We search for secret leaks in a variety of places, including GitHub, JS files, HTTP replies and source code. Once we've identified a key, the next questions are: which service does it belong to, and is it still valid? The answers to those questions determine the severity of the revealed token.
Keyhacks is a great project that provides valid examples of API requests for a variety of services, making it simple to confirm token authenticity. However, the difficulty arises when the token is unknown and we don't know which services it belongs to 🤔🧐
Token-Spray to automate token validation
We've been exploring what the community is doing with custom templates and the various use cases that can be automated with nuclei. A great example is zzeitlin, who created this awesome pull request on GitHub that includes 63 self-contained templates to automate validating a given token, or a list of tokens, across multiple APIs/services.
What is a self-contained template?
A self-contained nuclei template is a stand-alone portable template that does not require any external information to run, such as target or input URLs. All required information can be hardcoded into the template itself.
```yaml
id: example-self-contained

info:
  name: example-self-contained
  author: pdteam
  severity: info

self-contained: true
requests:
  - raw:
      - |
        GET https://app.target.com/api/users HTTP/1.1
        Host: app.target.com
        Authorization: XXXX

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "success"
```
How to run token-spray templates?
We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time.
```bash
nuclei -t token-spray/ -var token=XXX_TOKEN_XXX
nuclei -t token-spray/ -var token=token_list.txt
```
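To make the two ideas above concrete (a self-contained template with hardcoded request details, and a token fed in as a run-time variable), here is an added Python illustration that is not part of the token-spray project or of nuclei. It models the page's example template as a dictionary, substitutes a `{{token}}` placeholder the way `-var token=...` does, and evaluates the `status` and `word` matchers under `matchers-condition: and` against constructed responses; the `Bearer {{token}}` header and the response bodies are assumptions for the demonstration.

```python
import re

# Constructed template mirroring the page's self-contained example, with the
# hardcoded "XXXX" replaced by a {{token}} variable (assumed layout, not a real file).
TEMPLATE = {
    "self-contained": True,
    "raw": "GET https://app.target.com/api/users HTTP/1.1\n"
           "Host: app.target.com\n"
           "Authorization: Bearer {{token}}\n",
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "words": ["success"]},
    ],
}

def render_request(template, variables):
    """Substitute {{name}} placeholders as `nuclei -var name=value` would at run time."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"unresolved template variable: {name}")
        return variables[name]
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", sub, template["raw"])

def match_one(matcher, status, body):
    """Evaluate one status or word matcher against a response."""
    if matcher["type"] == "status":
        return status in matcher["status"]
    if matcher["type"] == "word":
        hits = [w in body for w in matcher["words"]]
        # nuclei defaults a word matcher's condition to "or"; "and" needs every word
        return all(hits) if matcher.get("condition") == "and" else any(hits)
    raise ValueError(f"unsupported matcher type: {matcher['type']}")

def token_is_valid(template, status, body):
    """Combine matchers with matchers-condition; True means the token is live."""
    results = [match_one(m, status, body) for m in template["matchers"]]
    if template.get("matchers-condition", "or") == "and":
        return all(results)
    return any(results)

if __name__ == "__main__":
    # Constructed responses standing in for the API replies nuclei would receive.
    for token, (status, body) in [
        ("tok_constructed_live", (200, '{"status":"success","users":[]}')),
        ("tok_constructed_revoked", (401, '{"status":"error"}')),
    ]:
        print(render_request(TEMPLATE, {"token": token}).splitlines()[2])
        print("valid" if token_is_valid(TEMPLATE, status, body) else "invalid")
```

Because both matchers must hold, a 200 reply whose body lacks the expected word is still reported as invalid, which is the same conservative behaviour a token-spray template relies on to avoid false positives.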
token-spray is a great example of using self-contained templates. Because they are portable and can be defined once, they can also be integrated into CI/CD pipelines as regression tests for known security issues in an organization, flagging when an issue resurfaces. This is just one of many use cases for self-contained templates.
If you are using nuclei templates in more creative ways and would like to share them with everyone, or if you have workflows in mind that you would like to implement in the form of template automation, please get in touch with us. You can also join our community discord server and follow pdnuclei for future updates.