Learn about the template flow engine in Nuclei v3
flow: http(1) && http(2) and nuclei will take care of everything else.
subject_cn (CN) from the certificate
subject_an (SAN) from the certificate
ssl(): This function executes the SSL request.
template["ssl_domains"]: Retrieves the value of ssl_domains from the template context.
iterate(): Helper function that iterates over any value type while handling empty or null values.
set("vhost", vhost): Creates a new variable vhost in the template and assigns the vhost variable’s value to it.
http(): This function conducts the HTTP request.
flow, you can redefine the way you orchestrate request executions, making your templates much more powerful and efficient.
Here is a working template for vhost enumeration using flow:
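The functions described above, put together in one template. This is an added example, not the page's or the project's own template: the id, info fields, matcher conditions and extractor expression are assumptions, while the flow uses only the functions and the ssl_domains value named above.

```yaml
# Added example; id, info values, matchers and extractor are assumptions.
id: vhost-enum-flow-example

info:
  name: vhost enumeration via flow (example)
  author: example
  severity: info
  description: Sends one HTTP request per name found in the TLS certificate.

# JavaScript flow: run the ssl request first, then one http request
# for every name the ssl step placed in the template context.
flow: |
  ssl();
  for (let vhost of iterate(template["ssl_domains"])) {
    set("vhost", vhost);   // expose the current name as {{vhost}}
    http();
  }

ssl:
  - address: "{{Host}}:{{Port}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{vhost}}

    matchers:
      # Assumption: 400 and 502 mean the name is not served by this host.
      # condition: and is needed because DSL entries are OR-ed by default.
      - type: dsl
        condition: and
        dsl:
          - status_code != 400
          - status_code != 502

    extractors:
      - type: dsl
        dsl:
          - '"VHOST: " + vhost + ", SC: " + status_code'
```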
protocol_name() format. For example, you can use http(), dns(), ssl(), etc.
If you want to execute a specific request of a protocol (refer to nuclei-flow-dns for an example), it can be achieved by passing either:
dns(1), dns(2))
dns("extract-vps"), http("probe-http"))
dns("extract-vps","1"))
set() helper function. When invoked, it adds the given variable to the template context (global variables), and that value is used during execution of the request/protocol. The format of set() is set("variable_name",value), e.g. set("username","admin").
set("vhost", vhost) which added vhost to template context (global variables) and then called http(1) which used this value in request.
set() etc). This template context is available in JavaScript as the template variable and can be used to access any data from it, e.g. template["dns_cname"], template["ssl_subject_cn"] etc.
log() function
console.log and this pretty prints map data in a readable format
Note: This should be used for debugging purposes only, as this prints data to stdout.
ssl_subject_cn and ssl_subject_an and this can be achieved by using the dedupe() object. This is a nuclei JS helper function that abstracts away the boilerplate code of removing duplicates from an array/slice.
Similar to DSL helper functions, we can either use the built-in functions available with JavaScript (ECMAScript 5.1) or use DSL helper functions; it is up to the user to decide which one to use.
CVE-2023-43177 which has multiple requests/protocols and uses flow for logic, used to only return one result, but it conflicted with logic when a for loop was used in flow. To fix this, the nuclei engine from v3.1.4 will print all events/results in a template, and template writers can use internal: true in matchers to skip printing of events/results, just like dynamic extractors.
Note: this is only relevant if matchers/extractors are used in previous requests/protocols
Example of CVE-2023-6553 with new internal: true logic would be