Nuclei Automation: Deep-dive into Templates & DevSecOps Workflows

One of our favourite tools for dynamic security testing (DAST) is Nuclei by Project Discovery. It's one of the most lightweight, easy-to-use vulnerability scanners, but it's also got one unique feature that sets it apart from most other scan tools: templates.

‍

If you want to learn the basics of what Nuclei templates are and why they're so useful, check out this article.

‍

But in a nutshell, templates are YAML-based files which act as instructions that tell Nuclei what vulnerabilities to look for.

Most scanners maintain a vulnerability database, so when they perform a scan, they cross-reference their findings with the database to see if they found a vulnerability. This leads to far more false positives in the results, since the scanner is doing a 'broad sweep' for a large number of vulnerabilities.

‍

Templates, however, let Nuclei target and find specific vulnerabilities in the software. This allows Nuclei to avoid the unnecessary load of false positives that you'd normally get from other tools.

Let's take a deep-dive into templates, workflows, and how Nuclei scans applications.

‍

How Nuclei works: Deep-dive into templates

‍

A typical Nuclei template consists of 5 parts or sections. Let's take the example of this template, which is designed to find email disclosure vulnerabilities.

1. ID: Each template has a unique ID which is to specify the template name during the output.
2. Information: This section contains the name, author, severity, and description, of the template. It may also include reference and tags that offer more info on the function of the template.
3. Request: An HTTP request made by using the base components of a URL to the host server in order to access a resource.
4. Extractors: Extractors are used to extract and display matches from the response in the results.
5. Matchers: Matchers allow you to specify different types of comparisons on protocol responses.

‍

Nuclei interprets the template as a set of instructions that tell it what kind of vulnerabilities it needs to identify.

‍

What makes Nuclei endlessly customisable is the fact that you can write your own templates to suit your specific use case. You can even choose from a massive selection of templates created by Project Discovery themselves, or templates made by the community.

‍

This is what a Nuclei workflow looks like

‍

If you thought it would be too slow to look for individual vulnerabilities with Nuclei templates, don't worry!

‍

You can feed multiple templates into the Nuclei engine, each of which can identify a different vulnerability. First, the Nuclei engine runs the scan on the target application. It then generates results in two simple forms: 'Yes' if the vulnerability is found, and 'No' if it's not found.

‍

Pretty simple right?

‍

But there's more: Nuclei can be automated for DevSecOps. That means you can scale up your vulnerability scanning even on an enterprise workflow.

BTW, check out our full course on how to use and automate Nuclei. 

‍

DevSecOps workflow with Nuclei

In this example, we have 'N' number of releases of the application. After each new release, we can run the entire suite of Nuclei templates on that release.

If the scan finds any of the vulnerabilities specified in the templates, the release is denied.

‍

Learn to automate DAST scans with Nuclei

‍

Automating your Nuclei scans is the next step to take your dynamic testing (DAST) to the next level. As you just saw, Nuclei scans can even be part of your CI/CD pipeline for DevSecOps.

‍

We've got 10 courses in DevSecOps, including one on Nuclei automation:

• Learn the basics of Nuclei
• Operate Nuclei with hands-on labs
• Create real-world Nuclei workflows for DevSecOps
• Build your own vulnerability suites

‍

Learn more about the course here.

‍

Ready to give it a go? Pick your AppSecEngineer plan now and start learning!

‍