pages we haven't crawled yet.
Appears in:
headless.Request.steps
args
map[string]string
Args contain arguments for the headless action. Per action arguments are described in detail here.
name
string
Name is the name assigned to the headless action.
This can be used to execute code, for instance in browser DOM using script action, and get the result in a variable which can be matched upon by nuclei. An Example template here.
description
string
Description is the optional description of the headless action
action
string
Action is the type of the action to perform.
Valid values:
-
navigate
-
script
-
click
-
rightclick
-
text
-
screenshot
-
time
-
select
-
files
-
waitload
-
getresource
-
extract
-
setmethod
-
addheader
-
setheader
-
deleteheader
-
setbody
-
waitevent
-
keyboard
-
debug
-
sleep
workflows.WorkflowTemplate
Appears in:
-
Template.workflows
-
workflows.WorkflowTemplate.subtemplates
-
workflows.Matcher.subtemplates
template
string
Template is a single template or directory to execute as part of workflow.
Examples:
# A single template
template: dns/worksites-detection.yaml
# A template directory
template: misconfigurations/aem
Tags to run templates based on.
matchers
[]workflows.Matcher
Matchers perform name based matching to run subtemplates for a workflow.
subtemplates
[]workflows.WorkflowTemplate
Subtemplates are run if the template
field Template matches.
workflows.Matcher
Appears in:
workflows.WorkflowTemplate.matchers
name
string
Name is the name of the item to match.
subtemplates
[]workflows.WorkflowTemplate
Subtemplates are run if the name of matcher matches.