SYNTAX REFERENCE

Template

Template is a YAML input file which defines all the requests and other metadata for a template.

<code>id</code> <i>string</i>

ID is the unique id for the template.

Good IDs

A good ID uniquely identifies what the requests in the template are doing. Let's say you have a template that identifies a git-config file on the webservers, a good name would be git-config-exposure. Another example name is azure-apps-nxdomain-takeover.

Examples:

# ID Example
id: CVE-2021-19520

<code>info</code> <i><a href="#modelinfo">model.Info</a></i>

Info contains metadata information about the template.

Examples:

info:
    name: Argument Injection in Ruby Dragonfly
    author: 0xspara
    tags: cve,cve2021,rce,ruby
    reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
    severity: high

<code>flow</code> <i>string</i>

description: | Flow contains the execution flow for the template. examples:

• flow: | for region in regions { http(0) } for vpc in vpcs { http(1) }

<code>requests</code> <i>[]<a href="#httprequest">http.Request</a></i>

Requests contains the http request to make in the template. WARNING: 'requests' will be deprecated and will be removed in a future release. Please use 'http' instead.

Examples:

requests:
    matchers:
        - type: word
          words:
            - '[core]'
        - type: dsl
          condition: and
          dsl:
            - '!contains(tolower(body), ''<html'')'
            - '!contains(tolower(body), ''<body'')'
        - type: status
          status:
            - 200
    matchers-condition: and
    path:
        - '{{BaseURL}}/.git/config'
    method: GET

<code>http</code> <i>[]<a href="#httprequest">http.Request</a></i>

description: | HTTP contains the http request to make in the template. examples:

• value: exampleNormalHTTPRequest RequestsWithHTTP is placeholder(internal) only, and should not be used instead use RequestsHTTP Deprecated: Use RequestsHTTP instead.

<code>dns</code> <i>[]<a href="#dnsrequest">dns.Request</a></i>

DNS contains the dns request to make in the template

Examples:

dns:
    extractors:
        - type: regex
          regex:
            - ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
            - ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
    name: '{{FQDN}}'
    type: CNAME
    class: inet
    retries: 2
    recursion: false

<code>file</code> <i>[]<a href="#filerequest">file.Request</a></i>

File contains the file request to make in the template

Examples:

file:
    extractors:
        - type: regex
          regex:
            - amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
    extensions:
        - all

<code>network</code> <i>[]<a href="#networkrequest">network.Request</a></i>

Network contains the network request to make in the template WARNING: 'network' will be deprecated and will be removed in a future release. Please use 'tcp' instead.

Examples:

network:
    host:
        - '{{Hostname}}'
        - '{{Hostname}}:2181'
    inputs:
        - data: "envi\r\nquit\r\n"
    read-size: 2048
    matchers:
        - type: word
          words:
            - zookeeper.version

<code>tcp</code> <i>[]<a href="#networkrequest">network.Request</a></i>

description: | TCP contains the network request to make in the template examples:

• value: exampleNormalNetworkRequest RequestsWithTCP is placeholder(internal) only, and should not be used instead use RequestsNetwork Deprecated: Use RequestsNetwork instead.

<code>headless</code> <i>[]<a href="#headlessrequest">headless.Request</a></i>

Headless contains the headless request to make in the template.

<code>ssl</code> <i>[]<a href="#sslrequest">ssl.Request</a></i>

SSL contains the SSL request to make in the template.

<code>websocket</code> <i>[]<a href="#websocketrequest">websocket.Request</a></i>

Websocket contains the Websocket request to make in the template.

<code>whois</code> <i>[]<a href="#whoisrequest">whois.Request</a></i>

WHOIS contains the WHOIS request to make in the template.

<code>code</code> <i>[]<a href="#coderequest">code.Request</a></i>

Code contains code snippets.

<code>javascript</code> <i>[]<a href="#javascriptrequest">javascript.Request</a></i>

Javascript contains the javascript request to make in the template.

<code>self-contained</code> <i>bool</i>

Self Contained marks Requests for the template as self-contained

<code>stop-at-first-match</code> <i>bool</i>

Stop execution once first match is found

<code>signature</code> <i><a href="#httpsignaturetypeholder">http.SignatureTypeHolder</a></i>

Signature is the request signature method WARNING: 'signature' will be deprecated and will be removed in a future release. Prefer using 'code' protocol for writing cloud checks

Valid values:

• <code>AWS</code>

<code>variables</code> <i><a href="#variablesvariable">variables.Variable</a></i>

Variables contains any variables for the current request.

<code>constants</code> <i>map[string]interface{}</i>

Constants contains any scalar constant for the current template

model.Info

Info contains metadata information about a template

Appears in:

• <code><a href="#template">Template</a>.info</code>

name: Argument Injection in Ruby Dragonfly
author: 0xspara
tags: cve,cve2021,rce,ruby
reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
severity: high

<code>name</code> <i>string</i>

Name should be good short summary that identifies what the template does.

Examples:

name: bower.json file disclosure

name: Nagios Default Credentials Check

<code>author</code> <i><a href="#stringslicestringslice">stringslice.StringSlice</a></i>

Author of the template.

Multiple values can also be specified separated by commas.

Examples:

author: <username>

<code>tags</code> <i><a href="#stringslicestringslice">stringslice.StringSlice</a></i>

Any tags for the template.

Multiple values can also be specified separated by commas.

Examples:

# Example tags
tags: cve,cve2019,grafana,auth-bypass,dos

<code>description</code> <i>string</i>

Description of the template.

You can go in-depth here on what the template actually does.

Examples:

description: Bower is a package manager which stores package information in the bower.json file

description: Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations

<code>impact</code> <i>string</i>

Impact of the template.

You can go in-depth here on impact of the template.

Examples:

impact: Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.

impact: Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.

<code>reference</code> <i><a href="#stringslicerawstringslice">stringslice.RawStringSlice</a></i>

References for the template.

This should contain links relevant to the template.

Examples:

reference:
    - https://github.com/strapi/strapi
    - https://github.com/getgrav/grav

<code>severity</code> <i><a href="#severityholder">severity.Holder</a></i>

Severity of the template.

<code>metadata</code> <i>map[string]interface{}</i>

Metadata of the template.

Examples:

metadata:
    customField1: customValue1

<code>classification</code> <i><a href="#modelclassification">model.Classification</a></i>

Classification contains classification information about the template.

<code>remediation</code> <i>string</i>

Remediation steps for the template.

You can go in-depth here on how to mitigate the problem found by this template.

Examples:

remediation: Change the default administrative username and password of Apache ActiveMQ by editing the file jetty-realm.properties

stringslice.StringSlice

StringSlice represents a single (in-lined) or multiple string value(s). The unmarshaller does not automatically convert in-lined strings to []string, hence the interface{} type is required.

Appears in:

• <code><a href="#modelinfo">model.Info</a>.author</code>

• <code><a href="#modelinfo">model.Info</a>.tags</code>

• <code><a href="#modelclassification">model.Classification</a>.cve-id</code>

• <code><a href="#modelclassification">model.Classification</a>.cwe-id</code>

<username>

# Example tags
cve,cve2019,grafana,auth-bypass,dos

CVE-2020-14420

CWE-22

stringslice.RawStringSlice

Appears in:

• <code><a href="#modelinfo">model.Info</a>.reference</code>

- https://github.com/strapi/strapi
- https://github.com/getgrav/grav

severity.Holder

Holder holds a Severity type. Required for un/marshalling purposes

Appears in:

• <code><a href="#modelinfo">model.Info</a>.severity</code>

<code></code> <i>Severity</i>

Enum Values:

• <code>undefined</code>

• <code>info</code>

• <code>low</code>

• <code>medium</code>

• <code>high</code>

• <code>critical</code>

• <code>unknown</code>

model.Classification

Appears in:

• <code><a href="#modelinfo">model.Info</a>.classification</code>

<code>cve-id</code> <i><a href="#stringslicestringslice">stringslice.StringSlice</a></i>

CVE ID for the template

Examples:

cve-id: CVE-2020-14420

<code>cwe-id</code> <i><a href="#stringslicestringslice">stringslice.StringSlice</a></i>

CWE ID for the template.

Examples:

cwe-id: CWE-22

<code>cvss-metrics</code> <i>string</i>

CVSS Metrics for the template.

Examples:

cvss-metrics: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

<code>cvss-score</code> <i>float64</i>

CVSS Score for the template.

Examples:

cvss-score: "9.8"

<code>epss-score</code> <i>float64</i>

EPSS Score for the template.

Examples:

epss-score: "0.42509"

<code>epss-percentile</code> <i>float64</i>

EPSS Percentile for the template.

Examples:

epss-percentile: "0.42509"

<code>cpe</code> <i>string</i>

CPE for the template.

Examples:

cpe: cpe:/a:vendor:product:version

http.Request

Request contains a http request to be made from a template

Appears in:

• <code><a href="#template">Template</a>.requests</code>

• <code><a href="#template">Template</a>.http</code>

matchers:
    - type: word
      words:
        - '[core]'
    - type: dsl
      condition: and
      dsl:
        - '!contains(tolower(body), ''<html'')'
        - '!contains(tolower(body), ''<body'')'
    - type: status
      status:
        - 200
matchers-condition: and
path:
    - '{{BaseURL}}/.git/config'
method: GET

Part Definitions:

• <code>template-id</code> - ID of the template executed
• <code>template-info</code> - Info Block of the template executed
• <code>template-path</code> - Path of the template executed
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon
• <code>type</code> - Type is the type of request made
• <code>request</code> - HTTP request made from the client
• <code>response</code> - HTTP response received from server
• <code>status_code</code> - Status Code received from the Server
• <code>body</code> - HTTP response body received from server (default)
• <code>content_length</code> - HTTP Response content length
• <code>header,all_headers</code> - HTTP response headers
• <code>duration</code> - HTTP request time duration
• <code>all</code> - HTTP response body + headers
• <code>cookies_from_response</code> - HTTP response cookies in name:value format
• <code>headers_from_response</code> - HTTP response headers in name:value format

<code>path</code> <i>[]string</i>

Path contains the path/s for the HTTP requests. It supports variables as placeholders.

Examples:

# Some example path values
path:
    - '{{BaseURL}}'
    - '{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions'

<code>raw</code> <i>[]string</i>

Raw contains HTTP Requests in Raw format.

Examples:

# Some example raw requests
raw:
    - |-
      GET /etc/passwd HTTP/1.1
      Host:
      Content-Length: 4
    - |-
      POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
      Host: {{Hostname}}
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
      Content-Length: 1
      Connection: close

      echo
      echo
      cat /etc/passwd 2>&1

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>name</code> <i>string</i>

Name is the optional name of the request.

If a name is specified, all the named request in a template can be matched upon in a combined manner allowing multi-request based matchers.

<code>attack</code> <i><a href="#generatorsattacktypeholder">generators.AttackTypeHolder</a></i>

Attack is the type of payload combinations to perform.

batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

Valid values:

• <code>batteringram</code>

• <code>pitchfork</code>

• <code>clusterbomb</code>

<code>method</code> <i><a href="#httpmethodtypeholder">HTTPMethodTypeHolder</a></i>

Method is the HTTP Request Method.

<code>body</code> <i>string</i>

Body is an optional parameter which contains HTTP Request body.

Examples:

# Same Body for a Login POST request
body: username=test&password=test

<code>payloads</code> <i>map[string]interface{}</i>

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.

<code>headers</code> <i>map[string]string</i>

Headers contains HTTP Headers to send with the request.

Examples:

headers:
    Any-Header: Any-Value
    Content-Length: "1"
    Content-Type: application/x-www-form-urlencoded

<code>race_count</code> <i>int</i>

RaceCount is the number of times to send a request in Race Condition Attack.

Examples:

# Send a request 5 times
race_count: 5

<code>max-redirects</code> <i>int</i>

MaxRedirects is the maximum number of redirects that should be followed.

Examples:

# Follow up to 5 redirects
max-redirects: 5

<code>pipeline-concurrent-connections</code> <i>int</i>

PipelineConcurrentConnections is number of connections to create during pipelining.

Examples:

# Create 40 concurrent connections
pipeline-concurrent-connections: 40

<code>pipeline-requests-per-connection</code> <i>int</i>

PipelineRequestsPerConnection is number of requests to send per connection when pipelining.

Examples:

# Send 100 requests per pipeline connection
pipeline-requests-per-connection: 100

<code>threads</code> <i>int</i>

Threads specifies number of threads to use sending requests. This enables Connection Pooling.

Connection: Close attribute must not be used in request while using threads flag, otherwise pooling will fail and engine will continue to close connections after requests.

Examples:

# Send requests using 10 concurrent threads
threads: 10

<code>max-size</code> <i>int</i>

MaxSize is the maximum size of http response body to read in bytes.

Examples:

# Read max 2048 bytes of the response
max-size: 2048

<code>fuzzing</code> <i>[]<a href="#fuzzrule">fuzz.Rule</a></i>

Fuzzing describes schema to fuzz http requests

<code>analyzer</code> <i><a href="#analyzersanalyzertemplate">analyzers.AnalyzerTemplate</a></i>

Analyzer is an analyzer to use for matching the response.

<code>self-contained</code> <i>bool</i>

SelfContained specifies if the request is self-contained.

<code>signature</code> <i><a href="#signaturetypeholder">SignatureTypeHolder</a></i>

Signature is the request signature method

Valid values:

• <code>AWS</code>

<code>skip-secret-file</code> <i>bool</i>

SkipSecretFile skips the authentication or authorization configured in the secret file.

<code>cookie-reuse</code> <i>bool</i>

CookieReuse is an optional setting that enables cookie reuse for all requests defined in raw section.

<code>disable-cookie</code> <i>bool</i>

DisableCookie is an optional setting that disables cookie reuse

<code>read-all</code> <i>bool</i>

Enables force reading of the entire raw unsafe request body ignoring any specified content length headers.

<code>redirects</code> <i>bool</i>

Redirects specifies whether redirects should be followed by the HTTP Client.

This can be used in conjunction with max-redirects to control the HTTP request redirects.

<code>host-redirects</code> <i>bool</i>

Redirects specifies whether only redirects to the same host should be followed by the HTTP Client.

This can be used in conjunction with max-redirects to control the HTTP request redirects.

<code>pipeline</code> <i>bool</i>

Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining

All requests must be idempotent (GET/POST). This can be used for race conditions/billions requests.

<code>unsafe</code> <i>bool</i>

Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests.

This uses the rawhttp engine to achieve complete control over the request, with no normalization performed by the client.

<code>race</code> <i>bool</i>

Race determines if all the request have to be attempted at the same time (Race Condition)

The actual number of requests that will be sent is determined by the race_count field.

<code>req-condition</code> <i>bool</i>

ReqCondition automatically assigns numbers to requests and preserves their history.

This allows matching on them later for multi-request conditions.

<code>stop-at-first-match</code> <i>bool</i>

StopAtFirstMatch stops the execution of the requests and template as soon as a match is found.

<code>skip-variables-check</code> <i>bool</i>

SkipVariablesCheck skips the check for unresolved variables in request

<code>iterate-all</code> <i>bool</i>

IterateAll iterates all the values extracted from internal extractors

<code>digest-username</code> <i>string</i>

DigestAuthUsername specifies the username for digest authentication

<code>digest-password</code> <i>string</i>

DigestAuthPassword specifies the password for digest authentication

<code>disable-path-automerge</code> <i>bool</i>

DisablePathAutomerge disables merging target url path with raw request path

<code>pre-condition</code> <i>[]<a href="#matchersmatcher">matchers.Matcher</a></i>

Fuzz PreCondition is matcher-like field to check if fuzzing should be performed on this request or not

<code>pre-condition-operator</code> <i>string</i>

FuzzPreConditionOperator is the operator between multiple PreConditions for fuzzing Default is OR

<code>global-matchers</code> <i>bool</i>

GlobalMatchers marks matchers as static and applies globally to all result events from other templates

generators.AttackTypeHolder

AttackTypeHolder is used to hold internal type of the protocol

Appears in:

• <code><a href="#httprequest">http.Request</a>.attack</code>

• <code><a href="#dnsrequest">dns.Request</a>.attack</code>

• <code><a href="#networkrequest">network.Request</a>.attack</code>

• <code><a href="#headlessrequest">headless.Request</a>.attack</code>

• <code><a href="#websocketrequest">websocket.Request</a>.attack</code>

• <code><a href="#javascriptrequest">javascript.Request</a>.attack</code>

<code></code> <i>AttackType</i>

Enum Values:

• <code>batteringram</code>

• <code>pitchfork</code>

• <code>clusterbomb</code>

HTTPMethodTypeHolder

HTTPMethodTypeHolder is used to hold internal type of the HTTP Method

Appears in:

• <code><a href="#httprequest">http.Request</a>.method</code>

<code></code> <i>HTTPMethodType</i>

Enum Values:

• <code>GET</code>

• <code>HEAD</code>

• <code>POST</code>

• <code>PUT</code>

• <code>DELETE</code>

• <code>CONNECT</code>

• <code>OPTIONS</code>

• <code>TRACE</code>

• <code>PATCH</code>

• <code>PURGE</code>

• <code>Debug</code>

fuzz.Rule

Rule is a single rule which describes how to fuzz the request

Appears in:

• <code><a href="#httprequest">http.Request</a>.fuzzing</code>

• <code><a href="#headlessrequest">headless.Request</a>.fuzzing</code>

<code>type</code> <i>string</i>

Type is the type of fuzzing rule to perform.

replace replaces the values entirely. prefix prefixes the value. postfix postfixes the value and infix places between the values.

Valid values:

• <code>replace</code>

• <code>prefix</code>

• <code>postfix</code>

• <code>infix</code>

<code>part</code> <i>string</i>

Part is the part of request to fuzz.

Valid values:

• <code>query</code>

• <code>header</code>

• <code>path</code>

• <code>body</code>

• <code>cookie</code>

• <code>request</code>

<code>parts</code> <i>[]string</i>

Parts is the list of parts to fuzz. If multiple parts need to be defined while excluding some, this should be used instead of singular part.

Valid values:

• <code>query</code>

• <code>header</code>

• <code>path</code>

• <code>body</code>

• <code>cookie</code>

• <code>request</code>

<code>mode</code> <i>string</i>

Mode is the mode of fuzzing to perform.

single fuzzes one value at a time. multiple fuzzes all values at same time.

Valid values:

• <code>single</code>

• <code>multiple</code>

<code>keys</code> <i>[]string</i>

Keys is the optional list of key named parameters to fuzz.

Examples:

# Examples of keys
keys:
    - url
    - file
    - host

<code>keys-regex</code> <i>[]string</i>

KeysRegex is the optional list of regex key parameters to fuzz.

Examples:

# Examples of key regex
keys-regex:
    - url.*

<code>values</code> <i>[]string</i>

Values is the optional list of regex value parameters to fuzz.

Examples:

# Examples of value regex
values:
    - https?://.*

<code>fuzz</code> <i><a href="#sliceormapslice">SliceOrMapSlice</a></i>

description: | Fuzz is the list of payloads to perform substitutions with. examples:

• name: Examples of fuzz value: > []string{"{{ssrf}}", "{{interactsh-url}}", "example-value"} or x-header: 1 x-header: 2

<code>replace-regex</code> <i>string</i>

replace-regex is regex for regex-replace rule type it is only required for replace-regex rule type

SliceOrMapSlice

Appears in:

• <code><a href="#fuzzrule">fuzz.Rule</a>.fuzz</code>

analyzers.AnalyzerTemplate

AnalyzerTemplate is the template for the analyzer

Appears in:

• <code><a href="#httprequest">http.Request</a>.analyzer</code>

<code>name</code> <i>string</i>

Name is the name of the analyzer to use

Valid values:

• <code>time_delay</code>

• <code>xss_context</code>

<code>parameters</code> <i>map[string]interface{}</i>

Parameters is the parameters for the analyzer

Parameters are different for each analyzer. For example, you can customize time_delay analyzer with sleep_duration, time_slope_error_range, etc. Refer to the docs for each analyzer to get an idea about parameters.

SignatureTypeHolder

SignatureTypeHolder is used to hold internal type of the signature

Appears in:

• <code><a href="#httprequest">http.Request</a>.signature</code>

matchers.Matcher

Matcher is used to match a part in the output from a protocol.

Appears in:

• <code><a href="#httprequest">http.Request</a>.pre-condition</code>

<code>type</code> <i><a href="#matchertypeholder">MatcherTypeHolder</a></i>

Type is the type of the matcher.

<code>condition</code> <i>string</i>

Condition is the optional condition between two matcher variables. By default, the condition is assumed to be OR.

Valid values:

• <code>and</code>

• <code>or</code>

<code>part</code> <i>string</i>

Part is the part of the request response to match data from.

Each protocol exposes a lot of different parts which are well documented in docs for each request type.

Examples:

part: body

part: raw

<code>negative</code> <i>bool</i>

Negative specifies if the match should be reversed It will only match if the condition is not true.

<code>name</code> <i>string</i>

Name of the matcher. Name should be lowercase and must not contain spaces or underscores (_).

Examples:

name: cookie-matcher

<code>status</code> <i>[]int</i>

Status are the acceptable status codes for the response.

Examples:

status:
    - 200
    - 302

<code>size</code> <i>[]int</i>

Size is the acceptable size for the response

Examples:

size:
    - 3029
    - 2042

<code>words</code> <i>[]string</i>

Words contains word patterns required to be present in the response part.

Examples:

# Match for Outlook mail protection domain
words:
    - mail.protection.outlook.com

# Match for application/json in response headers
words:
    - application/json

<code>regex</code> <i>[]string</i>

Regex contains Regular Expression patterns required to be present in the response part.

Examples:

# Match for Linkerd Service via Regex
regex:
    - (?mi)^Via\\s*?:.*?linkerd.*$

# Match for Open Redirect via Location header
regex:
    - (?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)example\\.com.*$

<code>binary</code> <i>[]string</i>

Binary are the binary patterns required to be present in the response part.

Examples:

# Match for Springboot Heapdump Actuator "JAVA PROFILE", "HPROF", "Gunzip magic byte"
binary:
    - 4a4156412050524f46494c45
    - 4850524f46
    - 1f8b080000000000

# Match for 7zip files
binary:
    - 377ABCAF271C

<code>dsl</code> <i>[]string</i>

DSL are the dsl expressions that will be evaluated as part of nuclei matching rules. A list of these helper functions are available here.

Examples:

# DSL Matcher for package.json file
dsl:
    - contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200

# DSL Matcher for missing strict transport security header
dsl:
    - '!contains(tolower(all_headers), ''''strict-transport-security'''')'

<code>xpath</code> <i>[]string</i>

XPath are the xpath queries expressions that will be evaluated against the response part.

Examples:

# XPath Matcher to check a title
xpath:
    - /html/head/title[contains(text(), 'How to Find XPath')]

# XPath Matcher for finding links with target="_blank"
xpath:
    - //a[@target="_blank"]

<code>encoding</code> <i>string</i>

Encoding specifies the encoding for the words field if any.

Valid values:

• <code>hex</code>

<code>case-insensitive</code> <i>bool</i>

CaseInsensitive enables case-insensitive matches. Default is false.

Valid values:

• <code>false</code>

• <code>true</code>

<code>match-all</code> <i>bool</i>

MatchAll enables matching for all matcher values. Default is false.

Valid values:

• <code>false</code>

• <code>true</code>

<code>internal</code> <i>bool</i>

description: | Internal when true hides the matcher from output. Default is false. It is meant to be used in multiprotocol / flow templates to create internal matcher condition without printing it in output. or other similar use cases. values:

• false
• true

MatcherTypeHolder

MatcherTypeHolder is used to hold internal type of the matcher

Appears in:

• <code><a href="#matchersmatcher">matchers.Matcher</a>.type</code>

<code></code> <i>MatcherType</i>

Enum Values:

• <code>word</code>

• <code>regex</code>

• <code>binary</code>

• <code>status</code>

• <code>size</code>

• <code>dsl</code>

• <code>xpath</code>

dns.Request

Request contains a DNS protocol request to be made from a template

Appears in:

• <code><a href="#template">Template</a>.dns</code>

extractors:
    - type: regex
      regex:
        - ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
        - ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
name: '{{FQDN}}'
type: CNAME
class: inet
retries: 2
recursion: false

Part Definitions:

• <code>template-id</code> - ID of the template executed
• <code>template-info</code> - Info Block of the template executed
• <code>template-path</code> - Path of the template executed
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon
• <code>request</code> - Request contains the DNS request in text format
• <code>type</code> - Type is the type of request made
• <code>rcode</code> - Rcode field returned for the DNS request
• <code>question</code> - Question contains the DNS question field
• <code>extra</code> - Extra contains the DNS response extra field
• <code>answer</code> - Answer contains the DNS response answer field
• <code>ns</code> - NS contains the DNS response NS field
• <code>raw,body,all</code> - Raw contains the raw DNS response (default)
• <code>trace</code> - Trace contains trace data for DNS request if enabled

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>name</code> <i>string</i>

Name is the Hostname to make DNS request for.

Generally, it is set to {{FQDN}} which is the domain we get from input.

Examples:

name: '{{FQDN}}'

<code>type</code> <i><a href="#dnsrequesttypeholder">DNSRequestTypeHolder</a></i>

RequestType is the type of DNS request to make.

<code>class</code> <i>string</i>

Class is the class of the DNS request.

Usually it's enough to just leave it as INET.

Valid values:

• <code>inet</code>

• <code>csnet</code>

• <code>chaos</code>

• <code>hesiod</code>

• <code>none</code>

• <code>any</code>

<code>retries</code> <i>int</i>

Retries is the number of retries for the DNS request

Examples:

# Use a retry of 3 to 5 generally
retries: 5

<code>trace</code> <i>bool</i>

Trace performs a trace operation for the target.

<code>trace-max-recursion</code> <i>int</i>

TraceMaxRecursion is the number of max recursion allowed for trace operations

Examples:

# Use a retry of 100 to 150 generally
trace-max-recursion: 100

<code>attack</code> <i><a href="#generatorsattacktypeholder">generators.AttackTypeHolder</a></i>

Attack is the type of payload combinations to perform.

Batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

<code>payloads</code> <i>map[string]interface{}</i>

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.

<code>threads</code> <i>int</i>

Threads to use when sending iterating over payloads

Examples:

# Send requests using 10 concurrent threads
threads: 10

<code>recursion</code> <i>dns.bool</i>

Recursion determines if resolver should recurse all records to get fresh results.

<code>resolvers</code> <i>[]string</i>

Resolvers to use for the dns requests

DNSRequestTypeHolder

DNSRequestTypeHolder is used to hold internal type of the DNS type

Appears in:

• <code><a href="#dnsrequest">dns.Request</a>.type</code>

<code></code> <i>DNSRequestType</i>

Enum Values:

• <code>A</code>

• <code>NS</code>

• <code>DS</code>

• <code>CNAME</code>

• <code>SOA</code>

• <code>PTR</code>

• <code>MX</code>

• <code>TXT</code>

• <code>AAAA</code>

• <code>CAA</code>

• <code>TLSA</code>

• <code>ANY</code>

• <code>SRV</code>

file.Request

Request contains a File matching mechanism for local disk operations.

Appears in:

• <code><a href="#template">Template</a>.file</code>

extractors:
    - type: regex
      regex:
        - amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
extensions:
    - all

Part Definitions:

• <code>template-id</code> - ID of the template executed
• <code>template-info</code> - Info Block of the template executed
• <code>template-path</code> - Path of the template executed
• <code>matched</code> - Matched is the input which was matched upon
• <code>path</code> - Path is the path of file on local filesystem
• <code>type</code> - Type is the type of request made
• <code>raw,body,all,data</code> - Raw contains the raw file contents

<code>extensions</code> <i>[]string</i>

Extensions is the list of extensions or mime types to perform matching on.

Examples:

extensions:
    - .txt
    - .go
    - .json

<code>denylist</code> <i>[]string</i>

DenyList is the list of file, directories, mime types or extensions to deny during matching.

By default, it contains some non-interesting extensions that are hardcoded in nuclei.

Examples:

denylist:
    - .avi
    - .mov
    - .mp3

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>max-size</code> <i>string</i>

MaxSize is the maximum size of the file to run request on.

By default, nuclei will process 1 GB of content and not go more than that. It can be set to much lower or higher depending on use. If set to "no" then all content will be processed

Examples:

max-size: 5Mb

<code>archive</code> <i>bool</i>

elaborates archives

<code>mime-type</code> <i>bool</i>

enables mime types check

<code>no-recursive</code> <i>bool</i>

NoRecursive specifies whether to not do recursive checks if folders are provided.

network.Request

Request contains a Network protocol request to be made from a template

Appears in:

• <code><a href="#template">Template</a>.network</code>

• <code><a href="#template">Template</a>.tcp</code>

host:
    - '{{Hostname}}'
    - '{{Hostname}}:2181'
inputs:
    - data: "envi\r\nquit\r\n"
read-size: 2048
matchers:
    - type: word
      words:
        - zookeeper.version

Part Definitions:

• <code>template-id</code> - ID of the template executed
• <code>template-info</code> - Info Block of the template executed
• <code>template-path</code> - Path of the template executed
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon
• <code>type</code> - Type is the type of request made
• <code>request</code> - Network request made from the client
• <code>body,all,data</code> - Network response received from server (default)
• <code>raw</code> - Full Network protocol data

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>host</code> <i>[]string</i>

Host to send network requests to.

Usually it's set to {{Hostname}}. If you want to enable TLS for TCP Connection, you can use tls://{{Hostname}}.

Examples:

host:
    - '{{Hostname}}'

<code>attack</code> <i><a href="#generatorsattacktypeholder">generators.AttackTypeHolder</a></i>

Attack is the type of payload combinations to perform.

Batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

<code>payloads</code> <i>map[string]interface{}</i>

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.

<code>threads</code> <i>int</i>

Threads specifies number of threads to use sending requests. This enables Connection Pooling.

Connection: Close attribute must not be used in request while using threads flag, otherwise pooling will fail and engine will continue to close connections after requests.

Examples:

# Send requests using 10 concurrent threads
threads: 10

<code>inputs</code> <i>[]<a href="#networkinput">network.Input</a></i>

Inputs contains inputs for the network socket

<code>port</code> <i>string</i>

description: | Port is the port to send network requests to. this acts as default port but is overridden if target/input contains non-http(s) ports like 80,8080,8081 etc. Supports both numeric ports and IANA service names (e.g. ftp, ssh, smtp).

<code>exclude-ports</code> <i>string</i>

description: | ExcludePorts is the list of ports to exclude from being scanned . It is intended to be used with Port field and contains a list of ports which are ignored/skipped

<code>read-size</code> <i>int</i>

ReadSize is the size of response to read at the end

Default value for read-size is 1024.

Examples:

read-size: 2048

<code>read-all</code> <i>bool</i>

ReadAll determines if the data stream should be read till the end regardless of the size

Default value for read-all is false.

Examples:

read-all: false

<code>stop-at-first-match</code> <i>bool</i>

StopAtFirstMatch stops the execution of the requests and template as soon as a match is found.

network.Input

Appears in:

• <code><a href="#networkrequest">network.Request</a>.inputs</code>

<code>data</code> <i>string</i>

Data is the data to send as the input.

It supports DSL Helper Functions as well as normal expressions.

Examples:

data: TEST

data: hex_decode('50494e47')

<code>type</code> <i><a href="#networkinputtypeholder">NetworkInputTypeHolder</a></i>

Type is the type of input specified in data field.

Default value is text, but hex can be used for hex formatted data.

Valid values:

• <code>hex</code>

• <code>text</code>

<code>read</code> <i>int</i>

Read is the number of bytes to read from socket.

This can be used for protocols which expect an immediate response. You can read and write responses one after another and eventually perform matching on every data captured with name attribute.

The network docs highlight more on how to do this.

Examples:

read: 1024

<code>name</code> <i>string</i>

Name is the optional name of the data read to provide matching on.

Examples:

name: prefix

NetworkInputTypeHolder

NetworkInputTypeHolder is used to hold internal type of the Network type

Appears in:

• <code><a href="#networkinput">network.Input</a>.type</code>

<code></code> <i>NetworkInputType</i>

Enum Values:

• <code>hex</code>

• <code>text</code>

headless.Request

Request contains a Headless protocol request to be made from a template

Appears in:

• <code><a href="#template">Template</a>.headless</code>

Part Definitions:

• <code>template-id</code> - ID of the template executed
• <code>template-info</code> - Info Block of the template executed
• <code>template-path</code> - Path of the template executed
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon
• <code>type</code> - Type is the type of request made
• <code>req</code> - Headless request made from the client
• <code>resp,body,data</code> - Headless response received from client (default)

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>attack</code> <i><a href="#generatorsattacktypeholder">generators.AttackTypeHolder</a></i>

Attack is the type of payload combinations to perform.

Batteringram is inserts the same payload into all defined payload positions at once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

<code>payloads</code> <i>map[string]interface{}</i>

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.

<code>steps</code> <i>[]<a href="#engineaction">engine.Action</a></i>

Steps is the list of actions to run for headless request

<code>user_agent</code> <i><a href="#useragentuseragentholder">userAgent.UserAgentHolder</a></i>

descriptions: | User-Agent is the type of user-agent to use for the request.

<code>custom_user_agent</code> <i>string</i>

description: | If UserAgent is set to custom, customUserAgent is the custom user-agent to use for the request.

<code>stop-at-first-match</code> <i>bool</i>

StopAtFirstMatch stops the execution of the requests and template as soon as a match is found.

<code>fuzzing</code> <i>[]<a href="#fuzzrule">fuzz.Rule</a></i>

Fuzzing describes schema to fuzz headless requests

<code>cookie-reuse</code> <i>bool</i>

CookieReuse is an optional setting that enables cookie reuse

<code>disable-cookie</code> <i>bool</i>

DisableCookie is an optional setting that disables cookie reuse

engine.Action

Action is an action taken by the browser to reach a navigation

Each step that the browser executes is an action. Most navigations usually start from the ActionLoadURL event, and further navigations are discovered on the found page. We also keep track and only scrape new navigation from pages we haven't crawled yet.

Appears in:

• <code><a href="#headlessrequest">headless.Request</a>.steps</code>

<code>args</code> <i>map[string]string</i>

Args contain arguments for the headless action. Per action arguments are described in detail here.

<code>name</code> <i>string</i>

Name is the name assigned to the headless action.

This can be used to execute code, for instance in browser DOM using script action, and get the result in a variable which can be matched upon by nuclei. An Example template here.

<code>description</code> <i>string</i>

Description is the optional description of the headless action

<code>action</code> <i><a href="#actiontypeholder">ActionTypeHolder</a></i>

Action is the type of the action to perform.

ActionTypeHolder

ActionTypeHolder is used to hold internal type of the action

Appears in:

• <code><a href="#engineaction">engine.Action</a>.action</code>

<code></code> <i>ActionType</i>

Enum Values:

• <code>navigate</code>

• <code>script</code>

• <code>click</code>

• <code>rightclick</code>

• <code>text</code>

• <code>screenshot</code>

• <code>time</code>

• <code>select</code>

• <code>files</code>

• <code>waitdom</code>

• <code>waitfcp</code>

• <code>waitfmp</code>

• <code>waitidle</code>

• <code>waitload</code>

• <code>waitstable</code>

• <code>getresource</code>

• <code>extract</code>

• <code>setmethod</code>

• <code>addheader</code>

• <code>setheader</code>

• <code>deleteheader</code>

• <code>setbody</code>

• <code>waitevent</code>

• <code>dialog</code>

• <code>keyboard</code>

• <code>debug</code>

• <code>sleep</code>

• <code>waitvisible</code>

userAgent.UserAgentHolder

UserAgentHolder holds a UserAgent type. Required for un/marshalling purposes

Appears in:

• <code><a href="#headlessrequest">headless.Request</a>.user_agent</code>

<code></code> <i>UserAgent</i>

Enum Values:

• <code>random</code>

• <code>off</code>

• <code>default</code>

• <code>custom</code>

ssl.Request

Request is a request for the SSL protocol

Appears in:

• <code><a href="#template">Template</a>.ssl</code>

Part Definitions:

• <code>template-id</code> - ID of the template executed
• <code>template-info</code> - Info Block of the template executed
• <code>template-path</code> - Path of the template executed
• <code>host</code> - Host is the input to the template
• <code>port</code> - Port is the port of the host
• <code>matched</code> - Matched is the input which was matched upon
• <code>type</code> - Type is the type of request made
• <code>timestamp</code> - Timestamp is the time when the request was made
• <code>response</code> - JSON SSL protocol handshake details
• <code>cipher</code> - Cipher is the encryption algorithm used
• <code>domains</code> - Domains are the list of domain names in the certificate
• <code>fingerprint_hash</code> - Fingerprint hash is the unique identifier of the certificate
• <code>ip</code> - IP is the IP address of the server
• <code>issuer_cn</code> - Issuer CN is the common name of the certificate issuer
• <code>issuer_dn</code> - Issuer DN is the distinguished name of the certificate issuer
• <code>issuer_org</code> - Issuer organization is the organization of the certificate issuer
• <code>not_after</code> - Timestamp after which the remote cert expires
• <code>not_before</code> - Timestamp before which the certificate is not valid
• <code>probe_status</code> - Probe status indicates if the probe was successful
• <code>serial</code> - Serial is the serial number of the certificate
• <code>sni</code> - SNI is the server name indication used in the handshake
• <code>subject_an</code> - Subject AN is the list of subject alternative names
• <code>subject_cn</code> - Subject CN is the common name of the certificate subject
• <code>subject_dn</code> - Subject DN is the distinguished name of the certificate subject
• <code>subject_org</code> - Subject organization is the organization of the certificate subject
• <code>tls_connection</code> - TLS connection is the type of TLS connection used
• <code>tls_version</code> - TLS version is the version of the TLS protocol used

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>address</code> <i>string</i>

Address contains address for the request

<code>min_version</code> <i>string</i>

Minimum tls version - auto if not specified.

Valid values:

• <code>sslv3</code>

• <code>tls10</code>

• <code>tls11</code>

• <code>tls12</code>

• <code>tls13</code>

<code>max_version</code> <i>string</i>

Max tls version - auto if not specified.

Valid values:

• <code>sslv3</code>

• <code>tls10</code>

• <code>tls11</code>

• <code>tls12</code>

• <code>tls13</code>

<code>cipher_suites</code> <i>[]string</i>

Client Cipher Suites - auto if not specified.

<code>scan_mode</code> <i>string</i>

description: | Tls Scan Mode - auto if not specified values:

• "ctls"
• "ztls"
• "auto"
  • "openssl" # reverts to "auto" is openssl is not installed

<code>tls_version_enum</code> <i>bool</i>

TLS Versions Enum - false if not specified Enumerates supported TLS versions

<code>tls_cipher_enum</code> <i>bool</i>

TLS Ciphers Enum - false if not specified Enumerates supported TLS ciphers

<code>tls_cipher_types</code> <i>[]string</i>

description: | TLS Cipher types to enumerate values:

• "insecure" (default)
• "weak"
• "secure"
• "all"

websocket.Request

Request is a request for the Websocket protocol

Appears in:

• <code><a href="#template">Template</a>.websocket</code>

Part Definitions:

• <code>type</code> - Type is the type of request made
• <code>success</code> - Success specifies whether websocket connection was successful
• <code>request</code> - Websocket request made to the server
• <code>response</code> - Websocket response received from the server
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>address</code> <i>string</i>

Address contains address for the request

<code>inputs</code> <i>[]<a href="#websocketinput">websocket.Input</a></i>

Inputs contains inputs for the websocket protocol

<code>headers</code> <i>map[string]string</i>

Headers contains headers for the request.

<code>attack</code> <i><a href="#generatorsattacktypeholder">generators.AttackTypeHolder</a></i>

Attack is the type of payload combinations to perform.

Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

<code>payloads</code> <i>map[string]interface{}</i>

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.

websocket.Input

Appears in:

• <code><a href="#websocketrequest">websocket.Request</a>.inputs</code>

<code>data</code> <i>string</i>

Data is the data to send as the input.

It supports DSL Helper Functions as well as normal expressions.

Examples:

data: TEST

data: hex_decode('50494e47')

<code>name</code> <i>string</i>

Name is the optional name of the data read to provide matching on.

Examples:

name: prefix

whois.Request

Request is a request for the WHOIS protocol

Appears in:

• <code><a href="#template">Template</a>.whois</code>

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>query</code> <i>string</i>

Query contains query for the request

<code>server</code> <i>string</i>

description: | Optional WHOIS server URL.

 If present, specifies the WHOIS server to execute the Request on.

Otherwise, nil enables bootstrapping

code.Request

Request is a request for the SSL protocol

Appears in:

• <code><a href="#template">Template</a>.code</code>

Part Definitions:

• <code>type</code> - Type is the type of request made
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon

<code>id</code> <i>string</i>

ID is the optional id of the request

<code>engine</code> <i>[]string</i>

Engine type

<code>pre-condition</code> <i>string</i>

PreCondition is a condition which is evaluated before sending the request.

<code>args</code> <i>[]string</i>

Engine Arguments

<code>pattern</code> <i>string</i>

Pattern preferred for file name

<code>source</code> <i>string</i>

Source File/Snippet

javascript.Request

Request is a request for the javascript protocol

Appears in:

• <code><a href="#template">Template</a>.javascript</code>

Part Definitions:

• <code>type</code> - Type is the type of request made
• <code>response</code> - Javascript protocol result response
• <code>host</code> - Host is the input to the template
• <code>matched</code> - Matched is the input which was matched upon

<code>id</code> <i>string</i>

description: | ID is request id in that protocol

<code>init</code> <i>string</i>

Init is javascript code to execute after compiling template and before executing it on any target This is helpful for preparing payloads or other setup that maybe required for exploits

<code>pre-condition</code> <i>string</i>

PreCondition is a condition which is evaluated before sending the request.

<code>args</code> <i>map[string]interface{}</i>

Args contains the arguments to pass to the javascript code.

<code>code</code> <i>string</i>

Code contains code to execute for the javascript request.

<code>stop-at-first-match</code> <i>bool</i>

StopAtFirstMatch stops processing the request at first match.

<code>attack</code> <i><a href="#generatorsattacktypeholder">generators.AttackTypeHolder</a></i>

Attack is the type of payload combinations to perform.

Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates permutations and combinations for all payloads.

<code>threads</code> <i>int</i>

Payload concurrency i.e threads for sending requests.

Examples:

# Send requests using 10 concurrent threads
threads: 10

<code>payloads</code> <i>map[string]interface{}</i>

Payloads contains any payloads for the current request.

Payloads support both key-values combinations where a list of payloads is provided, or optionally a single file can also be provided as payload which will be read on run-time.

http.SignatureTypeHolder

SignatureTypeHolder is used to hold internal type of the signature

Appears in:

• <code><a href="#template">Template</a>.signature</code>

variables.Variable

Variable is a key-value pair of strings that can be used throughout template.

Appears in:

• <code><a href="#template">Template</a>.variables</code>