With the growth of digital assets and the risk of potential security threats, organizations, security teams, individual researchers and stakeholders need to adopt automation for fast scanning capabilities. Nuclei is an open-source vulnerability scanner that automates vulnerability scanning and allows the tool to be integrated into existing automation, reconnaissance and CI/CD pipelines.
Nuclei utilizes YAML-based templates that serve as the core of the nuclei engine and detect vulnerabilities based on the patterns and instructions provided in the template file. In addition, one can create custom templates to automate their vulnerability scanning process, retesting one vulnerability pattern across various assets, performing regression testing, automated reporting and whatnot.
In this article, we are going to explore the power of Nuclei custom templates and how they benefit users.
What are Nuclei Templates?
As mentioned earlier, Nuclei templates are the fundamental building blocks of the Nuclei scanner and the backbone of its scanning engine. These templates are stored and organized within a repository that serves as a centralized hub for various templates. In a nutshell, a Nuclei template contains the requests to send together with the matchers, rules and conditions used to detect a potential vulnerability in the responses. Below is an example of the basic structure of a Nuclei template:
```yaml
id: git-config

info:
  name: Git Config File
  author: Ice3man
  severity: medium
  description: Searches for the pattern /.git/config on passed URLs.

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"
    matchers:
      - type: word
        words:
          - "[core]"
```
ProjectDiscovery provides a repository of Nuclei templates created by their team and contributed by the community. However, one can easily create custom templates for their own use cases by following the template creation guide provided by ProjectDiscovery. The manual for Nuclei templates can be found here: https://nuclei.projectdiscovery.io/templating-guide/
The Artistry of Custom Templates
While the pre-built repository of Nuclei templates offers a formidable arsenal of security checks, custom templates emerge as the pièce de résistance, empowering security practitioners to craft tailored security checks. So let’s discuss and dive deep to know why you should build and use custom nuclei templates to power up your testing.
Why Should You Be Using Custom Templates?
Targeted scanning
Nuclei custom templates are helpful for targeted scanning for a specific technology or vulnerability not already covered in the existing template library. For example, running all the nuclei templates is not very useful if a target organization uses an “nginx” server to power various applications.
Hence, one can create a simple Nuclei workflow template that scans for nginx-specific issues only. Below is an example of a custom workflow template that runs only nginx-specific checks once a server has been detected as nginx.
```yaml
id: nginx-workflow

info:
  name: Nginx workflow
  author: harsh
  description: A simple workflow that runs all Nginx related nuclei templates on a given target.

workflows:
  - template: http/technologies/nginx/nginx-detect.yaml
    subtemplates:
      - tags: nginx
```
This is handy for automating scanning even for internal teams that already know their target technologies: it saves a lot of time and focuses effort on identifying vulnerabilities. Similarly, custom templates can be created to perform checks for specific vulnerabilities.
Custom reporting
Nuclei custom templates can be used to perform customized reporting per the environment's requirements. For example, a security researcher may want to automate reporting to a bug bounty platform, whereas an internal security team may want to report a vulnerability into a tracking system such as Jira. Hence, with the help of a custom reporting configuration, a user can prioritize their workflow as per their requirements.
For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values:
```yaml
# GitHub contains configuration options for GitHub issue tracker

github:
  username: "$user"
  owner: "$user"
  token: "$token"
  project-name: "testing-project"
  issue-label: "Nuclei"
```
Adapting to Evolving Threats
The primary use case for custom templates is adapting to evolving threats. One can create a template to test for a specific CVE, 0-day or novel attack vector across various targets. For example, suppose an organization wants to ensure it is secure against a particular CVE, and its vulnerability research team can create a working exploit for that CVE. Scanning all the hosts manually could still be a challenge. Instead, they can turn the exploit into a Nuclei template and run it across all known hosts to find out which hosts are vulnerable. This helps organizations stay ahead of threat actors, detect issues quickly and remediate them on priority.
A typical example of a CVE template (here for CVE-2023-32315) looks like the following:
```yaml
id: CVE-2023-32315

info:
  name: Administration Console Authentication Bypass in Openfire Console
  author: vsh00t
  severity: high
  description: |
    <redacted>
  remediation: |
    <redacted>
  reference:
    - https://github.com/advisories/GHSA-gw42-f939-fhvm
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32315
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2023-32315
    cwe-id: CWE-22
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"openfire"
  tags: cve,cve2023,auth-bypass,openfire,console

http:
  - raw:
      - |+
        GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

    unsafe: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "apache"
          - "java"
          - "openfire"
          - "jivesoftware"
        condition: and

      - type: status
        status:
          - 200
```
Building PoCs for vulnerabilities
Similarly to creating custom templates for CVEs and novel attack vectors, Nuclei templates can be used to build Proof of Concept (PoC) demonstrations. A triage team (if you are doing bug bounty) or the developers and internal security teams (if you are reporting issues internally) can run the template to reproduce the issue, which reduces the overall reproduction effort and the number of manual steps involved.
For example, suppose you have found a race condition vulnerability in your target system. In that case, you can create a custom nuclei template to demonstrate the race condition vulnerability with minimal reproduction efforts required. A template for race condition issues could look something like the following:
```yaml
id: race-condition-testing

info:
  name: Race Condition testing
  author: pdteam
  severity: info

http:
  - raw:
      - |
        POST /coupons HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache, no-transform
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
        Cookie: user_session=42332423342987567896

        promo_code=20OFF

    race: true
    race_count: 10

    matchers:
      - type: status
        part: header
        status:
          - 200
```
Retesting vulnerabilities
When a vulnerability is found in one system, the same vulnerability may exist in other environments that share the same code base or technology. In such cases, automating detection with a custom Nuclei template is straightforward.
The custom template should contain rules and conditions that target the specific vulnerability already identified. By defining the HTTP requests to send, the responses to look for, and the patterns to match against, you can reliably detect the presence of the vulnerability.
For example, if cross-site scripting was identified in one WordPress installation, a custom template like the following can be created to re-test it across different WordPress instances.
```yaml
id: wp-socialfit-xss

info:
  name: WordPress Plugin SocialFit - 'msg' Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: |
    SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
  reference: |
    - https://www.exploit-db.com/exploits/37481
  tags: wordpress,xss,wp-plugin

requests:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%281%29%3C/script%3E'
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script>alert(1)</script>'
      - type: word
        part: header
        words:
          - "text/html"
      - type: status
        status:
          - 200
```
Regression testing
The most important task one can perform is regression testing with the help of custom templates. The diagram below by ProjectDiscovery explains how nuclei custom templates can be used to perform regression testing.
For example, when a bug bounty hunter or security researcher submits a vulnerability together with a Nuclei template, or the internal team writes a custom template from the vulnerability report, the organization can add that template to its regression testing repository.
Whenever a new build is produced, the security assessment includes running the regression tests for previously identified vulnerabilities using these custom templates. If a vulnerability is still reproducible and gets detected, the developers make the required changes. If it is no longer seen, the code can be cleared to ship to production.
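The build gate described above, as an added Python example that is not ProjectDiscovery's code: it reads Nuclei's line-delimited JSON output and blocks the build if any finding comes from a template in the regression set, or reaches a blocking severity. The sample output lines are constructed for this example, and the field names it reads (`template-id`, `info.severity`, `host`, `matched-at`) are the ones assumed to be present in Nuclei's JSON output.

```python
"""Regression gate for a CI build, fed by Nuclei's line-delimited JSON output.

Added example, not ProjectDiscovery's code. It assumes each output line carries
`template-id`, `host`, `matched-at` and `info.severity` (the field names assumed
for Nuclei's JSON output); the sample lines below are constructed.
"""
import json

# Constructed lines in the shape of Nuclei JSONL output (hosts and values made up).
SAMPLE_OUTPUT = """\
{"template-id":"wp-socialfit-xss","info":{"name":"WordPress Plugin SocialFit - 'msg' Cross-Site Scripting","severity":"medium"},"host":"https://staging.example.test","matched-at":"https://staging.example.test/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%281%29%3C/script%3E"}
{"template-id":"nginx-version","info":{"name":"Nginx version detect","severity":"info"},"host":"https://staging.example.test","matched-at":"https://staging.example.test"}
"""

# Template ids that came from past vulnerability reports: a single hit blocks the build.
REGRESSION_TEMPLATES = {"wp-socialfit-xss", "race-condition-testing", "CVE-2023-32315"}
# Findings at these severities block the build even if they are not known regressions.
BLOCKING_SEVERITIES = {"high", "critical"}


def parse_findings(output: str):
    """Yield one dict per finding; skip blank or malformed lines instead of crashing."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a scanner log line that is not JSON must not break the gate
        info = rec.get("info") or {}
        yield {
            "template": rec.get("template-id", ""),
            "severity": str(info.get("severity", "unknown")).lower(),
            "matched_at": rec.get("matched-at", rec.get("host", "")),
        }


def evaluate_build(output: str):
    """Return (ship_ok, blocking_findings); ship_ok is False if any finding blocks."""
    blocking = []
    for f in parse_findings(output):
        known_regression = f["template"] in REGRESSION_TEMPLATES
        severe = f["severity"] in BLOCKING_SEVERITIES
        if known_regression or severe:
            blocking.append(f)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    ok, hits = evaluate_build(SAMPLE_OUTPUT)
    for h in hits:
        print(f"BLOCK {h['template']} ({h['severity']}) at {h['matched_at']}")
    print("ready to ship" if ok else "build blocked by regression")
```

In a pipeline, the output file produced by the Nuclei run against the staging build is passed to `evaluate_build`, and a non-zero exit on `ship_ok == False` is what stops the deploy; the informational nginx detection in the sample is ignored because it is neither a regression template nor a blocking severity.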
Summary
We have learned how custom templates can be extremely helpful in many day-to-day cases. By leveraging the power of custom Nuclei templates, organizations and individuals can enhance their security testing capabilities, optimize their workflows, and address specific security needs. These templates provide a flexible and adaptable framework for proactive vulnerability detection and mitigation, ultimately bolstering the organization's security posture. If you are interested in learning to build custom templates yourself, you can follow this detailed guide: https://nuclei.projectdiscovery.io/templating-guide/
Want to learn more about the powerful things cooking in ProjectDiscovery’s kitchen? Make sure to subscribe to the newsletter.
Author: Harsh Bothra - @harshbothra_