The latest nuclei release has been a pretty big one, with lots of new features added as well as bug fixes to the existing code base. Significant new additions have been made to the fuzzing as well as the templating capabilities of nuclei.
Non-RFC Compliant Requests
Earlier versions of nuclei used the base Go HTTP library. Requests were strictly validated and non-spec-compliant requests were dropped. The new release comes with an unsafe attribute backed by our rawhttp library, which allows sending any kind of malformed request to detect interesting behaviour and gives unlimited control over the bytes that are sent.
Some examples of the type of requests you can send with nuclei unsafe requests are:
- HTTP Smuggling Requests
- CRLF Requests with Malformed Characters
- Custom Host Header Requests
- Invalid Request Formats, non-standard HTTP Methods, etc.
These examples are just scratching the surface of what’s possible with rawhttp, think complete control over the requests!
HTTP Smuggling
HTTP Smuggling is a class of Web-Attacks recently made popular by Portswigger’s Research into the topic. For an in-depth overview, please visit the article linked above.
In the open source space, detecting HTTP smuggling is difficult, particularly because the requests needed for detection are malformed by nature. Nuclei is able to reliably detect HTTP Smuggling vulnerabilities utilising the rawhttp engine.
The most basic example of an HTTP Smuggling vulnerability is CL.TE smuggling. An example template to detect a CL.TE HTTP Smuggling vulnerability is provided below, using the unsafe: true attribute for rawhttp based requests.
```yaml
id: CL.TE-http-smuggling

info:
  name: HTTP request smuggling, basic CL.TE vulnerability
  author: pdteam
  severity: info
  lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te

requests:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 6
        Transfer-Encoding: chunked

        0

        G
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 6
        Transfer-Encoding: chunked

        0

        G

    unsafe: true
    matchers:
      - type: word
        words:
          - 'Unrecognized method GPOST'
```
More examples are available in nuclei-docs for smuggling templates.
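As an added example (not nuclei or ProjectDiscovery code), the Python below replays the bytes of the template's request through a Content-Length framing and a Transfer-Encoding framing, showing why the matcher looks for `Unrecognized method GPOST`: the front end forwards six body bytes, the back end stops after the zero-length chunk and treats the trailing `G` as the start of the next request. The host name and the second request are constructed sample values.

```python
# Added example (not nuclei code): frame the same bytes by Content-Length and by chunked TE and compare.

# Constructed sample: the CL.TE template's request (placeholder host) followed by the next request
# as a back end sees them on one connection.
SMUGGLED = (
    b"POST / HTTP/1.1\r\nHost: target.test\r\n"
    b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nG"
    b"POST / HTTP/1.1\r\nHost: target.test\r\nContent-Length: 0\r\n\r\n"
)
CLEAN = b"POST / HTTP/1.1\r\nHost: target.test\r\nContent-Length: 1\r\n\r\nx"

def parse_head(stream: bytes):
    """Return (request line, {lowercased name: value}, offset of the first body byte)."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4

def end_by_chunked(stream: bytes, body_start: int) -> int:
    """Walk a chunked body; return the offset just past the terminating chunk (no trailers)."""
    pos = body_start
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return stream.index(b"\r\n", pos) + 2
        pos += size + 2  # chunk data plus its trailing CRLF

def framing_conflict(stream: bytes):
    """(has_conflict, leftover): leftover is what a CL-honouring hop forwards as body
    but a TE-honouring hop leaves unread, so it becomes the prefix of the next request."""
    _, headers, body_start = parse_head(stream)
    if b"content-length" not in headers or b"transfer-encoding" not in headers:
        return False, b""
    cl_end = body_start + int(headers[b"content-length"])
    te_end = end_by_chunked(stream, body_start)
    return True, stream[te_end:cl_end]

def backend_next_method(stream: bytes) -> bytes:
    """Method the TE-honouring back end parses for the request after the chunked body."""
    _, _, body_start = parse_head(stream)
    reqline, _, _ = parse_head(stream[end_by_chunked(stream, body_start):])
    return reqline.split(b" ", 1)[0]
```

A non-empty leftover from `framing_conflict` is exactly the condition a reverse proxy should reject (or normalise to a single framing) instead of forwarding.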
Other examples
Another example is Host header attacks. These can now be detected very reliably using nuclei with the new rawhttp addition. The example below shows a template for detecting a Host header based SSRF from the PortSwigger labs.
```yaml
id: host-header-ssrf

info:
  name: Flawed Request Parsing Host Header SSRF
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        GET https://your-lab-id.web-security-academy.net/
        Host: your-collaborator-id.burpcollaborator.net
    unsafe: true
...
```
Race Condition
Race conditions are another class of bugs not easily automated with traditional tooling. Burp Suite introduced a gate mechanism in Turbo Intruder: every byte of every request except the last one is sent up front, and the final byte of all the requests is then released together, synchronising the moment they complete.
Below is an example template where the same request is repeated for 15 times using the gate logic.
```yaml
id: race-condition-testing

info:
  name: Race condition testing
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        POST /coupons HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache, no-transform
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0

        promo_code=20OFF

    race: true
    race_count: 15

    matchers:
      - type: status
        part: header
        status:
          - 200
```
Testing for race conditions in web applications is now as simple as this template.
Advanced Fuzzing Support
We’ve enriched nuclei to allow advanced fuzzing of web servers. Users can now use multiple options to tune HTTP fuzzing workflows.
HTTP Pipelining
HTTP Pipelining support has been added, which allows multiple HTTP requests to be sent on the same connection. It was inspired by https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.
An example template demonstrating the pipelining capabilities of nuclei is provided below:
```yaml
id: pipeline-testing
info:
  name: pipeline testing
  author: pdteam
  severity: info

requests:

  - payloads:
      path: path_wordlist.txt

    attack: sniper
    unsafe: true
    pipeline: true
    pipeline-max-connections: 40
    pipeline-max-workers: 25000

    raw:
      - |
        GET /§path§ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Referer: {{BaseURL}}
        Connection: keep-alive

    matchers:
      - type: status
        part: header
        status:
          - 200
```
HTTP Connection Pooling
While earlier versions of nuclei did not do connection pooling, users can now configure templates to either use HTTP connection pooling or not. This allows for faster scanning where the target permits it. An example template for this new capability:
```yaml
id: fuzzing-example
info:
  name: Connection pooling example
  author: pdteam
  severity: info

requests:
  - payloads:
      password: password.txt

    threads: 40
    attack: sniper

    raw:
      - |
        GET /protected HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64('admin:§password§')}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Language: en-US,en;q=0.9

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "Unique string"
        part: body
```
Note: do not add a `Connection: Close` header when using the connection pooling template.
Simplified Workflow Syntax
We use tengo as the scripting engine for nuclei workflows, which provides a very powerful and highly customizable engine for users to automate all their needs. However, creating workflows with the tengo scripting syntax was something we always wanted to improve for a better user experience and to align with the simple YAML format used by templates.
Workflows have been reworked to adopt a simpler YAML based syntax which makes creating complex workflows a breeze. Older workflows are still supported and will run flawlessly.
An example template which runs exploits if Spring Web Framework is detected using the new workflow syntax is provided below.
```yaml
workflows:
  - template: security-misconfiguration/springboot-detect.yaml
    subtemplates:
      - template: cves/CVE-2018-1271.yaml
      - template: cves/CVE-2020-5410.yaml
```
Matcher names can also be checked, and multiple conditions can be executed. Chained templates are also possible by nesting subtemplates under a template block.
```yaml
workflows:
  - template: technologies/tech-detect.yaml
    matchers:
      - name: lotus-domino
        subtemplates:
          - template: technologies/lotus-domino-version.yaml
            subtemplates:
              - template: cves/CVE-2005-2428.yaml
```
Burp Collaborator Support
We’ve also added support for Burp Collaborator based polling for Out-Of-Band and blind security testing. This allows you to create templates that report interactions based on DNS or HTTP events.
```yaml
id: collab-automation
info:
  name: Collab automation with nuclei
  author: pdteam
  severity: info

requests:
  - raw:
      - |
        POST /api/v1/proxy HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Content-Length: 549
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36
        Content-Type: application/json

        {'url':'http://<collab-id>.burpcollaborator.net/'}

    matchers:
      - type: dsl
        dsl:
          - "waitfor(6) && collab('')"
```
Example of running the template with Collaborator:
```sh
echo https://vul-target.com | nuclei -t collab-automation.yaml -burp-collaborator-biid xxxxxxx
```
By default nuclei polls every 5 seconds and keeps track of the last 150 Collaborator events. Provide it with a Burp Suite Collaborator BIID and you're good to go!
Miscellaneous
Project Support
We’ve added Project File support which can be used to cache previous requests to targets as well as use the stored request later for re-verification purposes.
When the project flag is used, the requests of the current scan are stored in a temporary cache on disk. These stored requests can later be reused by templates that request the same paths. With the project-path flag, the requests can also be stored in a custom directory.
Basic stats support
We've replaced the progress bar with a simpler stats line which is printed every 5 seconds. This was done because the progress bar implementation was causing issues on several platforms.
What’s Next?
In the next release, network protocol requests (raw TCP, UDP, etc.) and local directory / file inputs will be supported.
The complete change-log of this release is available here.
Future of the project
In future, we’ll be adding the following new features to the project. Follow us to keep in touch with the progress.
- A new documentation site for easy access to templating guide and docs.
- Notification module to send alerts on identified bugs.
- UI / Web Form to create a template with just a few clicks.
- Test Server to validate nuclei templates at runtime.
Questions / Feedback
If you're already a user of nuclei and would like to suggest a feature or share some ideas, feel free to reach out. You can contact us on Twitter at @pdnuclei / @pdiscoveryio or by e-mail at contact@projectdiscovery.io. We'd love to hear from you.
You can follow the Nuclei and Nuclei templates project on Github. Contributions of new templates as well as ideas are very welcome!