nuclei-template.yaml

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

ID is the optional ID of the Request

Engine

PreCondition is a condition which is evaluated before sending the request

Args

Pattern

Source snippet

Working directory

Image

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

ID is the optional ID of the DNS Request

Name is the Hostname to make DNS request for

Type is the type of DNS request to make

Class is the class of the DNS request

Retries is the number of retries for the DNS request

Trace performs a trace operation for the target.

TraceMaxRecursion is the number of max recursion allowed for trace operations

Type of the attack

Payloads contains any payloads for the current request

Threads specifies number of threads to use sending requests. This enables Connection Pooling

Recursion determines if resolver should recurse all records to get fresh results

Define resolvers to use within the template

Type of actions to perform

Args contain arguments for the headless action

Name is the name assigned to the headless action

Description of the headless action

Type of the extractor

Name of the extractor

Regex to extract from part

Group to extract from regex

Kval pairs to extract from response

JSON JQ expressions to evaluate from response part

XPath allows using xpath expressions to extract items from html response

Optional attribute to extract from response XPath

Optional attribute to extract from response dsl

Part of the request response to extract data from

Internal when set to true will allow using the value extracted in the next request for some protocols

use case insensitive extract

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

List of extensions to perform matching on

List of files

ID is the optional ID for the request

Maximum size of the file to run request on

Process compressed archives without unpacking

Filter files by mime-type

Specifies whether to not do recursive checks if folders are provided

Type of fuzzing rule to perform

Part of request rule to fuzz

Part of request rule to fuzz

Mode of request rule to fuzz

Keys of parameters to fuzz

Regex of parameter keys to fuzz

Regex of parameter values to fuzz

Payloads to perform fuzzing substitutions with.

Regex for regex-replace rule type

Optional ID of the headless request

Type of the attack

Payloads contains any payloads for the current request

List of actions to run for headless request

userAgent for the headless http request

Custom user agent for the headless request

Stop the execution after a match is found

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

Fuzzing describes rule schema to fuzz headless requests

Optional setting that enables cookie reuse

Optional setting that disables cookie reuse

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

Path(s) to send http requests to

HTTP Requests in Raw Format

ID for the HTTP Request

Optional name for the HTTP Request

Type of the attack

Method is the HTTP Request Method

Body is an optional parameter which contains HTTP Request body

Payloads contains any payloads for the current request

Headers contains HTTP Headers to send with the request

Number of times to send a request in Race Condition Attack

Maximum number of redirects that should be followed

Number of connections to create during pipelining

Number of requests to send per connection when pipelining

Threads specifies number of threads to use sending requests. This enables Connection Pooling

Maximum size of http response body to read in bytes

Fuzzing describes rule schema to fuzz http requests

Type of the signature

Skips the authentication or authorization configured in the secret file

Optional setting that enables cookie reuse

Optional setting that disables cookie reuse

Enables force reading of entire unsafe http request body

Specifies whether redirects should be followed by the HTTP Client

Specifies whether redirects to the same host should be followed by the HTTP Client

Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining

Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests

Race determines if all the request have to be attempted at the same time (Race Condition)

Automatically assigns numbers to requests and preserves their history

Stop the execution after a match is found

Skips the check for unresolved variables in request

Iterates all the values extracted from internal extractors

Optional parameter which specifies the username for digest auth

Optional parameter which specifies the password for digest auth

Disable merging target url path with raw request path

PreCondition is matcher-like field to check if fuzzing should be performed on this request or not

Operator to use between multiple per-conditions

marks matchers as static and applies globally to all result events from other templates

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

ID is the optional ID of the Request

Init is the javascript code to execute after compiling template

PreCondition is a condition which is evaluated before sending the request

Executes inline javascript code for the request

Stop the execution after a match is found

Type of the attack

Threads specifies number of threads to use sending requests. This enables Connection Pooling

Payloads contains any payloads for the current request

Type of the matcher

Condition between the matcher variables

Part of response to match data from

Negative specifies if the match should be reversed. It will only match if the condition is not true

Name of the matcher

Status to match for the response

Size is the acceptable size for the response

Words contains word patterns required to be present in the response part

Regex contains regex patterns required to be present in the response part

Binary are the binary patterns required to be present in the response part

DSL are the dsl expressions that will be evaluated as part of nuclei matching rules

xpath are the XPath queries that will be evaluated against the response part of nuclei matching rules

Optional encoding for the word fields

use case insensitive match

match all matcher values ignoring condition

hide matcher from output

CVSS Metrics for the template

CVSS Score for the template

EPSS Score for the template

EPSS Percentile for the template

CPE for the template

Name is a short summary of what the template does

In-depth explanation on what the template does

In-depth explanation on the impact of the issue found by the template

Seriousness of the implications of the template

Additional metadata fields for the template

In-depth explanation on how to fix the issues found by the template

Data is the data to send as the input

description=Type of input specified in data field

Number of bytes to read from socket

Optional name of the data read to provide matching on

ID of the network request

Host to send network requests to

Type of the attack

Payloads contains any payloads for the current request

Threads specifies number of threads to use sending requests. This enables Connection Pooling

Inputs contains any input/output for the current request

Port to send network requests to

Exclude ports from being scanned

Size of response to read at the end. Default is 1024 bytes

Read all response stream till the server stops sending

Stop the execution after a match is found

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

ID of the request

Address contains address for the request

Minimum tls version - automatic if not specified.

Max tls version - automatic if not specified.

Scan Mode - auto if not specified.

Enumerate Version - false if not specified

Enumerate Ciphers - false if not specified

TLS Cipher Types to enumerate

The Unique ID for the template

Flow contains js code which defines how the template should be executed

HTTP requests to make for the template

HTTP requests to make for the template

DNS requests to make for the template

File requests to make for the template

Network requests to make for the template

Network requests to make for the template

Headless requests to make for the template

SSL requests to make for the template

Websocket requests to make for the template

WHOIS requests to make for the template

Code snippets

Javascript requests to make for the template

List of workflows to execute for template

Mark Requests for the template as self-contained

Stop at first match for the template

Type of the signature

Additional variables for the request

constants contains any constant for the template

Data is the data to send as the input

Optional name of the data read to provide matching on

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

ID of the network request

Address contains address for the request

Inputs contains any input/output for the current request

Headers contains headers for the request

Type of the attack

Payloads contains any payloads for the current request

Detection mechanism to identify whether the request was successful by doing pattern matching

Extractors contains the extraction mechanism for the request to identify and extract parts of the response

Conditions between the matchers

ID of the network request

Query contains query for the request

Server contains the server url to execute the WHOIS request on

Condition between the names

Templates to run after match

Template or directory to execute as part of workflow

Matchers perform name based matching to run subtemplates for a workflow

Subtemplates are ran if the template field Template matches