-

6 min read

If you're not writing custom Nuclei templates, you're missing out

If you're not writing custom Nuclei templates, you're missing out

With the increasing digital assets and risks of potential security threats, organizations, security teams, individual researchers and stakeholders need to adapt automation for fast scanning capabilities. Nuclei is an open-source vulnerability scanner that automates vulnerability scanning and allows integration of the tool in existing automation, reconnaissance and CI/CD pipelines.

Nuclei utilizes YAML-based templates that serve as the core of the nuclei engine and detect vulnerabilities based on the patterns and instructions provided in the template file. In addition, one can create custom templates to automate their vulnerability scanning process, retesting one vulnerability pattern across various assets, performing regression testing, automated reporting and whatnot.

In this article, we are going to explore the power of nuclei custom templates and how it is going to be beneficial for the users.

What are Nuclei Templates?

As mentioned earlier, the Nuclei templates serve as the fundamental building blocks for the nuclei scanner, which forms the backbone of the actual scanning engine. These templates are stored and organized within a repository, serving as a centralized hub for various templates. In a nutshell, the nuclei templates contain different matches, rules and conditions to detect potential vulnerabilities. Below is an example of a basic structure of a nuclei template:

YAML

1id: git-config
2
3info:
4  name: Git Config File
5  author: Ice3man
6  severity: medium
7  description: Searches for the pattern /.git/config on passed URLs.
8  
9http:
10  - method: GET
11    path:
12      - "{{BaseURL}}/.git/config"
13    matchers:
14      - type: word
15        words:
16          - "[core]"

ProjectDiscovery provides a repository of nuclei templates created by their team and contributed by the community. However, one can easily create custom templates following the template creation guide provided by ProjectDiscovery to automate their use cases. The manual for Nuclei Template can be found here: https://nuclei.projectdiscovery.io/templating-guide/

The Artistry of Custom Templates

While the pre-built repository of Nuclei templates offers a formidable arsenal of security checks, custom templates emerge as the pièce de résistance, empowering security practitioners to craft tailored security checks. So let’s discuss and dive deep to know why you should build and use custom nuclei templates to power up your testing.

Why Should You Be Using Custom Templates?

Targeted scanning

Nuclei custom templates are helpful for targeted scanning for a specific technology or vulnerability not already covered in the existing template library. For example, running all the nuclei templates is not very useful if a target organization uses an “nginx” server to power various applications.

Hence, one can create a simple nuclei workflow template to scan for issues specific to “nginx” only. Below is an example of creating a custom workflow template that will run only “nginx” specific checks once a server is detected as “nginx”.

YAML

1id: nginx-workflow
2
3info:
4  name: Nginx workflow
5  author: harsh
6  description: A simple workflow that runs all Nginx related nuclei templates on a given target.
7
8workflows:
9  - template: http/technologies/nginx/nginx-detect.yaml
10    subtemplates:
11      - tags: nginx

This becomes handy to automate the scanning even for the internal teams who already know their target technologies. As a result, it saves a lot of time and prioritizes identifying vulnerabilities. Similarly, creating custom templates to perform checks for specific vulnerabilities is possible.

Custom reporting

Nuclei custom templates can be used to perform customized reporting per the environment's requirement. For example, a security researcher may want to automate the reporting to a bug bounty platform wherein an internal security team may look to report a vulnerability in a tracking system such as Jira. Hence, with the help of a custom reporting template, a user can prioritize their workflow as per the requirements.

For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values:

YAML

1# GitHub contains configuration options for GitHub issue tracker
2
3github: 
4  username: "$user"
5  owner: "$user"
6  token: "$token"
7  project-name: "testing-project"
8  issue-label: "Nuclei"

Adapting to Evolving Threats

The primary use case of using custom templates is adapting to evolving threats. One can create a template to test for a specific CVE, 0-Day or a novel attack vector for testing it across various targets. For example, an organization wants to ensure they are secure against a particular CVE, and its vulnerability research team can create a working exploit for the specific CVE. However, scanning all the hosts could be a challenge. Hence, they can make a nuclei template for the exploit and run it across all the known hosts to check what vulnerable hosts are. This could help organizations stay ahead of the threat actors, detect issues in real-time quickly and remediate them on priority.

A typical example of a CVE (CVE-2023-3231) template looks like the following:

YAML

1id: CVE-2023-32315
2
3info:
4  name: Administration Console Authentication Bypass in Openfire Console
5  author: vsh00t
6  severity: high
7  description: |
8    <redacted>
9  remediation: |
10    <redacted>
11  reference:
12    - https://github.com/advisories/GHSA-gw42-f939-fhvm
13    - https://nvd.nist.gov/vuln/detail/CVE-2023-32315
14  classification:
15    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
16    cvss-score: 8.6
17    cve-id: CVE-2023-32315
18    cwe-id: CWE-22
19  metadata:
20    max-request: 1
21    verified: true
22    shodan-query: title:"openfire"
23  tags: cve,cve2023,auth-bypass,openfire,console
24
25http:
26  - raw:
27      - |+
28        GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1
29        Host: {{Hostname}}
30        Origin: {{BaseURL}}
31
32    unsafe: true
33    matchers-condition: and
34    matchers:
35      - type: word
36        part: body
37        words:
38          - "apache"
39          - "java"
40          - "openfire"
41          - "jivesoftware"
42        condition: and
43
44      - type: status
45        status:
46          - 200

Building PoCs for vulnerabilities

Similarly to creating custom templates for the CVEs and novel attack vectors, it is possible to use nuclei templates to develop Proof of Concept (PoC) demonstrations that the triage team could use (if you are doing bug bounty) or by the developers & internal security teams (if you are reporting issues internally) to ease the overall reproduction efforts and reduce involved steps.

For example, suppose you have found a race condition vulnerability in your target system. In that case, you can create a custom nuclei template to demonstrate the race condition vulnerability with minimal reproduction efforts required. A template for race condition issues could look something like the following:

YAML

1id: race-condition-testing
2
3info:
4  name: Race Condition testing
5  author: pdteam
6  severity: info
7
8http:
9  - raw:
10      - |
11        POST /coupons HTTP/1.1
12        Host: {{Hostname}}
13        Pragma: no-cache
14        Cache-Control: no-cache, no-transform
15        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
16        Cookie: user_session=42332423342987567896
17
18        promo_code=20OFF        
19
20    race: true
21    race_count: 10
22
23    matchers:
24      - type: status
25        part: header
26        status:
27          - 200

Retesting vulnerabilities

When a vulnerability is found in one system, the same vulnerability could exist in other environments with the same code base or technology. Automating vulnerability detection using a custom nuclei template is feasible in such cases.

The custom template should include rules and conditions that target the specific vulnerability which was already identified. By defining appropriate HTTP requests, responses to look for, and patterns to match against, you can effectively identify the presence of the vulnerability.

For example, if cross-site scripting was identified in one WordPress system, a custom template like the following can be created to re-test it across different WordPress instances.

YAML

1id: wp-socialfit-xss
2
3info:
4  name: WordPress Plugin SocialFit - 'msg' Cross-Site Scripting
5  author: daffainfo
6  severity: medium
7  description: |
8    SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
9  reference: |
10    - https://www.exploit-db.com/exploits/37481
11  tags: wordpress,xss,wp-plugin
12
13requests:
14  - method: GET
15    path:
16      - '{{BaseURL}}/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%281%29%3C/script%3E'
17    matchers-condition: and
18    matchers:
19      - type: word
20        part: body
21        words:
22          - '<script>alert(1)</script>'
23      - type: word
24        part: header
25        words:
26          - "text/html"
27      - type: status
28        status:
29          - 200

Regression testing

The most important task one can perform is regression testing with the help of custom templates. The diagram below by ProjectDiscovery explains how nuclei custom templates can be used to perform regression testing.

For example, when a bug bounty hunter or a security researcher submits a vulnerability with a nuclei template or the internal team can create a custom template using the vulnerability report, the organization can add it to their regression testing repository.

Whenever a new build occurs, the security assessment includes running the regression test for identified vulnerabilities using the custom template. If the vulnerability is reproducible & detected, the developers can make the required changes. However, if the vulnerability is no longer seen, the code can be ready to ship in production.

Summary

We have learned how custom templates can be super helpful in multiple day-to-day cases. By leveraging the power of custom Nuclei templates, organizations and individuals can effectively enhance their security testing capabilities, optimize their workflows, and address-specific security needs. These templates provide a flexible and adaptable framework for proactive vulnerability detection and mitigation, ultimately bolstering the organization's security posture. If you are interested in learning to build custom templates yourself, you can follow this detailed guide: https://nuclei.projectdiscovery.io/templating-guide/

Want to learn more about the powerful things cooking in ProjectDiscovery’s kitchen? Make sure to subscribe to the newsletter.

Author: Harsh Bothra - @harshbothra_