
How to Write Your First Nuclei Template

BSides Ahmedabad · 41:35 · 4.9K views · Published 2023-02
About this talk
A practical walkthrough of writing Nuclei templates for vulnerability scanning without requiring programming knowledge. The speaker covers template structure, HTTP requests, matchers, extractors, authenticated scanning, and demonstrates real-world examples including file traversal detection and multi-step exploitation chains.
Original YouTube description: Writing your first Nuclei template, by Dhiyaneshwaran. Slides: https://github.com/DhiyaneshGeek/My-Presentation-Slides/blob/main/slides/How-to-write-your-First-Nuclei-Template.pdf
Transcript [en]

I believe most of us who are from application security must have had a chance to make use of Nuclei templates in their testing activities. Show of hands, how many of you are aware of or have used Nuclei? Oh, a great number. So we have also heard from some top bug bounty hunters how they calibrate these templates, right, to find some exclusive bugs on a wide range of targets. Our next speaker, who is also an AppSec researcher at ProjectDiscovery, is going to expose you, with his knowledge, to how to write your first Nuclei template. Put your hands together for Dhiyaneshwaran.

Hello everyone, good afternoon Ahmedabad, good afternoon BSides team. Today we are going to talk about how to write your first Nuclei templates. A little bit of introduction about myself: I'm Dhiyaneshwaran, I'm working as an application security researcher at ProjectDiscovery, so I mainly work on nuclei-templates contributions, creating templates for new vulnerabilities, and research and development. You can find me on Twitter; I go with the handle DhiyaneshDK. Previously I worked as a penetration tester. I started using Nuclei back in 2020; I saw a post on Medium about attack surface management and then I got inspired by the work that they do and the way it automates the bugs and finds them at a larger scale, and got inspired by the team.

So today's agenda: introduction to the Nuclei template, the power of Nuclei templates, writing web-based templates, and a live demo. Let's start with the introduction. How many of you have used Nuclei templates in your day-to-day life? It seems like everyone. All the bug bounty hunters who rely on automation, even the top ones, penetration testers, the people who do DevSecOps, they rely on Nuclei templates. So Nuclei is basically the engine and the Nuclei template is the template that we supply as an input, and it matches some validation and then it produces some results. It is written in a YAML-based file format and it has an extension of .yaml. YAML is nothing but, like, you don't need a proper programming language to write it; you just need the syntax for it and then you will be able to write a signature for a new vulnerability or an existing vulnerability or an open test. So this is how the Nuclei template structure looks. Here you can see there is an ID. By default there are certain fields which are needed for a particular template if you are writing a template, so the basic fields are ID and the info. Info contains the name, author and the severity. Descriptions and remediations are normally considered to be optional; you can add them if you are going to generate a report or you use some markdown or you're going to integrate it with the GitHub integration or Jira integration basically. So the main focus here will be mostly on the web-based templates that I will be showcasing. And, yeah, so the left side will be the YAML template and the right side contains the scan. When you supply an input as a scan it should have some URL schema, so basically the URL schema contains HTTP and HTTPS. So we have a list of URLs in a file and you wanted to do large-scale scanning for a single vulnerability that you wrote, and you are very bad at coding, and you know the methodology and the endpoint and the response status code and everything; and boom, magic, you can write a Nuclei template for it.

So basically what I've done is I've set up the Docker instance for this vulnerability. This is my Docker; it is currently running the server. So currently I'm going to showcase that I know this particular endpoint, and yep, so I know this endpoint, and let me go to Burp, sorry. Yep, so basically I know this Docker instance is vulnerable to this particular CVE and I wanted to write a Nuclei template for it. So this contains a particular request where you have a path. If you are exploiting any CVE or a file path traversal, and if it is GET based, you will always have a path in it, and then obviously a web request has a web response. Here you can see a particular response which reads the /etc/passwd file, and it does contain a status code, it's 200 OK. So now I know the endpoint and I know the status code; now I know the matcher for it. So you don't need to rely on writing Python code or Java code to scan, and you don't even require a programming language to write a Nuclei template; basically you just need a simple logic and that is to write a template. So I've written a template already. Here basically, the HTTP request: Nuclei supports multiple protocols, so one of the protocols is HTTP, like all the web requests it supports, and the other protocols are DNS, TLS, network, etc. So here the template begins with the request block; basically this is a web-based template so it begins with the request block. The method, you have to specify it, so the method can be a GET method, and the path of the vulnerability; I know this is the path which is present. So base URL is nothing but the raw, yep, the list of URLs which are considered to be the base URL. You supply the base URL, you supply the URLs which are located here, and this will be automatically taken by Nuclei and considered to be a base URL, and it will do a regex and it will match for this particular regex and it will see the status code, if it's present or not. So basically if you don't know what is request, what is GET and what is path, what is base URL, there is a specified website for documentation that we have worked on; this is the Nuclei documentation page and there is a search bar. If you want to look into HTTP-based templates and unsafe templates, raw, or a basic example of an HTTP template, just click on it and you will get a basic example of it. If you're confused with the syntax or you don't know the syntax, you can simply copy-paste it and then rewrite the entire template on your own, right, and click on template details.

So I specify what are the infos which are basically needed, so one is the ID, the other one is the information tab, where it contains name, the severity (medium), description. So severity is needed, author is needed, name is needed. One important thing is the ID should not contain a space; this is done so it will be easy for parsing the output with the engine. So let's run and see; let's run this template on the target and let's see how it works. Nuclei, I have already installed it. So what I'm going to do is just check if it's working properly or not. I'm going to save this file as YAML. I've already saved it, I'm just closing it, and I've named the file test.yaml. So nuclei -u, but the Docker is running on port 8153, on 0.0.0.0, so I will specify the URL schema here: http:// 0.0.0.0 and then you can copy the port. Yep, so then we have to specify the template file name, -t and .yaml.

Yep, so let's see. Yep, so you can see it is detected. If you don't know what happens in the back end of Nuclei you can always use a flag called -debug; it will showcase how the request went to the web server and how the web server is responding, which status code has been matched. So it is always good to have multiple matchers in a template. Basically how not to write a template is, like, just remove this and it will still detect and it will be a false positive. We wrote this for a CVE and it will detect, but it will be a false positive, because if you run it against example.com or an application which always throws a 200 status code, it'll be a false positive. So it's good that you have multiple matchers. I have added a minimum of two; you can have like three matchers. Since I know that the response header content type is not mentioned here, the content type mentioned is application/octet-stream, so we can mention that too. This is one way to add an additional matcher, so there will be three matchers and there will be zero false positives in results. Yep, so this is the basic template that I've written for a vulnerability.

If you wanted to scan it on your bug bounty targets, this CVE is already there in Nuclei, so what you can do, instead of mentioning the file name you can just type nuclei -u and, since it is present, you can specify the ID. This is why I specify the ID, and this is already in the public repository and it's been pushed already, so it will take the template from the community contributions which are public out there. So if you are confused and you wrote a template and you don't know is it correctly written, or is it throwing some error, or is it working or not, you can always do a validation of the template: nuclei -t test.yaml and then -validate. This will basically validate the template and check whether all the checks are there or not. So what we will do here, it shows all the templates are validated. So how will it look if there is something missing in it? What I will do is I will remove a colon from here and then we'll save this and see if it throws an error.

Okay, you can see it clearly shows that at line 18 mapping values are not allowed in this context, because this is not part of the syntax. So if you are struggling with some error, feel free to join our Discord server or reach out to any of the people from the PD team; they will help you out. It's better to always validate it before pushing to the public templates. So this is how you can validate the template yourself before pushing it or running it at scale. Yeah, so let's move to the next slide.

Yep, so I have already explained the concept of a Nuclei template: it is YAML-based and human-readable and easy to write and code, and that's it. So the power of Nuclei templates: basically it is totally community driven and there are like 500-plus contributors from different parts of the country, different parts of the world. It can be exploited for testing a single vulnerability at a larger scale and writing your own custom template for your own needs, and it supports TLS, HTTP and WebSockets and headless. So I will show you a real-time scenario which I encountered two years back when I started writing a template: testing a single vulnerability at large scale and writing custom Nuclei templates for your own need.

Back in 2020 I was doing a pen test in our company. So this is a vulnerability, an out-of-band LOCK method XXE; it was found in a risk management portal. This is an unauthenticated vulnerability and you can see it is a LOCK method, but most people don't test for the LOCK method, and we already know the LOCK method accepts XML data in the body. So what I did is, after spending one week of time, we ended up with a zero-day in a product, and I just had around one day to scan around thousands of domains, and I had to cross-check it without reporting false positives. I thought, I have not much coded into it, so I thought okay let's try to write a Nuclei template. So what I did is I wrote a Nuclei template for it and it contained two matchers at the initial stage; it was not a regex, you can write it with regex as well, and it contains status code 500, and I know it had "root" and there we are trying to read /etc/passwd. So after running it we found 36 XXEs on their customers' clients and they fixed it within a week, and they were super happy that it was found and not been exploited or abused. So that is the criticality of having your custom templates and making use of them, and this is how it is done. If you're using the public templates you will end up in duplicates, but if you are going to monitor the assets and then run Nuclei on them, then you can make some bounties, or like you can make some good hits. So this is one of the scenarios: exploiting a vulnerability at a larger scale.

It supports different protocols: TLS, HTTP, DNS and WebSocket. So if you go to the template guide you can see HTTP is there, and in HTTP there are different methods; there is headless, network. Most of the templates that we have received, like around 70 percent of templates from the public repo, are web-based templates, and we are planning to increase the network-level templates, source code scanning, API scanning and token spraying and headless templates. So if you're more interested to do some research on network-based templates and you're doing infrastructure pen testing and network pen testing, you can always have a look at it, and there is a fingerprint scanner which we have released; if you're interested in doing some research on network-based templates you can have a look at that.

So the next one. Yeah, so this is the statistics of the community-powered templates which are there. Basically you can clearly see there are totally like 4023 templates right now in the last release; out of them like 583 were pushed from ProjectDiscovery, and then community-driven templates are like three thousand four hundred and forty. It's a huge number and totally community driven. Basically we get inputs from the community and try to enhance the engine and then try to support as many test cases. This is one of the test cases: you can do race conditions using Nuclei, the stuff that you do in Burp Suite like Battering Ram, Sniper attack and password spraying and other stuff. So this is something like the feedback that we get from the community and then try to implement it, so it's totally community-powered templates. Next slide. Yep, so if anyone here is from the contributors, this is specifically for you: there are like 500 contributors so far within a span of two years since this project started. So thanks to all the people who have contributed to the templates repository and other repositories of ProjectDiscovery, and we are looking forward to more contributions in the future.

So how it works: I've explained, HTTP starts with the HTTP request block and then the matcher block, I have already explained it, and there are different matchers apart from the word matchers; you can use regex and DSL. DSL is nothing much, like a data structure language which supports multiple different kinds of matching on the response, and it supports binary too. So this is the basic template. This was a scenario actually which inspired me to start writing a template: I was reading a blog on Docker and it contained reports, it contained the images JSON endpoint exposed. So what I thought was, this is the vulnerable endpoint and the response is JSON obviously, so the response contained the following variables like parent ID, container and label. This was unique actually. So I was doing a red teaming project, and we had to scan around two thousand, three thousand domains without getting detected. What we did is we wrote a template for this and we used the proxy to rotate the IPs on each request, so the IPs would be getting changed without being detected, and we found some exposed Docker and then we were trying to exploit it. So these are some of the real-life scenarios where Nuclei can help and Nuclei templates can be written.

Writing raw templates with regex matchers: this is interesting, right? You might know the left-right screen is from the Repeater tab, and when you do some post-authentication or when you're trying to do some multiple chained exploits, like which contains an upload functionality and then after shell upload you want to see the shell file, it's basically a raw request which you see in the box and it can be converted into a template. So if you're struggling to create a template for raw, you can always rely on the Burp Suite plugin for Nuclei; it is very handy and you can try it; I will show you in the last slide. So this is just a basic example with a regex: this is how our request looks and the response, we are trying to read /etc/passwd.

Next, this is something interesting: extractors. Let us consider an example: you found a Google Maps API key in a URL and you wanted to write a template, so you wanted to extract the API key and show it in the Nuclei output. Extractors can be used to print the output as well, and it can be changed to rewrite it as a dynamic extractor. So this is a normal extractor; if you are not using internal: true, it will always try to print it out. So there are other test cases like out-of-band testing with the interactsh placeholder. Recently when Log4j came, I think literally many people were using Nuclei to exploit Log4j, and we have a pretty good set of Log4j templates in Nuclei like no other scanner has; we have around 15 different products for Log4j specifically for out-of-band testing. Yep, so this is a sample; this is for Metabase Log4j. Here you can see the interactsh URL; it's a placeholder basically, it generates a dynamic URL similar to Burp Collaborator for testing out-of-band requests. It supports both the protocols, DNS and HTTP; if you get a DNS hit in Burp Collaborator, you cannot keep Burp Collaborator for a longer time. If you are doing some out-of-band testing you don't know when you will get the hit back, so it's better you host your own interactsh server, your own server, and you can use it here. Here you can see it prints out; it uses regex on the part of the interactsh request and it will try to print out the OS name in the response. So you can basically see it has printed out Linux here; this is the operating system of this target. So this is how interactsh has been used. If you are doing some out-of-band testing you can try interactsh in the template.

Yep, dynamic extractors: recently I was writing a CVE template for a vulnerability where we used dynamic extractors to gather the endpoints from the first request and use them on the second request. I will showcase it in the last demo.

Writing an authenticated template with DSL matchers: many people were thinking it's an unauthenticated scanner, basically only for web, but it also supports authenticated templates. So basically, if you can see in the public repository we have specifically mentioned the authenticated tag, so that if the user wants to run templates based on the authenticated tag: nuclei -u, let me use example.com, and -tags authenticated. I think it should load. So you can see some of the authenticated templates have been loaded. So you should get a question like why the variable names have not been specified. Authenticated templates use a username and password, so you can specify the variable names in the CLI so that it will do the authentication for you and it will try to exploit the vulnerability for you.

-var, you can specify the username; let's put pdteam, and then -var password. For the time being I will load a template which is authenticated, so CVE-2022-1937. What I will do, to show you what is happening in the background, I will use a proxy so that I can show you that the username and password have been supplied and how the template is making a request. It will not do the detection part, but you know that it supports authenticated templates. Okay, no valid templates found, 1937; okay, I should use -id, not -t. Yep, this is good.

Yep, let's check through Burp. Let's try. Yep, so here you can see, I hope it is visible. It is a WordPress login template, an authenticated template, so it hits the wp-login page and supplies the username and password and it will check if it is successful. Since it shows 404 Not Found, it's not a WordPress instance. So this is how to run an authenticated template. If you have got some credentials of a WordPress instance and you wanted to check what plugins it might have and you wanted to do post-exploitation of it, you can rely on the authenticated tag and you can specify the other tags as well. Yeah, so the main interesting part to notice here: it uses cookie-reuse. Basically this is a particular syntax; it acts as a browser-based session. When we try to log in to a login portal or WordPress instance the cookie gets created, so it tries to pass the cookie in the next request and then tries to see if it is authenticated or not.

Yep. Yeah, this is another example scenario: this is a tweet stating that there is a vulnerability for which a POC has been released, and it just took me two minutes, or one minute, less than that, to write a template and push it to the public repository, because Nuclei is totally relying on the request, response and the matcher, and then boom, you can get a Nuclei template. On the left side you can see we have the request and we know what is the endpoint, and we have the response, we have the matcher. Likewise, if you are struggling you can use the Burp plugin to create a template; if you are more of a beginner you can always go with the documentation part. Yeah, so I wrote this template. There is another interesting part: when you have multiple endpoints you can always use a flag, a syntax, called stop-at-first-match. There are like two endpoints in this slide, so when it matches for the first endpoint, if it is matched, it won't try to execute the second endpoint, so that the requests get reduced. Yep, so you can run it on a bug bounty target to check it very fast.

So yeah, this is the recent zero-day vulnerability which was discovered by Grand View; it was a CVE for Atlassian and it was a command injection vulnerability, and the POC was out by testinal. We were looking at the POC and we found that we have the request, but one of the interesting facts we encountered was that the project name and the repository name can be different actually. So what we did is we used an extractor to extract the project names from the first request and then we used internal: true in a dynamic extractor to reuse it in the next request, and we already know it contains a response body UID and within the bracket it contained the name of it, and we know the response content type is application/json and there is one more exception error which was common at Atlassian Bitbucket. So what we did is, yep, let me show you

I have set up a vulnerable instance for it.

Yep, so this is running on Docker basically on port 990. This is the first request, so here you can see there are multiple slug names: it's called demo, and there is another slug name, project discovery, and there is another name called test. Before digging deep into the endpoints I will show you how this Bitbucket looks and why it is vulnerable. Let's open it in incognito. If a Bitbucket has a project which is public it will have this endpoint called projects, like if the company is willing to showcase the repositories as public; and if you're having administrator access, you can basically log in, and I will show you that too. Projects: so this is already authenticated and you can see that this demo project is not public but the project discovery and test projects are public. So in this endpoint, okay.

Okay, yep, so here only two of the things were shown, but when we hit the endpoint there were like three projects: demo, project discovery and test. So the challenge here is you have to enumerate all the project names and then do an iteration and then check in which place the vulnerability occurs, so we have to write a complex template for it. What we did is we wrote a template for it. The first request, this is the first request which contains the repository details which are public and which are mentioned there, and this is the second request.

So I have installed the Nuclei Burp plugin already. If you are not aware that Nuclei has a Burp plugin: if you are using the paid version just go to Burp Suite, refresh the list, you should be able to see it; and if you're using the Community Edition just go to Burp Suite, go to ProjectDiscovery and then search for the Burp Suite plugin and you will be able to see a jar file there; just load the jar file from the Extender tab and then you will be able to see it over here. Yep, let's go to the proxy tab. So this is the first request called repos and this is the second request, so there are like two requests involved in this. With the Burp Suite Nuclei plugin, what you do is just select the first request and the second request and right-click, go to the extension, click on generate template, that's it. It basically makes an unsafe request, like raw requests, and then, okay, so it doesn't have a matcher. If you are trying to have a matcher for this you can type it manually, or else I will show you how the matcher has been made. So this is the first template that I showed; since I have selected, if you have the response you can select the response and create a matcher for it. So whatever, I will go to proxy. I know this matcher, exception, is there, so I will select it, click on extension and add matcher to the sixth tab. If you go to the sixth tab we have one matcher. Likewise we should add multiple matchers for it since it's a complicated template. I will just showcase the template, how it has been made. Basically we extract, we copied this entire JSON response into a txt file, so this is the JSON response for the first request. We are going to use jq to basically extract the key values and the slug values.

So this is the command for it. I'm just going to, hmm, okay, okay, a single quote is missing.

Okay, let's try it. Okay, so we have extracted the slug value. Similarly we have to extract the key value for it and we can use jq, and we will include one more flag in it which is called iterate-all, which will do the iteration and we will be able to try each repository on each request. If it hits on the first demo request we should also make sure that it doesn't try the other ones; since demo is not public we will be trying project discovery and test. So this is how the entire template will look. Here we are using an extractor and the type of the extractor is JSON, so we should use internal: true so that it doesn't print and it passes the request to the next URL, and stop-at-first-match basically; we have three different types of slugs and keys so it will just check one and if it is matched for the first one, boom, it will not check for the other ones. And the status code, we know it is having status code 500 and this particular keyword is there. So we will save this template; we have the target here.

Yep, so you can see it has printed out the Bitbucket. There is a regex that has been written and group one has been used, which prints the hostname of it. So that's it; this is how we wrote a complex template for a new vulnerability. So here we identified that, if there is one case I have missed: we have used a variable called data. rand_base(5) means it automatically generates five random alphabets and it can be anything, so I can show you by doing the debug. Here you can see there are five alphabetic and numeric characters, five digits. If you wanted to specify something like, normally, test, it would be detected by a WAF, so it is good to have a random string which has been generated. And it has taken the test repository because we know that there is a project demo which is not public but is kept as private, so it took the public repository from here and it did the exploitation, and we were able to identify that this vulnerability can be exploited at scale.

Yeah, so next is Burp, the Nuclei Burp plugin. There are certain things: you can see there is a tab over here. Has anyone used the Burp Suite plugin for Nuclei specifically? Yeah, yeah. So there is a CVE ID; let's say there is no CVE ID for it, let me put CVE ID 2022-1234, just a random CVE ID, and I wanted to put the description, reference link and other details into the template. What I can do is right-click on it, go to add classification, CVE, and specify the CVE like 2022 and 1234 and click on OK. What it does is it makes an API call and it populates all the details for you, which is very easy. So this is one of the tricks, and you can click on this particular dialog box and press a command and it will have a drop-down menu; it helps tell you what help options are available in the Nuclei Burp plugin. Yeah, so it basically acts as a CLI; if I do id it will say what is my username and the system. It is basically a CLI but it has been integrated with the plugin; there are many cool features in it. Yep, good, these are some of the interesting facts of the plugin. Yeah, these are the references; feel free to check them out on how to write

templates if you have any confusion; you can take a look at these reference links. And finally, we do have a reel, the video for this year, this is 2020 ProjectDiscovery, let's play it.

My favorite open source crew, ProjectDiscovery, is going full time. It's so cool, they just secured 1.7 million dollars in funding to take their tooling to the next level, so everyone that's involved in that, congratulations. But today I will convince you that this tool is amazing, and obviously I am talking about Nuclei. I love this vulnerability scanner. And speaking of automation, the heroes of automation and the ones that kind of changed the game with all that, ProjectDiscovery again. When they created Nuclei I realized that this could be extremely powerful, this could be extremely powerful, and I think Charlotte also realized it in his own ways. It allows us to really do whatever we need to do, so we create our templates, we feed Nuclei the templates, we replay these targets and it will go and run and do your scans. So there's Nuclei from ProjectDiscovery; I think everybody has heard about that. With Nuclei, what I love about it is all of this is standardized with the YAML templates, and so now our team can respond to vulnerabilities by all speaking the same language. Yesterday the new Struts vulnerability came out, right, and building a template for that vulnerability just to check for the path that it could be present on is like six lines in YAML, right? It's amazing, it's super easy to build your own scans, to level up.

This changed the game, right, when this tool was released, because suddenly everyone had pretty decent automation and vulnerability scanning capabilities just with this tool. All the thousands of subdomains and tens and hundreds of thousands of endpoints and JavaScript files and parameters and what have you, and I don't really know what to do with them all: you run Nuclei templates all over them, that's the answer. It has, you know, 1,000-plus CVE checks, 100-plus informational detections that give you information about different technologies, over 500 admin panel checkers, and a total of over 3,000 templates that give you security information about a site. This is a really, really, really awesome project. I love Nuclei and I'm glad that ProjectDiscovery is really putting a lot of work behind it. Proof of concepts:

One of the interesting things about this tool is they claim that by using the template system that they provide this leads to zero false positives, and one of the really cool things about this is over 100 security researchers and engineers have put forth different templates that can then be used when you download Nuclei and start using it as a vulnerability scanner. Yesterday, how do you make sure that that vulnerability never ever occurs in your product again? Well, write a Nuclei template for it, integrate that in your CI/CD. Yeah, I mean ProjectDiscovery is one of those teams that, just as soon as they find a piece of the tool chain that needs to be solved better, they'll just immediately write it; a lot of their tools end up being the ones that you check out, right? Seems like I'm fanboying ProjectDiscovery lately, but hey, maybe I am, maybe that's what I'm doing. Is this the ProjectDiscovery stream? Who knows. Yeah, that's it.

Yep, feel free to join our Discord server; you can just simply scan the QR code and you'll be in. Thank you.

Thank you Dhiyanesh, thank you for explaining all of this as simply as you can.
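As an added example (not from the talk, its slides or the nuclei-templates repository), the template below puts together the pieces the talk walks through: an id without spaces, the required info fields, a json extractor marked internal: true whose values feed a second raw request, iterate-all with stop-at-first-match, and three matchers combined with and so a bare 200 or 500 alone never fires. The endpoints, JSON shape and response strings are constructed placeholders rather than any real product; the http: block name is the current Nuclei layout (older templates spell it requests:).

```yaml
# Constructed illustration of a two-step Nuclei template; every path and
# value below is a placeholder, not a real product's API.
id: example-two-step-json-check      # no spaces: the engine parses results by id

info:
  name: Example two-step check with a dynamic extractor
  author: example-author              # placeholder author handle
  severity: medium
  description: |
    Step 1 lists projects as JSON. The slug of each project is extracted
    with internal: true (so it is not printed) and step 2 is repeated once
    per slug until the first match, which stops further requests.
  tags: example

http:
  - raw:
      # Step 1: enumerate project slugs. {{Hostname}} is filled from the -u target.
      - |
        GET /api/projects HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

      # Step 2: {{slug}} is the dynamic variable set by the internal extractor.
      # rand_base(5) gives a fresh random 5-character token per run instead of
      # a fixed marker such as "test" that a WAF signature could key on.
      - |
        GET /api/projects/{{slug}}/status?trace={{rand_base(5)}} HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    iterate-all: true            # send step 2 once for every extracted slug
    stop-at-first-match: true    # first slug that matches ends the iteration

    matchers-condition: and      # all three must hold: status alone is not enough
    matchers:
      - type: status
        status:
          - 500

      - type: word
        part: header
        words:
          - "application/json"

      - type: word
        part: body
        words:
          - '"exception"'        # constructed error keyword seen only in a vulnerable response

    extractors:
      # Internal extractor: assumes step 1 returns {"values":[{"slug":"..."}, ...]}
      - type: json
        name: slug
        internal: true
        json:
          - '.values[].slug'

      # Reporting extractor: prints capture group 1 (the version) with the finding,
      # assuming the matched body carries a "version":"x.y.z" field.
      - type: regex
        part: body
        group: 1
        regex:
          - '"version":"([0-9.]+)"'
```

Check it with nuclei -t example-two-step-json-check.yaml -validate before running it, and use -debug to see both requests and which slug triggered the match.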