6 min read
The Power of Nuclei Templates: A Universal Language of Vulnerabilities
Ever since joining ProjectDiscovery over nine months ago, I've been constantly surprised about many aspects of the state of the security industry today. Having lived through the open source revolution in software development and DevOps, I came to understand that a lot of what I learned and assumed from those revolutions aren't things to take for granted. Since joining PD's mission to Democratize Security, my conviction has only deepened that our community can revolutionize the security field. The future is community-driven security, encompassing everything from offensive security to DevSecOps and beyond.
To me, that all starts with something relatively simple, at least on the surface: the idea of a Nuclei template. This seemingly simple concept, representing the most critical details of a vulnerability as machine- and human-readable, is actually at the core of how security can become more democratized. I remember a conversation I had with Jobert from HackerOne in my early days. We talked about how the Nuclei template could become the universal language for communicating about vulnerabilities and misconfiguration – trumping even spoken and written languages (like English) for how we share information and make each other safer. At the time I agreed, but ever since I've seen an evolution that has me convinced this is a titanic shift in the way we all think about security. And it's based in YAML.
'Traditional' approach to vulnerability scanning
This year I had my first ever direct personal experience of the dichotomy of Black Hat and DEF CON being placed against one another in hacker summer camp. I knew of both events before, but had never experienced them first hand. And they both lived up to what I expected: Plenty of suits and meetings in Vegas suites for Black Hat and then – as someone described it – "security Burning Man" at DEF CON.
And even before experiencing this first hand, I've seen from conversations with community members, design partners, and CISOs the reality of what is now called "traditional vulnerability scanning": a few key players with proprietary algorithms and vulnerability definitions and "people in suits selling software to people in suits." The sheepish in the security world run these scanners, check a compliance box, and cross their fingers that they don't get attacked. And if they did…well, they had all the same tools that are "industry standard" so it can't be their fault, right?!
Contrast that with the eagle-eyed security engineer who knows that threats are ever evolving. They don't trust the results they get from these proprietary scanners. And even worse, the "alerts" from those scanners are about mismatched TLS versions or other things that are irrelevant to an attacker – but make an auditor feel more protected! These folks are really the heart of truly traditional approaches to cybersecurity – the spirit of DEF CON's past, where ethical hackers swap new ideas and techniques to help create a rising tide to lift everyone's boat. That's how security got started – by not ignoring exploitable vulnerabilities for the safety of a "clean" PDF report. It came from protecting against attackers first and auditors second – not the other way around.
And in today's much faster-paced environment, with shadow IT and nation-state level threat actors, what is needed to make these security engineers effective? It's a way to quickly and accurately communicate the pattern of vulnerabilities or misconfigurations without a lot of the fluff that would come in a PDF report delivered to the C-suite. What is needed is a universal language of vulnerabilities.
Universal Language of Vulnerabilities
And that's precisely where the concept of a Nuclei template fills a critical gap for teams and engineers looking to quickly and universally communicate "what is this vulnerability," "how do I detect if I'm vulnerable," and "how do I know when I've remediated it."
Nuclei templates contain all of this information in a simple package:
- Metadata about the severity of the vulnerability
- Links to relevant references to learn more
- A finite set of requests that can test for the presence of an exploitable vulnerability
- A set of matchers that verify if the vulnerability is remediated or not
Not only does this provide a simple way for humans to communicate about vulnerabilities – without unnecessary preambles or extraneous writing – but it also provides a way to quickly scale and apply that knowledge across a complex infrastructure. When a new exploitable vulnerability is discovered and a Nuclei template created, answering the question "are we vulnerable anywhere to this" becomes as easy as running that template against your known assets.
Imagine a CISO or CEO seeing a story on CNN about a massive vulnerability. They immediately call up their security team to ask about the fix and are met with 'We're waiting on the vendor to release an update. The timeline looks to be about three weeks.' How happy do you think the CEO or CISO is at that moment? What if the answer instead is: 'A template is up and running already to check our assets.' Feels better, doesn't it?
The transparency around the scanning logic and the ability for the community to provide instant feedback on severity, false positives, and other detection details results in a situation where "many eyes make all problems shallow." This is the greatest power of open source software, and where the advantage of a common, open language for discussing vulnerabilities becomes so valuable.
And for that very reason, Nuclei templates are becoming THE universal language for vulnerability discussions and detection. As recently as this month, CISA issued an advisory about [threat actors exploiting Ivanti EPMM vulnerabilities which included a Nuclei template to check your infrastructure for the vulnerability as well as a joint recommendation from CISA and NCSC to run that template against critical architecture.
Power of Community
And that's what makes an open standard for communicating vulnerabilities so powerful – the entire community can contribute. From government agencies tasked with countrywide cybersecurity responsibilities all the way to independent bug bounty hunters…the playing field is leveled when you have a universal way to communicate about these things.
We've seen that power time and again – with the extensive ProjectDiscovery community sometimes creating Nuclei templates _minutes_ after the announcement of a zero-day vulnerability:
- CVE-2020-36289 – a JIRA user enumeration without authentication was released and had a Nuclei template in the repository less than 30 minutes later
- CVE-2023-29489 – a cross-site scripting vulnerability in cPanel was released and there was a pull request opened against the Nuclei template repository 15 minutes later
- CVE-2023-2448 – a XSS pre-auth in Citrix Gateway, which had a pull request from a community member less than 10 minutes after the announcement. And this CVE resulted in over 1,500 reports to HackerOne of vulnerable internet-facing assets.
And for organizations who are working with vendors or internal teams on disclosures ahead of public announcements, the fact that Nuclei templates are an open format allows for quick and scalable ways to do day -1 testing of vulnerabilities in private. Or develop templates that focus on specific misconfigurations for their applications or environment…and run those templates right alongside the community ones.
In that way, the nuclei-template repository can also serve as a central database of vulnerabilities in countless interesting ways. For folks just getting started with security, it can be a simplistic way to understand what does exploiting a XSS vulnerability actually looks like in the real world. And for seasoned security professionals, the wealth of information about the patterns and types of vulnerabilities most often found by the community can provide valuable insights into what areas are best or worse covered when evaluating their attack surface.
Where we go from here
In the fast-paced world of cybersecurity, the ever-evolving threat landscape demands agility, innovation, and, most critically, collaboration. The ongoing development of Nuclei templates reflects a commitment to keeping pace with the myriad of emerging vulnerabilities and their associated complexities. However, it's the community contributions that truly elevate the power of Nuclei.
By crowdsourcing knowledge and expertise, the Nuclei community taps into a collective intelligence that no single organization could recreate. This decentralized approach ensures a more rapid response to new threats, allowing for immediate sharing and dissemination of mitigation steps. As cyber adversaries refine their techniques and exploit novel vulnerabilities, it's the synchronized dance of development and community input, fueled by the dynamic threat landscape, that keeps Nuclei templates perpetually relevant, robust, and invaluable to defenders worldwide.
Dive into the world of Nuclei templates and witness the transformative power of community-driven cybersecurity. Explore the Nuclei GitHub repository to start your journey, and consider contributing your expertise to fortify our collective defense against emerging threats. You should also give our new AI-powered template generator a try to work on converting narrative vulnerability reports into Nuclei templates using GPT. We can democratize security, together.