Skip to content

Latest commit

 

History

History
executable file
·
4204 lines (2183 loc) · 58.4 KB

SYNTAX-REFERENCE.md

File metadata and controls

executable file
·
4204 lines (2183 loc) · 58.4 KB

Template

Template is a YAML input file which defines all the requests and other metadata for a template.


id string

ID is the unique id for the template.

Good IDs

A good ID uniquely identifies what the requests in the template are doing. Let's say you have a template that identifies a git-config file on the webservers, a good name would be git-config-exposure. Another example name is azure-apps-nxdomain-takeover.

Examples:

# ID Example
id: CVE-2021-19520

info model.Info

Info contains metadata information about the template.

Examples:

info:
    name: Argument Injection in Ruby Dragonfly
    author: 0xspara
    tags: cve,cve2021,rce,ruby
    reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
    severity: high

requests []http.Request

Requests contains the http request to make in the template.

Examples:

requests:
    matchers:
        - type: word
          words:
            - '[core]'
        - type: dsl
          condition: and
          dsl:
            - '!contains(tolower(body), ''<html'')'
            - '!contains(tolower(body), ''<body'')'
        - type: status
          status:
            - 200
    matchers-condition: and
    templateid: ""
    excludematchers: null
    path:
        - '{{BaseURL}}/.git/config'
    method: GET

dns []dns.Request

DNS contains the dns request to make in the template

Examples:

dns:
    extractors:
        - type: regex
          regex:
            - ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
            - ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
          dsl: []
    templateid: ""
    excludematchers: null
    name: '{{FQDN}}'
    type: CNAME
    class: inet
    retries: 2
    recursion: false

file []file.Request

File contains the file request to make in the template

Examples:

file:
    extractors:
        - type: regex
          regex:
            - amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
          dsl: []
    templateid: ""
    excludematchers: null
    extensions:
        - all
    archive: false
    mimetype: false

network []network.Request

Network contains the network request to make in the template

Examples:

network:
    host:
        - '{{Hostname}}'
        - '{{Hostname}}:2181'
    inputs:
        - data: "envi\r\nquit\r\n"
    read-size: 2048
    matchers:
        - type: word
          words:
            - zookeeper.version
    templateid: ""
    excludematchers: null

headless []headless.Request

Headless contains the headless request to make in the template.


ssl []ssl.Request

SSL contains the SSL request to make in the template.


websocket []websocket.Request

Websocket contains the Websocket request to make in the template.


whois []whois.Request

WHOIS contains the WHOIS request to make in the template.


Workflows is a list of workflows to execute for a template.


self-contained bool

Self Contained marks Requests for the template as self-contained


stop-at-first-match bool

Stop execution once first match is found


Signature is the request signature method

Valid values:

  • AWS

variables variables.Variable

Variables contains any variables for the current request.


model.Info

Info contains metadata information about a template

Appears in:

name: Argument Injection in Ruby Dragonfly
author: 0xspara
tags: cve,cve2021,rce,ruby
reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
severity: high

name string

Name should be good short summary that identifies what the template does.

Examples:

name: bower.json file disclosure
name: Nagios Default Credentials Check

Author of the template.

Multiple values can also be specified separated by commas.

Examples:

author: <username>

Any tags for the template.

Multiple values can also be specified separated by commas.

Examples:

# Example tags
tags: cve,cve2019,grafana,auth-bypass,dos

description string

Description of the template.

You can go in-depth here on what the template actually does.

Examples:

description: Bower is a package manager which stores package information in the bower.json file
description: Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations

References for the template.

This should contain links relevant to the template.

Examples:

reference:
    - https://github.com/strapi/strapi
    - https://github.com/getgrav/grav

severity severity.Holder

Severity of the template.


metadata map[string]interface{}

Metadata of the template.

Examples:

metadata:
    customField1: customValue1

classification model.Classification

Classification contains classification information about the template.


remediation string

Remediation steps for the template.

You can go in-depth here on how to mitigate the problem found by this template.

Examples:

remediation: Change the default administrative username and password of Apache ActiveMQ by editing the file jetty-realm.properties

stringslice.StringSlice

StringSlice represents a single (in-lined) or multiple string value(s). The unmarshaller does not automatically convert in-lined strings to []string, hence the interface{} type is required.

Appears in:

<username>
# Example tags
cve,cve2019,grafana,auth-bypass,dos
- https://github.com/strapi/strapi
- https://github.com/getgrav/grav
CVE-2020-14420
CWE-22

severity.Holder

Holder holds a Severity type. Required for un/marshalling purposes

Appears in:


Severity

Enum Values:

  • undefined

  • info

  • low

  • medium

  • high

  • critical

  • unknown


model.Classification

Appears in:


CVE ID for the template

Examples:

cve-id: CVE-2020-14420

CWE ID for the template.

Examples:

cwe-id: CWE-22

cvss-metrics string

CVSS Metrics for the template.

Examples:

cvss-metrics: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

cvss-score float64

CVSS Score for the template.

Examples:

cvss-score: "9.8"

http.Request

Request contains a http request to be made from a template

Appears in:

matchers:
    - type: word
      words:
        - '[core]'
    - type: dsl
      condition: and
      dsl:
        - '!contains(tolower(body), ''<html'')'
        - '!contains(tolower(body), ''<body'')'
    - type: status
      status:
        - 200
matchers-condition: and
templateid: ""
excludematchers: null
path:
    - '{{BaseURL}}/.git/config'
method: GET

Part Definitions:

  • template-id - ID of the template executed
  • template-info - Info Block of the template executed
  • template-path - Path of the template executed
  • host - Host is the input to the template
  • matched - Matched is the input which was matched upon
  • type - Type is the type of request made
  • request - HTTP request made from the client
  • response - HTTP response received from server
  • status_code - Status Code received from the Server
  • body - HTTP response body received from server (default)
  • content_length - HTTP Response content length
  • header,all_headers - HTTP response headers
  • duration - HTTP request time duration
  • all - HTTP response body + headers
  • cookies_from_response - HTTP response cookies in name:value format
  • headers_from_response - HTTP response headers in name:value format

matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


path []string

Path contains the path/s for the HTTP requests. It supports variables as placeholders.

Examples:

# Some example path values
path:
    - '{{BaseURL}}'
    - '{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions'

raw []string

Raw contains HTTP Requests in Raw format.

Examples:

# Some example raw requests
raw:
    - |-
      GET /etc/passwd HTTP/1.1
      Host:
      Content-Length: 4
    - |-
      POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
      Host: {{Hostname}}
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
      Content-Length: 1
      Connection: close

      echo
      echo
      cat /etc/passwd 2>&1

id string

ID is the optional id of the request


name string

Name is the optional name of the request.

If a name is specified, all the named request in a template can be matched upon in a combined manner allowing multi-request based matchers.


Attack is the type of payload combinations to perform.

batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

Valid values:

  • batteringram

  • pitchfork

  • clusterbomb


Method is the HTTP Request Method.


body string

Body is an optional parameter which contains HTTP Request body.

Examples:

# Same Body for a Login POST request
body: username=test&password=test

payloads map[string]interface{}

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.


headers map[string]string

Headers contains HTTP Headers to send with the request.

Examples:

headers:
    Any-Header: Any-Value
    Content-Length: "1"
    Content-Type: application/x-www-form-urlencoded

race_count int

RaceCount is the number of times to send a request in Race Condition Attack.

Examples:

# Send a request 5 times
race_count: 5

max-redirects int

MaxRedirects is the maximum number of redirects that should be followed.

Examples:

# Follow up to 5 redirects
max-redirects: 5

pipeline-concurrent-connections int

PipelineConcurrentConnections is number of connections to create during pipelining.

Examples:

# Create 40 concurrent connections
pipeline-concurrent-connections: 40

pipeline-requests-per-connection int

PipelineRequestsPerConnection is number of requests to send per connection when pipelining.

Examples:

# Send 100 requests per pipeline connection
pipeline-requests-per-connection: 100

threads int

Threads specifies number of threads to use sending requests. This enables Connection Pooling.

Connection: Close attribute must not be used in request while using threads flag, otherwise pooling will fail and engine will continue to close connections after requests.

Examples:

# Send requests using 10 concurrent threads
threads: 10

max-size int

MaxSize is the maximum size of http response body to read in bytes.

Examples:

# Read max 2048 bytes of the response
max-size: 2048

Signature is the request signature method

Valid values:

  • AWS

cookie-reuse bool

CookieReuse is an optional setting that enables cookie reuse for all requests defined in raw section.


read-all bool

Enables force reading of the entire raw unsafe request body ignoring any specified content length headers.


redirects bool

Redirects specifies whether redirects should be followed by the HTTP Client.

This can be used in conjunction with max-redirects to control the HTTP request redirects.


pipeline bool

Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining

All requests must be idempotent (GET/POST). This can be used for race conditions/billions requests.


unsafe bool

Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests.

This uses the rawhttp engine to achieve complete control over the request, with no normalization performed by the client.


race bool

Race determines if all the request have to be attempted at the same time (Race Condition)

The actual number of requests that will be sent is determined by the race_count field.


req-condition bool

ReqCondition automatically assigns numbers to requests and preserves their history.

This allows matching on them later for multi-request conditions.


stop-at-first-match bool

StopAtFirstMatch stops the execution of the requests and template as soon as a match is found.


skip-variables-check bool

SkipVariablesCheck skips the check for unresolved variables in request


iterate-all bool

IterateAll iterates all the values extracted from internal extractors


digest-username string

DigestAuthUsername specifies the username for digest authentication


digest-password string

DigestAuthPassword specifies the password for digest authentication


matchers.Matcher

Matcher is used to match a part in the output from a protocol.

Appears in:


Type is the type of the matcher.


condition string

Condition is the optional condition between two matcher variables. By default, the condition is assumed to be OR.

Valid values:

  • and

  • or


part string

Part is the part of the request response to match data from.

Each protocol exposes a lot of different parts which are well documented in docs for each request type.

Examples:

part: body
part: raw

negative bool

Negative specifies if the match should be reversed It will only match if the condition is not true.


name string

Name of the matcher. Name should be lowercase and must not contain spaces or underscores (_).

Examples:

name: cookie-matcher

status []int

Status are the acceptable status codes for the response.

Examples:

status:
    - 200
    - 302

size []int

Size is the acceptable size for the response

Examples:

size:
    - 3029
    - 2042

words []string

Words contains word patterns required to be present in the response part.

Examples:

# Match for Outlook mail protection domain
words:
    - mail.protection.outlook.com
# Match for application/json in response headers
words:
    - application/json

regex []string

Regex contains Regular Expression patterns required to be present in the response part.

Examples:

# Match for Linkerd Service via Regex
regex:
    - (?mi)^Via\\s*?:.*?linkerd.*$
# Match for Open Redirect via Location header
regex:
    - (?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)example\\.com.*$

binary []string

Binary are the binary patterns required to be present in the response part.

Examples:

# Match for Springboot Heapdump Actuator "JAVA PROFILE", "HPROF", "Gunzip magic byte"
binary:
    - 4a4156412050524f46494c45
    - 4850524f46
    - 1f8b080000000000
# Match for 7zip files
binary:
    - 377ABCAF271C

dsl []string

DSL are the dsl expressions that will be evaluated as part of nuclei matching rules. A list of these helper functions are available here.

Examples:

# DSL Matcher for package.json file
dsl:
    - contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200
# DSL Matcher for missing strict transport security header
dsl:
    - '!contains(tolower(all_headers), ''''strict-transport-security'''')'

encoding string

Encoding specifies the encoding for the words field if any.

Valid values:

  • hex

case-insensitive bool

CaseInsensitive enables case-insensitive matches. Default is false.

Valid values:

  • false

  • true


match-all bool

MatchAll enables matching for all matcher values. Default is false.

Valid values:

  • false

  • true


MatcherTypeHolder

MatcherTypeHolder is used to hold internal type of the matcher

Appears in:


MatcherType

Enum Values:

  • word

  • regex

  • binary

  • status

  • size

  • dsl


extractors.Extractor

Extractor is used to extract part of response using a regex.

Appears in:


name string

Name of the extractor. Name should be lowercase and must not contain spaces or underscores (_).

Examples:

name: cookie-extractor

Type is the type of the extractor.


regex []string

Regex contains the regular expression patterns to extract from a part.

Go regex engine does not support lookaheads or lookbehinds, so as a result they are also not supported in nuclei.

Examples:

# Braintree Access Token Regex
regex:
    - access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}
# Wordpress Author Extraction regex
regex:
    - Author:(?:[A-Za-z0-9 -\_="]+)?<span(?:[A-Za-z0-9 -\_="]+)?>([A-Za-z0-9]+)<\/span>

group int

Group specifies a numbered group to extract from the regex.

Examples:

# Example Regex Group
group: 1

kval []string

description: | kval contains the key-value pairs present in the HTTP response header. kval extractor can be used to extract HTTP response header and cookie key-value pairs. kval extractor inputs are case-insensitive, and does not support dash (-) in input which can replaced with underscores (_) For example, Content-Type should be replaced with content_type

A list of supported parts is available in docs for request types. examples:

  • name: Extract Server Header From HTTP Response value: > []string{"server"}
  • name: Extracting value of PHPSESSID Cookie value: > []string{"phpsessid"}
  • name: Extracting value of Content-Type Cookie value: > []string{"content_type"}

json []string

JSON allows using jq-style syntax to extract items from json response

Examples:

json:
    - .[] | .id
json:
    - .batters | .batter | .[] | .id

xpath []string

XPath allows using xpath expressions to extract items from html response

Examples:

xpath:
    - /html/body/div/p[2]/a

attribute string

Attribute is an optional attribute to extract from response XPath.

Examples:

attribute: href

part string

Part is the part of the request response to extract data from.

Each protocol exposes a lot of different parts which are well documented in docs for each request type.

Examples:

part: body
part: raw

internal bool

Internal, when set to true will allow using the value extracted in the next request for some protocols (like HTTP).


case-insensitive bool

CaseInsensitive enables case-insensitive extractions. Default is false.

Valid values:

  • false

  • true


ExtractorTypeHolder

ExtractorTypeHolder is used to hold internal type of the extractor

Appears in:


ExtractorType

Enum Values:

  • regex

  • kval

  • xpath

  • json

  • dsl


generators.AttackTypeHolder

AttackTypeHolder is used to hold internal type of the protocol

Appears in:


AttackType

Enum Values:

  • batteringram

  • pitchfork

  • clusterbomb


HTTPMethodTypeHolder

HTTPMethodTypeHolder is used to hold internal type of the HTTP Method

Appears in:


HTTPMethodType

Enum Values:

  • GET

  • GET

  • POST

  • PUT

  • DELETE

  • CONNECT

  • OPTIONS

  • TRACE

  • PATCH

  • PURGE

  • Debug


SignatureTypeHolder

SignatureTypeHolder is used to hold internal type of the signature

Appears in:

dns.Request

Request contains a DNS protocol request to be made from a template

Appears in:

extractors:
    - type: regex
      regex:
        - ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
        - ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
      dsl: []
templateid: ""
excludematchers: null
name: '{{FQDN}}'
type: CNAME
class: inet
retries: 2
recursion: false

Part Definitions:

  • template-id - ID of the template executed
  • template-info - Info Block of the template executed
  • template-path - Path of the template executed
  • host - Host is the input to the template
  • matched - Matched is the input which was matched upon
  • request - Request contains the DNS request in text format
  • type - Type is the type of request made
  • rcode - Rcode field returned for the DNS request
  • question - Question contains the DNS question field
  • extra - Extra contains the DNS response extra field
  • answer - Answer contains the DNS response answer field
  • ns - NS contains the DNS response NS field
  • raw,body,all - Raw contains the raw DNS response (default)
  • trace - Trace contains trace data for DNS request if enabled

matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


id string

ID is the optional id of the request


name string

Name is the Hostname to make DNS request for.

Generally, it is set to {{FQDN}} which is the domain we get from input.

Examples:

name: '{{FQDN}}'

RequestType is the type of DNS request to make.


class string

Class is the class of the DNS request.

Usually it's enough to just leave it as INET.

Valid values:

  • inet

  • csnet

  • chaos

  • hesiod

  • none

  • any


retries int

Retries is the number of retries for the DNS request

Examples:

# Use a retry of 3 to 5 generally
retries: 5

trace bool

Trace performs a trace operation for the target.


trace-max-recursion int

TraceMaxRecursion is the number of max recursion allowed for trace operations

Examples:

# Use a retry of 100 to 150 generally
trace-max-recursion: 100

recursion dns.bool

Recursion determines if resolver should recurse all records to get fresh results.


resolvers []string

Resolvers to use for the dns requests


DNSRequestTypeHolder

DNSRequestTypeHolder is used to hold internal type of the DNS type

Appears in:


DNSRequestType

Enum Values:

  • A

  • NS

  • DS

  • CNAME

  • SOA

  • PTR

  • MX

  • TXT

  • AAAA

  • CAA


file.Request

Request contains a File matching mechanism for local disk operations.

Appears in:

extractors:
    - type: regex
      regex:
        - amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
      dsl: []
templateid: ""
excludematchers: null
extensions:
    - all
archive: false
mimetype: false

Part Definitions:

  • template-id - ID of the template executed
  • template-info - Info Block of the template executed
  • template-path - Path of the template executed
  • matched - Matched is the input which was matched upon
  • path - Path is the path of file on local filesystem
  • type - Type is the type of request made
  • raw,body,all,data - Raw contains the raw file contents

matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


extensions []string

Extensions is the list of extensions or mime types to perform matching on.

Examples:

extensions:
    - .txt
    - .go
    - .json

denylist []string

DenyList is the list of file, directories, mime types or extensions to deny during matching.

By default, it contains some non-interesting extensions that are hardcoded in nuclei.

Examples:

denylist:
    - .avi
    - .mov
    - .mp3

id string

ID is the optional id of the request


max-size string

MaxSize is the maximum size of the file to run request on.

By default, nuclei will process 1 GB of content and not go more than that. It can be set to much lower or higher depending on use. If set to "no" then all content will be processed

Examples:

max-size: 5Mb

no-recursive bool

NoRecursive specifies whether to not do recursive checks if folders are provided.


network.Request

Request contains a Network protocol request to be made from a template

Appears in:

host:
    - '{{Hostname}}'
    - '{{Hostname}}:2181'
inputs:
    - data: "envi\r\nquit\r\n"
read-size: 2048
matchers:
    - type: word
      words:
        - zookeeper.version
templateid: ""
excludematchers: null

Part Definitions:

  • template-id - ID of the template executed
  • template-info - Info Block of the template executed
  • template-path - Path of the template executed
  • host - Host is the input to the template
  • matched - Matched is the input which was matched upon
  • type - Type is the type of request made
  • request - Network request made from the client
  • body,all,data - Network response received from server (default)
  • raw - Full Network protocol data

id string

ID is the optional id of the request


host []string

Host to send network requests to.

Usually it's set to {{Hostname}}. If you want to enable TLS for TCP Connection, you can use tls://{{Hostname}}.

Examples:

host:
    - '{{Hostname}}'

Attack is the type of payload combinations to perform.

Batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.


payloads map[string]interface{}

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.


inputs []network.Input

Inputs contains inputs for the network socket


read-size int

ReadSize is the size of response to read at the end

Default value for read-size is 1024.

Examples:

read-size: 2048

read-all bool

ReadAll determines if the data stream should be read till the end regardless of the size

Default value for read-all is false.

Examples:

read-all: false

matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


network.Input

Appears in:


data string

Data is the data to send as the input.

It supports DSL Helper Functions as well as normal expressions.

Examples:

data: TEST
data: hex_decode('50494e47')

Type is the type of input specified in data field.

Default value is text, but hex can be used for hex formatted data.

Valid values:

  • hex

  • text


read int

Read is the number of bytes to read from socket.

This can be used for protocols which expect an immediate response. You can read and write responses one after another and eventually perform matching on every data captured with name attribute.

The network docs highlight more on how to do this.

Examples:

read: 1024

name string

Name is the optional name of the data read to provide matching on.

Examples:

name: prefix

NetworkInputTypeHolder

NetworkInputTypeHolder is used to hold internal type of the Network type

Appears in:


NetworkInputType

Enum Values:

  • hex

  • text


headless.Request

Request contains a Headless protocol request to be made from a template

Appears in:

Part Definitions:

  • template-id - ID of the template executed
  • template-info - Info Block of the template executed
  • template-path - Path of the template executed
  • host - Host is the input to the template
  • matched - Matched is the input which was matched upon
  • type - Type is the type of request made
  • req - Headless request made from the client
  • resp,body,data - Headless response received from client (default)

id string

ID is the optional id of the request


Attack is the type of payload combinations to perform.

Batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.


payloads map[string]interface{}

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.


steps []engine.Action

Steps is the list of actions to run for headless request


descriptions: | User-Agent is the type of user-agent to use for the request.


custom_user_agent string

description: | If UserAgent is set to custom, customUserAgent is the custom user-agent to use for the request.


matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


engine.Action

Action is an action taken by the browser to reach a navigation

Each step that the browser executes is an action. Most navigations usually start from the ActionLoadURL event, and further navigations are discovered on the found page. We also keep track and only scrape new navigation from pages we haven't crawled yet.

Appears in:


args map[string]string

Args contain arguments for the headless action. Per action arguments are described in detail here.


name string

Name is the name assigned to the headless action.

This can be used to execute code, for instance in browser DOM using script action, and get the result in a variable which can be matched upon by nuclei. An Example template here.


description string

Description is the optional description of the headless action


Action is the type of the action to perform.


ActionTypeHolder

ActionTypeHolder is used to hold internal type of the action

Appears in:


ActionType

Enum Values:

  • navigate

  • script

  • click

  • rightclick

  • text

  • screenshot

  • time

  • select

  • files

  • waitload

  • getresource

  • extract

  • setmethod

  • addheader

  • setheader

  • deleteheader

  • setbody

  • waitevent

  • keyboard

  • debug

  • sleep

  • waitvisible


userAgent.UserAgentHolder

UserAgentHolder holds a UserAgent type. Required for un/marshalling purposes

Appears in:


UserAgent

Enum Values:

  • random

  • off

  • default

  • custom


ssl.Request

Request is a request for the SSL protocol

Appears in:

Part Definitions:

  • type - Type is the type of request made
  • response - JSON SSL protocol handshake details
  • not_after - Timestamp after which the remote cert expires
  • host - Host is the input to the template
  • matched - Matched is the input which was matched upon

matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


address string

Address contains address for the request


min_version string

Minimum tls version - auto if not specified.

Valid values:

  • sslv3

  • tls10

  • tls11

  • tls12

  • tls13


max_version string

Max tls version - auto if not specified.

Valid values:

  • sslv3

  • tls10

  • tls11

  • tls12

  • tls13


cipher_suites []string

Client Cipher Suites - auto if not specified.


websocket.Request

Request is a request for the Websocket protocol

Appears in:

Part Definitions:

  • type - Type is the type of request made
  • success - Success specifies whether websocket connection was successful
  • request - Websocket request made to the server
  • response - Websocket response received from the server
  • host - Host is the input to the template
  • matched - Matched is the input which was matched upon

matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


address string

Address contains address for the request


inputs []websocket.Input

Inputs contains inputs for the websocket protocol


headers map[string]string

Headers contains headers for the request.


Attack is the type of payload combinations to perform.

Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.


payloads map[string]interface{}

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.


websocket.Input

Appears in:


data string

Data is the data to send as the input.

It supports DSL Helper Functions as well as normal expressions.

Examples:

data: TEST
data: hex_decode('50494e47')

name string

Name is the optional name of the data read to provide matching on.

Examples:

name: prefix

whois.Request

Request is a request for the WHOIS protocol

Appears in:


matchers []matchers.Matcher

Matchers contains the detection mechanism for the request to identify whether the request was successful by doing pattern matching on request/responses.

Multiple matchers can be combined with matcher-condition flag which accepts either and or or as argument.


extractors []extractors.Extractor

Extractors contains the extraction mechanism for the request to identify and extract parts of the response.


matchers-condition string

MatchersCondition is the condition between the matchers. Default is OR.

Valid values:

  • and

  • or


query string

Query contains query for the request


server string

description: | Optional WHOIS server URL.

 If present, specifies the WHOIS server to execute the Request on.

Otherwise, nil enables bootstrapping


workflows.WorkflowTemplate

Appears in:


template string

Template is a single template or directory to execute as part of workflow.

Examples:

# A single template
template: dns/worksites-detection.yaml
# A template directory
template: misconfigurations/aem

Tags to run templates based on.


matchers []workflows.Matcher

Matchers perform name based matching to run subtemplates for a workflow.


Subtemplates are run if the template field Template matches.


workflows.Matcher

Appears in:


name string

Name is the name of the item to match.


Subtemplates are run if the name of matcher matches.


http.SignatureTypeHolder

SignatureTypeHolder is used to hold internal type of the signature

Appears in:

variables.Variable

Variable is a key-value pair of strings that can be used throughout template.

Appears in: