Review details on using AI to help generate Nuclei templates
Nuclei Template Editor has AI to generate templates for vulnerability reports. This document helps to guide you through the process, offering you usage tips and examples.
Powered by public Nuclei templates and a rich CVE data set, the AI understands a broad array of security vulnerabilities. First, the system interprets the user’s prompt to identify a specific vulnerability. Then, it generates a template based on the steps required to reproduce the vulnerability along with all the necessary meta information to reproduce and remediate.
Kick start your AI Assistance experience with these steps:
The following examples demonstrate different vulnerabilities and the corresponding Prompt.
Vulnerability: Open Redirect
Open redirect vulnerability identified in a web application. Here’s the PoC:
HTTP Request:
HTTP Response:
The application redirects the user to the URL specified in the url parameter, leading to an open redirect vulnerability.
Vulnerability: SQL Injection
SQL Injection vulnerability in a login form. Here’s the PoC:
HTTP Request:
HTTP Response:
The application improperly handles user input in the password field, leading to an SQL Injection vulnerability.
Vulnerability: Business logic (negative cart balance)
Business Logic vulnerability in a web application’s shopping cart function allows for negative quantities, leading to credit. Here’s the PoC:
HTTP Request:
HTTP Response:
The application fails to validate the quantity parameter, resulting in a Business Logic vulnerability.
Vulnerability: Server-side Template Injection (SSTI)
Server-side Template Injection (SSTI) vulnerability through a web application’s custom greeting card function. Here’s the PoC:
The application processes the message parameter as a template, leading to an SSTI vulnerability.
Vulnerability: Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) vulnerability discovered in a website’s user profile page. Here’s the PoC:
The application exposes sensitive information of a user (ID: 2) who is not the authenticated user (session: abcd1234), leading to an IDOR vulnerability.
Vulnerability: Path Traversal
Path Traversal vulnerability identified in a web application’s file download function. Here’s the PoC:
The application fetches the file specified in the file parameter from the server file system, leading to a Path Traversal vulnerability.
Vulnerability: Business logic (extend VIP subscription)
Business logic vulnerability in a web application’s VIP subscription function allows users to extend the trial period indefinitely. Here’s the PoC:
The application does not limit the number of times the trial period can be extended, leading to a business logic vulnerability.
Each of these examples provides HTTP Requests and Responses to illustrate the vulnerabilities.
Please note that the current AI is trained primarily on HTTP data. Template generation for non-HTTP protocols is not supported at this time. Support for additional protocols is under development and will be available soon.
Review details on using AI to help generate Nuclei templates
Nuclei Template Editor has AI to generate templates for vulnerability reports. This document helps to guide you through the process, offering you usage tips and examples.
Powered by public Nuclei templates and a rich CVE data set, the AI understands a broad array of security vulnerabilities. First, the system interprets the user’s prompt to identify a specific vulnerability. Then, it generates a template based on the steps required to reproduce the vulnerability along with all the necessary meta information to reproduce and remediate.
Kick start your AI Assistance experience with these steps:
The following examples demonstrate different vulnerabilities and the corresponding Prompt.
Vulnerability: Open Redirect
Open redirect vulnerability identified in a web application. Here’s the PoC:
HTTP Request:
HTTP Response:
The application redirects the user to the URL specified in the url parameter, leading to an open redirect vulnerability.
Vulnerability: SQL Injection
SQL Injection vulnerability in a login form. Here’s the PoC:
HTTP Request:
HTTP Response:
The application improperly handles user input in the password field, leading to an SQL Injection vulnerability.
Vulnerability: Business logic (negative cart balance)
Business Logic vulnerability in a web application’s shopping cart function allows for negative quantities, leading to credit. Here’s the PoC:
HTTP Request:
HTTP Response:
The application fails to validate the quantity parameter, resulting in a Business Logic vulnerability.
Vulnerability: Server-side Template Injection (SSTI)
Server-side Template Injection (SSTI) vulnerability through a web application’s custom greeting card function. Here’s the PoC:
The application processes the message parameter as a template, leading to an SSTI vulnerability.
Vulnerability: Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) vulnerability discovered in a website’s user profile page. Here’s the PoC:
The application exposes sensitive information of a user (ID: 2) who is not the authenticated user (session: abcd1234), leading to an IDOR vulnerability.
Vulnerability: Path Traversal
Path Traversal vulnerability identified in a web application’s file download function. Here’s the PoC:
The application fetches the file specified in the file parameter from the server file system, leading to a Path Traversal vulnerability.
Vulnerability: Business logic (extend VIP subscription)
Business logic vulnerability in a web application’s VIP subscription function allows users to extend the trial period indefinitely. Here’s the PoC:
The application does not limit the number of times the trial period can be extended, leading to a business logic vulnerability.
Each of these examples provides HTTP Requests and Responses to illustrate the vulnerabilities.
Please note that the current AI is trained primarily on HTTP data. Template generation for non-HTTP protocols is not supported at this time. Support for additional protocols is under development and will be available soon.