Welcome to the November edition of the PD community newsletter - and Happy Thanksgiving to everyone who celebrated! 🦃
As we’re moving over into the holiday season, not only are we starting to look back on all the amazing work that both the ProjectDiscovery team and the wider community have completed this year, but we also haven’t stopped creating. Plenty of bug fixes and enhancements have been added to our tools and templates this month, along with the exciting announcement of some brand new tools for you to explore - scroll down through the newsletter to learn more!
We’re highlighting our brand new weekly YouTube series that offers tips and tricks you can try on our tools, as well as pinpointing some great messages on social media about the power of Nuclei and the cybersecurity community as a whole.
As always, we love to see new and old community members over on our GitHub and Discord. Dive in, introduce yourself and ask any questions that might be on your mind - the team are always here to help!
Release notes
nuclei v3.3.6
This month’s nuclei release brought some important changes and new features with version 3.3.6. Use of the -enable-self-contained or -esc flags is now required to load self-contained templates, and the -file flag must be used to enable loading file templates.
Analyzer support was added, as well as a time-based delay analyzer for DAST mode. Alongside this, a few bugs have been fixed, including issues with code protocol template execution, and a panic error that was occurring in the -stats option.
urlfinder v0.0.1 and v0.0.2
One of our newest tools, urlfinder, was released this month!
Alongside the initial release, our v0.0.2 update added VirusTotal as a new passive source, and fixed issues that were occurring with writing empty hosts to the output file.
tldfinder v0.0.2
The first update to another new tool, tldfinder, was released this month.
Updates addressed issues with crtsh and other sources, and fixed the output format in domain mode to return root domains. We’ve also added a filter to search private TLDs only, and concurrent TLD processing in DNS mode.
Nuclei Templates
November stats
November saw two versions released for Nuclei Templates. Alongside bug fixes, corrections for false negatives and false positives, and a few new enhancements, we’ve also gained 190 new templates, 14 first-time contributors, and 78 new CVEs - amazing work from everyone involved!
Major highlights across both versions address vulnerabilities such as arbitrary file reading in Vendure, an improper authentication vulnerability in Apache Solr, and SAML Authentication Bypass in GitHub Enterprise.
We’ve also been able to fix several bugs, including an issue with time-based SQL injection flow and false positives for the appspec-yml-disclosure.yaml template, and we refactored the "Django Admin Panel" template.
Alongside this, we’re proud to announce some enhancements this month, such as the addition of templates for AWS services: EFS, Inspector2, GuardDuty, Firehose, DMS, EBS, ElastiCache, Route53, and RDS. We’ve also renamed ‘spring4shell-CVE-2022-22965.yaml’ to ‘CVE-2022-22965.yaml’ for consistency.
Huge thanks to our contributors on all of these releases - @kchason, @alban-stourbe-wmx, @iuliu8899, @s4e-io, @gumgum, @kim, @bolkv, @n0ming, @RoughBoy0723, @sujal, @johnk3r, @sttlr, @icarot, @y0no, @Splint3r7, @righettod, @rxerium, @kh4sh3i, @ArganexEmad, @philippedelteil, @Splint3r7, @JPG0mez, @Spling3r7, @pussycat0x, @mailler, @bhutch, @ffffffff0x, @gy741, @sorrowx3, and @nagli-wiz.
And, congratulations to our first-time contributors: @dmaciejak, @chengehe, @h41th, @soltanali0, @kairos-hk, @nqdung2002, @batutahibnu17, @vultza, @DuyVuong, @AV-IO, @aayush2561, @hnd3884, @s4hm4d, @00xSayDoo, @andymcao, @sshbounty, @mujtabachang, @zy9ard3 and @cxbt.
Other news
Highlights
Missed our new series of short tips and tricks over on YouTube? Check out November’s videos
Community member geeknik talks about his standing on the ProjectDiscovery leaderboards leading to a job offer!
Read on X
Some great advice on writing your first Nuclei template.
View on LinkedIn
The full potential of ProjectDiscovery tools such as Nuclei must be harnessed.
Learn more on X or BugCrowd
Join our community
Our diverse community spans members from full-time bug bounty hunters to Fortune 500 security engineers. Let's go!
Thanks,
The ProjectDiscovery Team
Have news you want to share with our community? Let us know