The power of custom Nuclei templates

by Prapattimynk, Wednesday, 26 July 2023 (10 months ago)
The power of custom Nuclei templates


With the increasing digital assets and risks of potential security threats, organizations, security teams, individual researchers and stakeholders need to adapt automation for fast scanning capabilities. Nuclei is an open-source vulnerability scanner that automates vulnerability scanning and allows integration of the tool in existing automation, reconnaissance and CI/CD pipelines.

Nuclei utilizes YAML-based templates that serve as the core of the nuclei engine and detect vulnerabilities based on the patterns and instructions provided in the template file. In addition, one can create custom templates to automate their vulnerability scanning process, retesting one vulnerability pattern across various assets, performing regression testing, automated reporting and whatnot.

In this article, we are going to explore the power of nuclei custom templates and how it is going to be beneficial for the users.

What are Nuclei Templates?

As mentioned earlier, the Nuclei templates serve as the fundamental building blocks for the nuclei scanner, which forms the backbone of the actual scanning engine. These templates are stored and organized within a repository, serving as a centralized hub for various templates. In a nutshell, the nuclei templates contain different matches, rules and conditions to detect potential vulnerabilities. Below is an example of a basic structure of a nuclei template:

id: git-config

info:
  name: Git Config File
  author: Ice3man
  severity: medium
  description: Searches for the pattern /.git/config on passed URLs.
  
http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"
    matchers:
      - type: word
        words:
          - "(core)"

ProjectDiscovery provides a repository of nuclei templates created by their team and contributed by the community. However, one can easily create custom templates following the template creation guide provided by ProjectDiscovery to automate their use cases. The manual for Nuclei Template can be found here: https://nuclei.projectdiscovery.io/templating-guide/

The Artistry of Custom Templates

While the pre-built repository of Nuclei templates offers a formidable arsenal of security checks, custom templates emerge as the pièce de résistance, empowering security practitioners to craft tailored security checks. So let’s discuss and dive deep to know why you should build and use custom nuclei templates to power up your testing.

Why Should You Be Using Custom Templates?

Targeted scanning

Nuclei custom templates are helpful for targeted scanning for a specific technology or vulnerability not already covered in the existing template library. For example, running all the nuclei templates is not very useful if a target organization uses an “nginx” server to power various applications.

Hence, one can create a simple nuclei workflow template to scan for issues specific to “nginx” only. Below is an example of creating a custom workflow template that will run only “nginx” specific checks once a server is detected as “nginx”.

id: nginx-workflow

info:
  name: Nginx workflow
  author: harsh
  description: A simple workflow that runs all Nginx related nuclei templates on a given target.

workflows:
  - template: http/technologies/nginx/nginx-detect.yaml
    subtemplates:
      - tags: nginx

This becomes handy to automate the scanning even for the internal teams who already know their target technologies. As a result, it saves a lot of time and prioritizes identifying vulnerabilities. Similarly, creating custom templates to perform checks for specific vulnerabilities is possible.

Custom reporting

Nuclei custom templates can be used to perform customized reporting per the environment’s requirement. For example, a security researcher may want to automate the reporting to a bug bounty platform wherein an internal security team may look to report a vulnerability in a tracking system such as Jira. Hence, with the help of a custom reporting template, a user can prioritize their workflow as per the requirements.

For example, to create tickets on GitHub, create a config file with the following content and replace the appropriate values:

# GitHub contains configuration options for GitHub issue tracker

github: 
  username: "$user"
  owner: "$user"
  token: "$token"
  project-name: "testing-project"
  issue-label: "Nuclei"

Adapting to Evolving Threats

The primary use case of using custom templates is adapting to evolving threats. One can create a template to test for a specific CVE, 0-Day or a novel attack vector for testing it across various targets. For example, an organization wants to ensure they are secure against a particular CVE, and its vulnerability research team can create a working exploit for the specific CVE. However, scanning all the hosts could be a challenge. Hence, they can make a nuclei template for the exploit and run it across all the known hosts to check what vulnerable hosts are. This could help organizations stay ahead of the threat actors, detect issues in real-time quickly and remediate them on priority.

A typical example of a CVE (CVE-2023-3231) template looks like the following:

id: CVE-2023-32315

info:
  name: Administration Console Authentication Bypass in Openfire Console
  author: vsh00t
  severity: high
  description: |
    
  remediation: |
    
  reference:
    - https://github.com/advisories/GHSA-gw42-f939-fhvm
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32315
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2023-32315
    cwe-id: CWE-22
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"openfire"
  tags: cve,cve2023,auth-bypass,openfire,console

http:
  - raw:
      - |+
        GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

    unsafe: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "apache"
          - "java"
          - "openfire"
          - "jivesoftware"
        condition: and

      - type: status
        status:
          - 200

Building PoCs for vulnerabilities

Similarly to creating custom templates for the CVEs and novel attack vectors, it is possible to use nuclei templates to develop Proof of Concept (PoC) demonstrations that the triage team could use (if you are doing bug bounty) or by the developers & internal security teams (if you are reporting issues internally) to ease the overall reproduction efforts and reduce involved steps.

For example, suppose you have found a race condition vulnerability in your target system. In that case, you can create a custom nuclei template to demonstrate the race condition vulnerability with minimal reproduction efforts required. A template for race condition issues could look something like the following:

id: race-condition-testing

info:
  name: Race Condition testing
  author: pdteam
  severity: info

http:
  - raw:
      - |
        POST /coupons HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache, no-transform
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
        Cookie: user_session=42332423342987567896

        promo_code=20OFF        

    race: true
    race_count: 10

    matchers:
      - type: status
        part: header
        status:
          - 200

Retesting vulnerabilities

When a vulnerability is found in one system, the same vulnerability could exist in other environments with the same code base or technology. Automating vulnerability detection using a custom nuclei template is feasible in such cases.

The custom template should include rules and conditions that target the specific vulnerability which was already identified. By defining appropriate HTTP requests, responses to look for, and patterns to match against, you can effectively identify the presence of the vulnerability.

For example, if cross-site scripting was identified in one WordPress system, a custom template like the following can be created to re-test it across different WordPress instances.

id: wp-socialfit-xss

info:
  name: WordPress Plugin SocialFit - 'msg' Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: |
    SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
  reference: |
    - https://www.exploit-db.com/exploits/37481
  tags: wordpress,xss,wp-plugin

requests:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%281%29%3C/script%3E'
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ''
      - type: word
        part: header
        words:
          - "text/html"
      - type: status
        status:
          - 200

Regression testing

The most important task one can perform is regression testing with the help of custom templates. The diagram below by ProjectDiscovery explains how nuclei custom templates can be used to perform regression testing.

For example, when a bug bounty hunter or a security researcher submits a vulnerability with a nuclei template or the internal team can create a custom template using the vulnerability report, the organization can add it to their regression testing repository.

Whenever a new build occurs, the security assessment includes running the regression test for identified vulnerabilities using the custom template. If the vulnerability is reproducible & detected, the developers can make the required changes. However, if the vulnerability is no longer seen, the code can be ready to ship in production.

Summary

We have learned how custom templates can be super helpful in multiple day-to-day cases. By leveraging the power of custom Nuclei templates, organizations and individuals can effectively enhance their security testing capabilities, optimize their workflows, and address-specific security needs. These templates provide a flexible and adaptable framework for proactive vulnerability detection and mitigation, ultimately bolstering the organization’s security posture. If you are interested in learning to build custom templates yourself, you can follow this detailed guide: https://nuclei.projectdiscovery.io/templating-guide/

Want to learn more about the powerful things cooking in ProjectDiscovery’s kitchen? Make sure to subscribe to the newsletter.

Author: Harsh Bothra – @harshbothra_



Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.