-

3 min read

Token Spray - Introduction to self-contained template

Token Spray - Introduction to self-contained template

We search for secret leaks in a variety of places including GitHub, JS files, HTTP replies, source code, and other places. Once we've identified these keys, the next question is: what service does this key belong to, and is it valid? Answers to those questions determines the severity of the revealed token.

Keyhacks is a great project that provides valid examples of API requests for a variety of services, making it simple to confirm token authenticity. However, the difficulty arises when the token is unknown and we don't know which services it belongs to 🤔🧐

Token-Spray to automate token validation

We've been exploring what the community is doing with custom templates and various use cases that can be automated using nuclei. A great example is zzeitlin, who created this awesome pull request on GitHub that includes 63 self-contained templates to automate the validity of a given token or list of tokens across multiple APIs/services.

What is a self-contained template?

A self-contained nuclei template is a stand-alone portable template that does not require any external information to run, such as target or input URLs. All required information can be hardcoded into the template itself.

yaml

1id: example-self-contained
2
3info:
4  name: example-self-contained
5  author: pdteam
6  severity: info
7
8self-contained: true
9requests:
10  - raw:
11      - |
12        GET https://app.target.com/api/users HTTP/1.1
13        Host: app.target.com
14        Authorization: XXXX
15
16    matchers-condition: and
17    matchers:
18      - type: status
19        status:
20          - 200
21
22      - type: word
23        words:
24          - "success"


How to run token-spray templates?

We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time.

yaml

1nuclei -t token-spray/ -var token=XXX_TOKEN_XXX
2nuclei -t token-spray/ -var token=token_list.txt

token-spray is a great example of using self-contained templates. It can also be used as part of regression testing for known security issues in an organization since they are portable and can be defined once and integrated into CI/CI pipelines to flag if the issues resurface. This is just one of many use cases for self-contained templates.

If you are using nuclei templates in more creative ways and would like to share them with everyone, or if you have workflows in mind that you would like to implement in the form of template automation, please get in touch with us. You can also join our community discord server and follow pdnuclei for future updates.