This is a summary of the original nuclei template documentation, which can be found here: https://nuclei.projectdiscovery.io/templating-guide/
This guide explains and demonstrates the template creation process in a short, simplified way for better understanding.
Everything needs a unique identifier so that it can be told apart from other things of the same kind. At a school or university, our roll number or registration number is the identifier by which the institution keeps track of its students.
Similarly, these templates have a unique id by which they are identified. This should be the first line of our YAML template, and its value identifies the template in our scan results.
id: nginx-version
The id is reflected back in the output.
The next most important information is our details, such as name, address, education and contact number. Templates have something similar, and it is included inside the info block.
The info block provides the name, author, description, severity and tags. The severity field indicates the severity of the template, which makes it easy to filter results by severity.
info:
  name: nginx version detect
  author: hacktifycs
  description: Some nginx servers have the version on the response header. Useful when you need to find specific CVEs on your targets.
  severity: info
The block above is an example of an info block, where we can set the name, author, description and severity according to the requirement.
Another important attribute that can be added is tags. This allows you to set custom tags on a template depending on its purpose, such as cve, rce, git, etc.
Now that we have discussed the most important details of a nuclei template, this is a good time to point to the detailed documentation for nuclei templates, which can be found here: https://nuclei.projectdiscovery.io/templating-guide/
In this guide we will look at the gist of each block and tag that should be considered by anyone who has started or is going to start developing nuclei templates.
Let's move on and start learning the core concept of developing nuclei templates.
HTTP (Hypertext Transfer Protocol) is a protocol for fetching resources such as HTML documents and CSS files. It is the foundation of any data exchange on the Web and is a client-server protocol. It is used for sending data to and getting data from a server, and for modifying data on the server.
Now that you are aware of what HTTP is, let us look at the major blocks we need to consider while developing an HTTP-based template.
In nuclei templates, HTTP requests start from a requests block. The syntax is shown below:
requests:
  # Contents of the block
In HTTP, the method determines what the request does: to send data to the server the POST method is required, while to get data from the server the GET method is required. We must include the method the template is supposed to use, according to the requirement.
requests:
  - method: GET # or POST; others can be used according to requirement.
This is the most important part of the template. To execute a nuclei template, it must have a placeholder where it can take the URLs or host names we provide; this is where "path" comes into existence.
The placeholder is enclosed between "{{" and "}}".
There are two ways to implement this: we can give either {{BaseURL}} or {{Hostname}}.
path:
  - "{{BaseURL}}/.git/config" # We can also curate the path according to our requirement.
For example, if we give a URL like https://hacktify.in, it will make a request to https://hacktify.in/.git/config.
Sometimes when we request a URL, it may redirect us to a different URL or a different host. Should this behaviour be allowed by the nuclei scanner? The redirects tag specifies whether redirects are followed or not, using a true or false value.
redirects: true
We can also use the max-redirects option to set the maximum number of redirects inside our templates.
max-redirects: 5 # There will be at most 5 redirects if we specify this option
Awesome! Let's sum up everything so far and see how our template looks.
id: simple-login-form

info:
  name: Simple Login Form
  author: hacktifycs
  description: A simple login setup.
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/login.php"
    redirects: true
    max-redirects: 3
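The fields covered so far can be checked mechanically before a template is run. The following Python code is an added example, not code from the nuclei project or the original guide: it lints a template that has already been parsed from YAML into a dict, and shows what a path expands to for a given target. The id pattern, the severity list, the lint rules and the trailing-slash handling are assumptions of this example, and both sample templates are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions of this example, not taken from the guide.
SEVERITIES = {"info", "low", "medium", "high", "critical", "unknown"}
ID_RE = re.compile(r"^([a-zA-Z0-9]+[-_])*[a-zA-Z0-9]+$")  # e.g. nginx-version
PLACEHOLDERS = ("{{BaseURL}}", "{{Hostname}}")

def lint(tpl):
    """Return a list of problems found in a parsed template (YAML as a dict)."""
    problems = []
    if not ID_RE.match(str(tpl.get("id", ""))):
        problems.append("id: missing or malformed")
    info = tpl.get("info") or {}
    for field in ("name", "author", "severity"):
        if not info.get(field):
            problems.append(f"info.{field}: missing")
    if info.get("severity") and info["severity"] not in SEVERITIES:
        problems.append(f"info.severity: unsupported value {info['severity']!r}")
    requests = tpl.get("requests") or []
    if not requests:
        problems.append("requests: missing")
    for i, req in enumerate(requests):
        if "method" not in req:  # catches the easy typo "methods"
            problems.append(f"requests[{i}].method: missing")
        paths = req.get("path") or []
        if not paths:
            problems.append(f"requests[{i}].path: missing")
        for p in paths:
            if not any(ph in p for ph in PLACEHOLDERS):
                problems.append(f"requests[{i}].path: no target placeholder in {p!r}")
        if "max-redirects" in req and not req.get("redirects"):
            problems.append(f"requests[{i}].max-redirects: set without redirects: true")
    return problems

def expand(path, target):
    """Simplified substitution: BaseURL is the target URL, Hostname is host[:port]."""
    base = target.rstrip("/")  # avoid "//" when the target ends with a slash
    return path.replace("{{BaseURL}}", base).replace("{{Hostname}}", urlsplit(target).netloc)

# Constructed sample templates, already parsed from YAML into dicts.
GOOD = {"id": "simple-login-form",
        "info": {"name": "Simple Login Form", "author": "hacktifycs", "severity": "info"},
        "requests": [{"method": "GET", "path": ["{{BaseURL}}/login.php"],
                      "redirects": True, "max-redirects": 3}]}
BAD = {"info": {"name": "Broken", "author": "someone", "severity": "informational"},
       "requests": [{"methods": "GET", "path": ["/login.php"], "max-redirects": 3}]}

if __name__ == "__main__":
    for name, tpl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(tpl) or "ok")
    print(expand("{{BaseURL}}/login.php", "https://example.com/"))
```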