Writing your First Nuclei Template


TechnoLifts

So you have found ProjectDiscovery's Nuclei tool and can now run automated scans against a target of your choosing. You're comfortable with how the tool works, but you want to unlock the ability to run custom-built checks in the same way.

Well, it sounds like it's time to write your first Nuclei template. I recommend choosing an easy use case so that troubleshooting stays simple while you create and run your template. Let's jump into it!

Like I said, it's best to choose something easy here. You can test for pretty much anything. In this example I'm going to use the following use case:

Send a GET request to a website and check whether the response body contains a certain string.

To pick the string and the website, choose any site you are authorised to scan and look for a string that is present on that site, e.g. search www.google.com for the string Google.

When I installed Nuclei, a folder called nuclei-templates was created in my user directory. Create a file with the .yaml extension in this directory (test-template1.yaml in my case) and open it in any code or text editor (VS Code in my case).

Now you have a blank YAML template ready to be filled out.

Each Nuclei template has three sections, each of which has some required fields.

ID Section:

Each template requires a unique ID, which is printed in the output of your scan whenever the template matches. Since I'm going to be looking for the string Was Here on my site, here's what I'm going to set my id to:

#UNIQUE ID SECTION
id: contains-was-here

Information Section:

The information block is next. The info block contains fields such as name, author, severity, description, reference, tags, and metadata.

It's important to note that name and author are required in the info block. Tags are primarily used for filtering which templates run. The rest of the fields are what they sound like.

#INFORMATION SECTION
info:
  name: Was Here on [site of your choice]
  author: techno
  severity: info
  description: Searches for the term 'Was Here' and reports a match if it is present. This test is intended to be run against the reference URL below.
  reference: [site of your choice]
  tags: test, was-here

Here I name the template after what I am searching for and where I will be searching, and I put myself as the author. The remaining fields are not required, but I include them as an example.

Protocol Section:

The protocol section begins with listing the protocol that you intend to use. In our case we will be using http but visit the Protocol documentation to see a list of all supported protocols.

Request
The HTTP request starts with an http block, which marks the beginning of the requests the template will send.

#PROTOCOL SECTION
#Start of requests for the template
http:

Method
Next is the method. The HTTP methods you will use most are GET, POST, PUT and DELETE (Nuclei accepts the other standard methods too), written in upper case. For our use case we want to fetch a page from the website, so we will use GET.

#PROTOCOL SECTION
#Start of requests for the template
http:
  - method: GET

Path
Next is the path section. In the path we indicate where the request should be sent. We do not hard-code a host here, because we want to choose the target at scan time. Nuclei provides the dynamic variable {{BaseURL}}, which is replaced by the URL you pass in when you run the scan, so the same template works against any host. For a full list of variables visit the Nuclei documentation.

#PROTOCOL SECTION
#Start of requests for the template
http:
  - method: GET
    path:
      - "{{BaseURL}}"

Matchers
The next section we need is the matchers. The matchers are how Nuclei decides whether the check succeeded: each one tests whether the response contains what you are looking for.

Since we are testing whether a phrase is present in the body, we need to set a couple of parameters: type: word, part: body, and, because I am looking for "Was Here", words: "Was Here". Note that word matching is case-sensitive by default (add case-insensitive: true to the matcher if you do not want that), so the string must appear on the page exactly as written.

#PROTOCOL SECTION
#Start of requests for the template
http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        part: body
        words:
          - "Was Here"

Make sure that your indentation, spacing, and capitalisation are correct; YAML is whitespace-sensitive, and a mis-indented key is the most common reason a template fails to load. Now put everything together and we get:

#UNIQUE ID SECTION
id: contains-was-here

#INFORMATION SECTION
info:
  name: Was Here on [site of your choice]
  author: techno
  severity: info
  description: Searches for the term 'Was Here' and reports a match if it is present. This test is intended to be run against the reference URL below.
  reference: [site of your choice]
  tags: test, was-here

#PROTOCOL SECTION
http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        part: body
        words:
          - "Was Here"
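The assembled template reports a hit on the body text alone, so an error page or a 404 that happens to contain the phrase would also count as a match. The following variant is an added example (not from the original post) that tightens the check: it requires an HTTP 200 as well as the phrase, matches the phrase case-insensitively, and still takes the site from the command line through {{BaseURL}}. The id, name and tags are placeholders I chose for this example.

```yaml
# Added example: a stricter version of the tutorial template.
# Both matchers must hit (matchers-condition: and) before Nuclei reports a result.
id: contains-was-here-strict

info:
  name: Was Here (case-insensitive, HTTP 200 only)
  author: techno
  severity: info
  description: Reports a hit only when the page returns HTTP 200 and its body contains the phrase 'was here' in any capitalisation.
  tags: test, was-here

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    # 'and' requires every matcher below to succeed; the default is 'or',
    # which would report a hit as soon as either matcher passes.
    matchers-condition: and
    matchers:
      # First gate: the server must answer with a 200, so error pages are ignored.
      - type: status
        status:
          - 200

      # Second gate: the phrase must be in the body; case-insensitive so
      # "Was Here", "was here" and "WAS HERE" all count.
      - type: word
        part: body
        case-insensitive: true
        words:
          - "was here"
```

Save it as its own file in nuclei-templates and run it with the same -validate and -t/-u commands as the simple template; the only difference in the output is the id on the result line.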

Nuclei can check that your template parses and is well-formed with the -validate flag, so let's give it a shot:

$ nuclei -t {path-to-template.yaml} -validate

If the command finishes without reporting any errors, you are all good. If it does report errors, fix them and re-run the command until validation passes. Note that -validate only checks that the template loads and is structurally correct; it does not send any requests, so a template can validate cleanly and still never match.

Now that you have an error-free template, it's time to run a Nuclei scan on your target (the selected website) to see if you get any hits:

nuclei -t {path-to-template.yaml} -u {target URL} -verbose

The -t flag specifies a template and the -u flag specifies the target URL (remember to check nuclei -h for more information on the flags). I am also using -verbose to get some extra information from my scan. When the matcher hits, the output contains a result line listing the template id (contains-was-here), the protocol, the severity and the matched URL; if nothing is printed, the phrase was not found in the body.

If your template is not being found, make sure that it was created in the nuclei-templates folder and that you are giving the full path to your template relative to that folder on the command line (if, for example, you have your file in a sub-folder).

Although this is a very simple template, hopefully you have worked through some of the errors that come with doing anything for the first time. Now you can build on top of it to create more valuable templates. Thanks!

Happy Hacking

Techno
