diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index 6a96a98f3..4f534d428 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -47,4 +47,3 @@ jobs:
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
- branch: ${{ github.ref }}
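Review bot: The step kept at `uses: ad-m/github-push-action@master` references a mutable branch of a third-party action while passing it `secrets.GITHUB_TOKEN`, so whatever lands on that upstream branch runs with this workflow's push rights. Pin it to a reviewed full commit SHA instead, e.g. `uses: ad-m/github-push-action@<full-commit-sha>` (placeholder). With `branch: ${{ github.ref }}` removed, the push target presumably falls back to the action's own default; a comment such as `# pushes to the action's default branch` would make that intent explicit and make a change of the upstream default easier to notice. The job header is outside this hunk, so if no `permissions:` block is set there, scoping the job to `contents: write` would limit what the token can do.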
diff --git a/README.md b/README.md
index b1ee8b943..637088d6e 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Nuclei has had built-in support for automatic update/download templates since ve
You may still use the `update-templates` flag to update the nuclei templates at any time; automatic updates happen every 24 hours. You can write your own checks for your individual workflow and needs following Nuclei's [templating guide](https://nuclei.projectdiscovery.io/templating-guide/).
-The YAML DSL reference syntax is available [here](v2/syntax-reference.md).
+The YAML DSL reference syntax is available [here](SYNTAX-REFERENCE.md).
diff --git a/SYNTAX-REFERENCE.md b/SYNTAX-REFERENCE.md
new file mode 100755
index 000000000..a50d97658
--- /dev/null
+++ b/SYNTAX-REFERENCE.md
@@ -0,0 +1,2700 @@
+
+
+
+
+## Template
+Template is a YAML input file which defines all the requests and
+ other metadata for a template.
+
+
+
+
+
+
+
+
+id string
+
+
+
+
+ID is the unique id for the template.
+
+#### Good IDs
+
+A good ID uniquely identifies what the requests in the template
+are doing. Let's say you have a template that identifies a git-config
+file on the webservers, a good name would be `git-config-exposure`. Another
+example name is `azure-apps-nxdomain-takeover`.
+
+
+
+Examples:
+
+
+```yaml
+# ID Example
+id: CVE-2021-19520
+```
+
+
+
+
+
+
+
+
+
+Info contains metadata information about the template.
+
+
+
+Examples:
+
+
+```yaml
+info:
+ name: Argument Injection in Ruby Dragonfly
+ author: 0xspara
+ tags: cve,cve2021,rce,ruby
+ reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
+ severity: high
+```
+
+
+
+
+
+
+
+
+
+Requests contains the http request to make in the template.
+
+
+
+Examples:
+
+
+```yaml
+requests:
+ matchers:
+ - type: word
+ words:
+ - '[core]'
+ - type: dsl
+ condition: and
+ dsl:
+ - '!contains(tolower(body), ''
+
+
+
+
+
+
+DNS contains the dns request to make in the template
+
+
+
+Examples:
+
+
+```yaml
+dns:
+ extractors:
+ - type: regex
+ regex:
+ - ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
+ - ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
+ name: '{{FQDN}}'
+ type: CNAME
+ class: inet
+ retries: 2
+ recursion: true
+```
+
+
+
+
+
+
+
+
+
+File contains the file request to make in the template
+
+
+
+Examples:
+
+
+```yaml
+file:
+ extractors:
+ - type: regex
+ regex:
+ - amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
+ extensions:
+ - all
+```
+
+
+
+
+
+
+
+
+
+Network contains the network request to make in the template
+
+
+
+Examples:
+
+
+```yaml
+network:
+ host:
+ - '{{Hostname}}'
+ - '{{Hostname}}:2181'
+ inputs:
+ - data: "envi\r\nquit\r\n"
+ read-size: 2048
+ matchers:
+ - type: word
+ words:
+ - zookeeper.version
+```
+
+
+
+
+
+
+
+
+
+Headless contains the headless request to make in the template.
+
+
+
+
+
+
+
+
+Workflows is a list of workflows to execute for a template.
+
+
+
+
+
+
+
+
+
+## model.Info
+Info contains metadata information about a template
+
+Appears in:
+
+
+-
Template.info
+
+
+```yaml
+name: Argument Injection in Ruby Dragonfly
+author: 0xspara
+tags: cve,cve2021,rce,ruby
+reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
+severity: high
+```
+
+
+
+
+
+name string
+
+
+
+
+Name should be good short summary that identifies what the template does.
+
+
+
+Examples:
+
+
+```yaml
+name: bower.json file disclosure
+```
+
+```yaml
+name: Nagios Default Credentials Check
+```
+
+
+
+
+
+
+
+
+author StringSlice
+
+
+
+
+Author of the template.
+
+Multiple values can also be specified separated by commas.
+
+
+
+Examples:
+
+
+```yaml
+author:
+```
+
+
+
+
+
+
+
+
+tags StringSlice
+
+
+
+
+Any tags for the template.
+
+Multiple values can also be specified separated by commas.
+
+
+
+Examples:
+
+
+```yaml
+# Example tags
+tags: cve,cve2019,grafana,auth-bypass,dos
+```
+
+
+
+
+
+
+
+
+description string
+
+
+
+
+Description of the template.
+
+You can go in-depth here on what the template actually does.
+
+
+
+Examples:
+
+
+```yaml
+description: Bower is a package manager which stores packages informations in bower.json file
+```
+
+```yaml
+description: Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations
+```
+
+
+
+
+
+
+
+
+reference StringSlice
+
+
+
+
+References for the template.
+
+This should contain links relevant to the template.
+
+
+
+Examples:
+
+
+```yaml
+reference:
+ - https://github.com/strapi/strapi
+ - https://github.com/getgrav/grav
+```
+
+
+
+
+
+
+
+
+
+Severity of the template.
+
+
+Valid values:
+
+
+ - info
+
+ - low
+
+ - medium
+
+ - high
+
+ - critical
+
+
+
+
+
+
+additional-fields map[string]string
+
+
+
+
+AdditionalFields regarding metadata of the template.
+
+
+
+Examples:
+
+
+```yaml
+additional-fields:
+ customField1: customValue1
+```
+
+
+
+
+
+
+
+
+
+
+## model.StringSlice
+
+Appears in:
+
+
+-
workflows.WorkflowTemplate.tags
+
+
+
+
+
+## severity.SeverityHolder
+
+Appears in:
+
+
+-
model.Info.severity
+
+
+
+
+
+## http.Request
+Request contains a http request to be made from a template
+
+Appears in:
+
+
+-
Template.requests
+
+
+```yaml
+matchers:
+ - type: word
+ words:
+ - '[core]'
+ - type: dsl
+ condition: and
+ dsl:
+ - '!contains(tolower(body), ''
+
+
+
+
+Matchers contains the detection mechanism for the request to identify
+whether the request was successful by doing pattern matching
+on request/responses.
+
+Multiple matchers can be combined together with `matcher-condition` flag
+which accepts either `and` or `or` as argument.
+
+
+
+
+
+
+
+
+Extractors contains the extraction mechanism for the request to identify
+and extract parts of the response.
+
+
+
+
+
+
+
+matchers-condition string
+
+
+
+
+MatchersCondition is the condition between the matchers. Default is OR.
+
+
+Valid values:
+
+
+ - and
+
+ - or
+
+
+
+
+
+
+path []string
+
+
+
+
+Path contains the path/s for the HTTP requests. It supports variables
+as placeholders.
+
+
+
+Examples:
+
+
+```yaml
+# Some example path values
+path:
+ - '{{BaseURL}}'
+ - '{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions'
+```
+
+
+
+
+
+
+
+
+raw []string
+
+
+
+
+Raw contains HTTP Requests in Raw format.
+
+
+
+Examples:
+
+
+```yaml
+# Some example raw requests
+raw:
+ - |-
+ GET /etc/passwd HTTP/1.1
+ Host:
+ Content-Length: 4
+ - |-
+ POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+ Content-Length: 1
+ Connection: close
+
+ echo
+ echo
+ cat /etc/passwd 2>&1
+```
+
+
+
+
+
+
+
+
+id string
+
+
+
+
+ID is the the optional id of the request
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name is the optional name of the request.
+
+If a name is specified, all the named request in a template can be matched upon
+in a combined manner allowing multirequest based matchers.
+
+
+
+
+
+
+
+attack string
+
+
+
+
+Attack is the type of payload combinations to perform.
+
+Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates
+permutations and combinations for all payloads.
+
+
+Valid values:
+
+
+ - sniper
+
+ - pitchfork
+
+ - clusterbomb
+
+
+
+
+
+
+method string
+
+
+
+
+Method is the HTTP Request Method.
+
+
+Valid values:
+
+
+ - GET
+
+ - HEAD
+
+ - POST
+
+ - PUT
+
+ - DELETE
+
+ - CONNECT
+
+ - OPTIONS
+
+ - TRACE
+
+ - PATCH
+
+
+
+
+
+
+body string
+
+
+
+
+Body is an optional parameter which contains HTTP Request body.
+
+
+
+Examples:
+
+
+```yaml
+# Same Body for a Login POST request
+body: username=test&password=test
+```
+
+
+
+
+
+
+
+
+payloads map[string]interface{}
+
+
+
+
+Payloads contains any payloads for the current request.
+
+Payloads support both key-values combinations where a list
+of payloads is provided, or optionally a single file can also
+be provided as payload which will be read on run-time.
+
+
+
+
+
+
+
+headers map[string]string
+
+
+
+
+Headers contains HTTP Headers to send with the request.
+
+
+
+Examples:
+
+
+```yaml
+headers:
+ Any-Header: Any-Value
+ Content-Length: "1"
+ Content-Type: application/x-www-form-urlencoded
+```
+
+
+
+
+
+
+
+
+race_count int
+
+
+
+
+RaceCount is the number of times to send a request in Race Condition Attack.
+
+
+
+Examples:
+
+
+```yaml
+# Send a request 5 times
+race_count: 5
+```
+
+
+
+
+
+
+
+
+max-redirects int
+
+
+
+
+MaxRedirects is the maximum number of redirects that should be followed.
+
+
+
+Examples:
+
+
+```yaml
+# Follow upto 5 redirects
+max-redirects: 5
+```
+
+
+
+
+
+
+
+
+pipeline-concurrent-connections int
+
+
+
+
+PipelineConcurrentConnections is number of connections to create during pipelining.
+
+
+
+Examples:
+
+
+```yaml
+# Create 40 concurrent connections
+pipeline-concurrent-connections: 40
+```
+
+
+
+
+
+
+
+
+pipeline-requests-per-connection int
+
+
+
+
+PipelineRequestsPerConnection is number of requests to send per connection when pipelining.
+
+
+
+Examples:
+
+
+```yaml
+# Send 100 requests per pipeline connection
+pipeline-requests-per-connection: 100
+```
+
+
+
+
+
+
+
+
+threads int
+
+
+
+
+Threads specifies number of threads to use sending requests. This enables Connection Pooling.
+
+Connection: Close attribute must not be used in request while using threads flag, otherwise
+pooling will fail and engine will continue to close connections after requests.
+
+
+
+Examples:
+
+
+```yaml
+# Send requests using 10 concurrent threads
+threads: 10
+```
+
+
+
+
+
+
+
+
+max-size int
+
+
+
+
+MaxSize is the maximum size of http response body to read in bytes.
+
+
+
+Examples:
+
+
+```yaml
+# Read max 2048 bytes of the response
+max-size: 2048
+```
+
+
+
+
+
+
+
+
+cookie-reuse bool
+
+
+
+
+CookieReuse is an optional setting that enables cookie reuse for
+all requests defined in raw section.
+
+
+
+
+
+
+
+redirects bool
+
+
+
+
+Redirects specifies whether redirects should be followed by the HTTP Client.
+
+This can be used in conjunction with `max-redirects` to control the HTTP request redirects.
+
+
+
+
+
+
+
+pipeline bool
+
+
+
+
+Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining
+
+All requests must be indempotent (GET/POST). This can be used for race conditions/billions requests.
+
+
+
+
+
+
+
+unsafe bool
+
+
+
+
+Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests.
+
+This uses the [rawhttp](https://github.com/projectdiscovery/rawhttp) engine to achieve complete
+control over the request, with no normalization performed by the client.
+
+
+
+
+
+
+
+race bool
+
+
+
+
+Race determines if all the request have to be attempted at the same time (Race Condition)
+
+The actual number of requests that will be sent is determined by the `race_count` field.
+
+
+
+
+
+
+
+req-condition bool
+
+
+
+
+ReqCondition automatically assigns numbers to requests and preserves their history.
+
+This allows matching on them later for multi-request conditions.
+
+
+
+
+
+
+
+stop-at-first-match bool
+
+
+
+
+StopAtFirstMatch stops the execution of the requests and template as soon as a match is found.
+
+
+
+
+
+
+
+
+
+## matchers.Matcher
+Matcher is used to match a part in the output from a protocol.
+
+Appears in:
+
+
+- http.Request.matchers
+
+- dns.Request.matchers
+
+- file.Request.matchers
+
+- network.Request.matchers
+
+- headless.Request.matchers
+
+
+
+
+
+
+
+type string
+
+
+
+
+Type is the type of the matcher.
+
+
+Valid values:
+
+
+ - status
+
+ - size
+
+ - word
+
+ - regex
+
+ - binary
+
+ - dsl
+
+
+
+
+
+
+condition string
+
+
+
+
+Condition is the optional condition between two matcher variables. By default,
+the condition is assumed to be OR.
+
+
+Valid values:
+
+
+ - and
+
+ - or
+
+
+
+
+
+
+part string
+
+
+
+
+Part is the part of the request response to match data from.
+
+Each protocol exposes a lot of different parts which are well
+documented in docs for each request type.
+
+
+
+Examples:
+
+
+```yaml
+part: body
+```
+
+```yaml
+part: raw
+```
+
+
+
+
+
+
+
+
+negative bool
+
+
+
+
+Negative specifies if the match should be reversed
+It will only match if the condition is not true.
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name of the matcher. Name should be lowercase and must not contain
+spaces or underscores (_).
+
+
+
+Examples:
+
+
+```yaml
+name: cookie-matcher
+```
+
+
+
+
+
+
+
+
+status []int
+
+
+
+
+Status are the acceptable status codes for the response.
+
+
+
+Examples:
+
+
+```yaml
+status:
+ - 200
+ - 302
+```
+
+
+
+
+
+
+
+
+size []int
+
+
+
+
+Size is the acceptable size for the response
+
+
+
+Examples:
+
+
+```yaml
+size:
+ - 3029
+ - 2042
+```
+
+
+
+
+
+
+
+
+words []string
+
+
+
+
+Words contains word patterns required to be present in the response part.
+
+
+
+Examples:
+
+
+```yaml
+# Match for outlook mail protection domain
+words:
+ - mail.protection.outlook.com
+```
+
+```yaml
+# Match for application/json in response headers
+words:
+ - application/json
+```
+
+
+
+
+
+
+
+
+regex []string
+
+
+
+
+Regex contains Regular Expression patterns required to be present in the response part.
+
+
+
+Examples:
+
+
+```yaml
+# Match for Linkerd Service via Regex
+regex:
+ - (?mi)^Via\\s*?:.*?linkerd.*$
+```
+
+```yaml
+# Match for Open Redirect via Location header
+regex:
+ - (?m)^(?:Location\\s*?:\\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\\-_\\.@]*)example\\.com.*$
+```
+
+
+
+
+
+
+
+
+binary []string
+
+
+
+
+Binary are the binary patterns required to be present in the response part.
+
+
+
+Examples:
+
+
+```yaml
+# Match for Springboot Heapdump Actuator "JAVA PROFILE", "HPROF", "Gunzip magic byte"
+binary:
+ - 4a4156412050524f46494c45
+ - 4850524f46
+ - 1f8b080000000000
+```
+
+```yaml
+# Match for 7zip files
+binary:
+ - 377ABCAF271C
+```
+
+
+
+
+
+
+
+
+dsl []string
+
+
+
+
+DSL are the dsl expressions that will be evaluated as part of nuclei matching rules.
+A list of these helper functions are available [here](https://nuclei.projectdiscovery.io/templating-guide/helper-functions/).
+
+
+
+Examples:
+
+
+```yaml
+# DSL Matcher for package.json file
+dsl:
+ - contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200
+```
+
+```yaml
+# DSL Matcher for missing strict transport security header
+dsl:
+ - '!contains(tolower(all_headers), ''''strict-transport-security'''')'
+```
+
+
+
+
+
+
+
+
+encoding string
+
+
+
+
+Encoding specifies the encoding for the words field if any.
+
+
+Valid values:
+
+
+ - hex
+
+
+
+
+
+
+
+
+## extractors.Extractor
+Extractor is used to extract part of response using a regex.
+
+Appears in:
+
+
+- http.Request.extractors
+
+- dns.Request.extractors
+
+- file.Request.extractors
+
+- network.Request.extractors
+
+- headless.Request.extractors
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name of the extractor. Name should be lowercase and must not contain
+spaces or underscores (_).
+
+
+
+Examples:
+
+
+```yaml
+name: cookie-extractor
+```
+
+
+
+
+
+
+
+
+type string
+
+
+
+
+Type is the type of the extractor.
+
+
+Valid values:
+
+
+ - regex
+
+ - kval
+
+ - json
+
+ - xpath
+
+
+
+
+
+
+regex []string
+
+
+
+
+Regex contains the regular expression patterns to extract from a part.
+
+Go regex engine does not support lookaheads or lookbehinds, so as a result
+they are also not supported in nuclei.
+
+
+
+Examples:
+
+
+```yaml
+# Braintree Access Token Regex
+regex:
+ - access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}
+```
+
+```yaml
+# Wordpress Author Extraction regex
+regex:
+ - Author:(?:[A-Za-z0-9 -\_="]+)?([A-Za-z0-9]+)<\/span>
+```
+
+
+
+
+
+
+
+
+group int
+
+
+
+
+Group specifies a numbered group to extract from the regex.
+
+
+
+Examples:
+
+
+```yaml
+# Example Regex Group
+group: 1
+```
+
+
+
+
+
+
+
+
+kval []string
+
+
+
+
+description: |
+ kval contains the key-value pairs present in the HTTP response header.
+ kval extractor can be used to extract HTTP response header and cookie key-value pairs.
+ kval extractor inputs are case insensitive, and does not support dash (-) in input which can replaced with underscores (_)
+ For example, Content-Type should be replaced with content_type
+
+ A list of supported parts is available in docs for request types.
+ examples:
+ - name: Extract Server Header From HTTP Response
+ value: >
+ []string{"server"}
+ - name: Extracting value of PHPSESSID Cookie
+ value: >
+ []string{"phpsessid"}
+ - name: Extracting value of Content-Type Cookie
+ value: >
+ []string{"content_type"}
+
+
+
+
+
+
+
+json []string
+
+
+
+
+JSON allows using jq-style syntax to extract items from json response
+
+
+
+Examples:
+
+
+```yaml
+json:
+ - .[] | .id
+```
+
+```yaml
+json:
+ - .batters | .batter | .[] | .id
+```
+
+
+
+
+
+
+
+
+xpath []string
+
+
+
+
+XPath allows using xpath expressions to extract items from html response
+
+
+
+Examples:
+
+
+```yaml
+xpath:
+ - /html/body/div/p[2]/a
+```
+
+
+
+
+
+
+
+
+attribute string
+
+
+
+
+Attribute is an optional attribute to extract from response XPath.
+
+
+
+Examples:
+
+
+```yaml
+attribute: href
+```
+
+
+
+
+
+
+
+
+part string
+
+
+
+
+Part is the part of the request response to extract data from.
+
+Each protocol exposes a lot of different parts which are well
+documented in docs for each request type.
+
+
+
+Examples:
+
+
+```yaml
+part: body
+```
+
+```yaml
+part: raw
+```
+
+
+
+
+
+
+
+
+internal bool
+
+
+
+
+Internal, when set to true will allow using the value extracted
+in the next request for some protocols (like HTTP).
+
+
+
+
+
+
+
+
+
+## dns.Request
+Request contains a DNS protocol request to be made from a template
+
+Appears in:
+
+
+- Template.dns
+
+
+```yaml
+extractors:
+ - type: regex
+ regex:
+ - ec2-[-\d]+\.compute[-\d]*\.amazonaws\.com
+ - ec2-[-\d]+\.[\w\d\-]+\.compute[-\d]*\.amazonaws\.com
+name: '{{FQDN}}'
+type: CNAME
+class: inet
+retries: 2
+recursion: true
+```
+
+
+
+
+
+
+Matchers contains the detection mechanism for the request to identify
+whether the request was successful by doing pattern matching
+on request/responses.
+
+Multiple matchers can be combined together with `matcher-condition` flag
+which accepts either `and` or `or` as argument.
+
+
+
+
+
+
+
+
+Extractors contains the extraction mechanism for the request to identify
+and extract parts of the response.
+
+
+
+
+
+
+
+matchers-condition string
+
+
+
+
+MatchersCondition is the condition between the matchers. Default is OR.
+
+
+Valid values:
+
+
+ - and
+
+ - or
+
+
+
+
+
+
+id string
+
+
+
+
+ID is the the optional id of the request
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name is the Hostname to make DNS request for.
+
+Generally, it is set to {{FQDN}} which is the domain we get from input.
+
+
+
+Examples:
+
+
+```yaml
+name: '{{FQDN}}'
+```
+
+
+
+
+
+
+
+
+type string
+
+
+
+
+Type is the type of DNS request to make.
+
+
+Valid values:
+
+
+ - A
+
+ - NS
+
+ - DS
+
+ - CNAME
+
+ - SOA
+
+ - PTR
+
+ - MX
+
+ - TXT
+
+ - AAAA
+
+
+
+
+
+
+class string
+
+
+
+
+Class is the class of the DNS request.
+
+Usually it's enough to just leave it as INET.
+
+
+Valid values:
+
+
+ - inet
+
+ - csnet
+
+ - chaos
+
+ - hesiod
+
+ - none
+
+ - any
+
+
+
+
+
+
+retries int
+
+
+
+
+Retries is the number of retries for the DNS request
+
+
+
+Examples:
+
+
+```yaml
+# Use a retry of 3 to 5 generally
+retries: 5
+```
+
+
+
+
+
+
+
+
+recursion bool
+
+
+
+
+Recursion determines if resolver should recurse all records to get fresh results.
+
+
+
+
+
+
+
+
+
+## file.Request
+Request contains a File matching mechanism for local disk operations.
+
+Appears in:
+
+
+- Template.file
+
+
+```yaml
+extractors:
+ - type: regex
+ regex:
+ - amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
+extensions:
+ - all
+```
+
+
+
+
+
+
+Matchers contains the detection mechanism for the request to identify
+whether the request was successful by doing pattern matching
+on request/responses.
+
+Multiple matchers can be combined together with `matcher-condition` flag
+which accepts either `and` or `or` as argument.
+
+
+
+
+
+
+
+
+Extractors contains the extraction mechanism for the request to identify
+and extract parts of the response.
+
+
+
+
+
+
+
+matchers-condition string
+
+
+
+
+MatchersCondition is the condition between the matchers. Default is OR.
+
+
+Valid values:
+
+
+ - and
+
+ - or
+
+
+
+
+
+
+extensions []string
+
+
+
+
+Extensions is the list of extensions to perform matching on.
+
+
+
+Examples:
+
+
+```yaml
+extensions:
+ - .txt
+ - .go
+ - .json
+```
+
+
+
+
+
+
+
+
+denylist []string
+
+
+
+
+ExtensionDenylist is the list of file extensions to deny during matching.
+
+By default, it contains some non-interesting extensions that are hardcoded
+in nuclei.
+
+
+
+Examples:
+
+
+```yaml
+denylist:
+ - .avi
+ - .mov
+ - .mp3
+```
+
+
+
+
+
+
+
+
+id string
+
+
+
+
+ID is the the optional id of the request
+
+
+
+
+
+
+
+max-size int
+
+
+
+
+MaxSize is the maximum size of the file to run request on.
+
+By default, nuclei will process 5MB files and not go more than that.
+It can be set to much lower or higher depending on use.
+
+
+
+Examples:
+
+
+```yaml
+max-size: 2048
+```
+
+
+
+
+
+
+
+
+no-recursive bool
+
+
+
+
+NoRecursive specifies whether to not do recursive checks if folders are provided.
+
+
+
+
+
+
+
+
+
+## network.Request
+Request contains a Network protocol request to be made from a template
+
+Appears in:
+
+
+- Template.network
+
+
+```yaml
+host:
+ - '{{Hostname}}'
+ - '{{Hostname}}:2181'
+inputs:
+ - data: "envi\r\nquit\r\n"
+read-size: 2048
+matchers:
+ - type: word
+ words:
+ - zookeeper.version
+```
+
+
+
+
+
+id string
+
+
+
+
+ID is the the optional id of the request
+
+
+
+
+
+
+
+host []string
+
+
+
+
+Host to send network requests to.
+
+Usually it's set to `{{Hostname}}`. If you want to enable TLS for
+TCP Connection, you can use `tls://{{Hostname}}`.
+
+
+
+Examples:
+
+
+```yaml
+host:
+ - '{{Hostname}}'
+```
+
+
+
+
+
+
+
+
+attack string
+
+
+
+
+Attack is the type of payload combinations to perform.
+
+Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates
+permutations and combinations for all payloads.
+
+
+Valid values:
+
+
+ - sniper
+
+ - pitchfork
+
+ - clusterbomb
+
+
+
+
+
+
+payloads map[string]interface{}
+
+
+
+
+Payloads contains any payloads for the current request.
+
+Payloads support both key-values combinations where a list
+of payloads is provided, or optionally a single file can also
+be provided as payload which will be read on run-time.
+
+
+
+
+
+
+
+
+Inputs contains inputs for the network socket
+
+
+
+
+
+
+
+read-size int
+
+
+
+
+ReadSize is the size of response to read at the end
+
+Default value for read-size is 1024.
+
+
+
+Examples:
+
+
+```yaml
+read-size: 2048
+```
+
+
+
+
+
+
+
+
+
+Matchers contains the detection mechanism for the request to identify
+whether the request was successful by doing pattern matching
+on request/responses.
+
+Multiple matchers can be combined together with `matcher-condition` flag
+which accepts either `and` or `or` as argument.
+
+
+
+
+
+
+
+
+Extractors contains the extraction mechanism for the request to identify
+and extract parts of the response.
+
+
+
+
+
+
+
+matchers-condition string
+
+
+
+
+MatchersCondition is the condition between the matchers. Default is OR.
+
+
+Valid values:
+
+
+ - and
+
+ - or
+
+
+
+
+
+
+
+
+## network.Input
+
+Appears in:
+
+
+- network.Request.inputs
+
+
+
+
+
+
+
+data string
+
+
+
+
+Data is the data to send as the input.
+
+It supports DSL Helper Functions as well as normal expressions.
+
+
+
+Examples:
+
+
+```yaml
+data: TEST
+```
+
+```yaml
+data: hex_decode('50494e47')
+```
+
+
+
+
+
+
+
+
+type string
+
+
+
+
+Type is the type of input specified in `data` field.
+
+Default value is text, but hex can be used for hex formatted data.
+
+
+Valid values:
+
+
+ - hex
+
+ - text
+
+
+
+
+
+
+read int
+
+
+
+
+Read is the number of bytes to read from socket.
+
+This can be used for protcols which expected an immediate response. You can
+read and write responses one after another and evetually perform matching
+on every data captured with `name` attribute.
+
+The [network docs](https://nuclei.projectdiscovery.io/templating-guide/protocols/network/) highlight more on how to do this.
+
+
+
+Examples:
+
+
+```yaml
+read: 1024
+```
+
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name is the optional name of the data read to provide matching on.
+
+
+
+Examples:
+
+
+```yaml
+name: prefix
+```
+
+
+
+
+
+
+
+
+
+
+## headless.Request
+Request contains a Headless protocol request to be made from a template
+
+Appears in:
+
+
+- Template.headless
+
+
+
+
+
+
+
+id string
+
+
+
+
+ID is the the optional id of the request
+
+
+
+
+
+
+
+
+Steps is the list of actions to run for headless request
+
+
+
+
+
+
+
+
+Matchers contains the detection mechanism for the request to identify
+whether the request was successful by doing pattern matching
+on request/responses.
+
+Multiple matchers can be combined together with `matcher-condition` flag
+which accepts either `and` or `or` as argument.
+
+
+
+
+
+
+
+
+Extractors contains the extraction mechanism for the request to identify
+and extract parts of the response.
+
+
+
+
+
+
+
+matchers-condition string
+
+
+
+
+MatchersCondition is the condition between the matchers. Default is OR.
+
+
+Valid values:
+
+
+ - and
+
+ - or
+
+
+
+
+
+
+
+
+## engine.Action
+Action is an action taken by the browser to reach a navigation
+
+ Each step that the browser executes is an action. Most navigations
+ usually start from the ActionLoadURL event, and further navigations
+ are discovered on the found page. We also keep track and only
+ scrape new navigation from pages we haven't crawled yet.
+
+Appears in:
+
+
+- headless.Request.steps
+
+
+
+
+
+
+
+args map[string]string
+
+
+
+
+Args contain arguments for the headless action.
+Per action arguments are described in detail [here](https://nuclei.projectdiscovery.io/templating-guide/protocols/headless/).
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name is the name assigned to the headless action.
+
+This can be used to execute code, for instance in browser
+DOM using script action, and get the result in a variable
+which can be matched upon by nuclei. An Example template [here](https://github.com/projectdiscovery/nuclei-templates/blob/master/headless/prototype-pollution-check.yaml).
+
+
+
+
+
+
+
+description string
+
+
+
+
+Description is the optional description of the headless action
+
+
+
+
+
+
+
+action string
+
+
+
+
+Action is the type of the action to perform.
+
+
+Valid values:
+
+
+ - navigate
+
+ - script
+
+ - click
+
+ - rightclick
+
+ - text
+
+ - screenshot
+
+ - time
+
+ - select
+
+ - files
+
+ - waitload
+
+ - getresource
+
+ - extract
+
+ - setmethod
+
+ - addheader
+
+ - setheader
+
+ - deleteheader
+
+ - setbody
+
+ - waitevent
+
+ - keyboard
+
+ - debug
+
+ - sleep
+
+
+
+
+
+
+
+
+## workflows.WorkflowTemplate
+
+Appears in:
+
+
+- Template.workflows
+
+- workflows.WorkflowTemplate.subtemplates
+
+- workflows.Matcher.subtemplates
+
+
+
+
+
+
+
+template string
+
+
+
+
+Template is a single template or directory to execute as part of workflow.
+
+
+
+Examples:
+
+
+```yaml
+# A single template
+template: dns/worksites-detection.yaml
+```
+
+```yaml
+# A template directory
+template: misconfigurations/aem
+```
+
+
+
+
+
+
+
+
+
+Tags to run templates based on.
+
+
+
+
+
+
+
+
+Matchers perform name based matching to run subtemplates for a workflow.
+
+
+
+
+
+
+
+
+Subtemplates are ran if the `template` field Template matches.
+
+
+
+
+
+
+
+
+
+## workflows.Matcher
+
+Appears in:
+
+
+- workflows.WorkflowTemplate.matchers
+
+
+
+
+
+
+
+name string
+
+
+
+
+Name is the name of the item to match.
+
+
+
+
+
+
+
+
+Subtemplates are ran if the name of matcher matches.
+
+
+
+
+
+
+
+
diff --git a/nuclei-jsonschema.json b/nuclei-jsonschema.json
new file mode 100755
index 000000000..6092a125a
--- /dev/null
+++ b/nuclei-jsonschema.json
@@ -0,0 +1,914 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/templates.Template",
+ "definitions": {
+ "severity.SeverityHolder": {
+ "enum": [
+ "info",
+ "low",
+ "medium",
+ "high",
+ "critical"
+ ],
+ "type": "string",
+ "title": "severity of the template",
+ "description": "Seriousness of the implications of the template"
+ },
+ "model.Info": {
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "name of the template",
+ "description": "Name is a short summary of what the template does",
+ "examples": [
+ "Nagios Default Credentials Check"
+ ]
+ },
+ "author": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/model.StringSlice",
+ "title": "author of the template",
+ "description": "Author is the author of the template"
+ },
+ "tags": {
+ "$ref": "#/definitions/model.StringSlice",
+ "title": "tags of the template",
+ "description": "Any tags for the template"
+ },
+ "description": {
+ "type": "string",
+ "title": "description of the template",
+ "description": "In-depth explanation on what the template does",
+ "examples": [
+ "Bower is a package manager which stores packages informations in bower.json file"
+ ]
+ },
+ "reference": {
+ "$ref": "#/definitions/model.StringSlice",
+ "title": "references for the template",
+ "description": "Links relevant to the template"
+ },
+ "severity": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/severity.SeverityHolder"
+ },
+ "additional-fields": {
+ "patternProperties": {
+ ".*": {
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "title": "additional metadata for the template",
+ "description": "Additional metadata fields for the template"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "model.StringSlice": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "array"
+ }
+ ]
+ },
+ "extractors.Extractor": {
+ "required": [
+ "type"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "name of the extractor",
+ "description": "Name of the extractor"
+ },
+ "type": {
+ "enum": [
+ "regex",
+ "kval",
+ "json",
+ "xpath"
+ ],
+ "type": "string",
+ "title": "type of the extractor",
+ "description": "Type of the extractor"
+ },
+ "regex": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "regex to extract from part",
+ "description": "Regex to extract from part"
+ },
+ "group": {
+ "type": "integer",
+ "title": "group to extract from regex",
+ "description": "Group to extract from regex"
+ },
+ "kval": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "kval pairs to extract from response",
+ "description": "Kval pairs to extract from response"
+ },
+ "json": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "json jq expressions to extract data",
+ "description": "JSON JQ expressions to evaluate from response part"
+ },
+ "xpath": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "html xpath expressions to extract data",
+ "description": "XPath allows using xpath expressions to extract items from html response"
+ },
+ "attribute": {
+ "type": "string",
+ "title": "optional attribute to extract from xpath",
+ "description": "Optional attribute to extract from response XPath"
+ },
+ "part": {
+ "type": "string",
+ "title": "part of response to extract data from",
+ "description": "Part of the request response to extract data from"
+ },
+ "internal": {
+ "type": "boolean",
+ "title": "mark extracted value for internal variable use",
+ "description": "Internal when set to true will allow using the value extracted in the next request for some protocols"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "matchers.Matcher": {
+ "required": [
+ "type"
+ ],
+ "properties": {
+ "type": {
+ "enum": [
+ "status",
+ "size",
+ "word",
+ "regex",
+ "dsl"
+ ],
+ "type": "string",
+ "title": "type of matcher",
+ "description": "Type of the matcher"
+ },
+ "condition": {
+ "enum": [
+ "and",
+ "or"
+ ],
+ "type": "string",
+ "title": "condition between matcher variables",
+ "description": "Condition between the matcher variables"
+ },
+ "part": {
+ "type": "string",
+ "title": "part of response to match",
+ "description": "Part of response to match data from"
+ },
+ "negative": {
+ "type": "boolean",
+ "title": "negative specifies if match reversed",
+ "description": "Negative specifies if the match should be reversed. It will only match if the condition is not true"
+ },
+ "name": {
+ "type": "string",
+ "title": "name of the matcher",
+ "description": "Name of the matcher"
+ },
+ "status": {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array",
+ "title": "status to match",
+ "description": "Status to match for the response"
+ },
+ "size": {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array",
+ "title": "acceptable size for response",
+ "description": "Size is the acceptable size for the response"
+ },
+ "words": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "words to match in response",
+ "description": " Words contains word patterns required to be present in the response part"
+ },
+ "regex": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "regex to match in response",
+ "description": "Regex contains regex patterns required to be present in the response part"
+ },
+ "binary": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "binary patterns to match in response",
+ "description": "Binary are the binary patterns required to be present in the response part"
+ },
+ "dsl": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "dsl expressions to match in response",
+ "description": "DSL are the dsl expressions that will be evaluated as part of nuclei matching rules"
+ },
+ "encoding": {
+ "enum": [
+ "hex"
+ ],
+ "type": "string",
+ "title": "encoding for word field",
+ "description": "Optional encoding for the word fields"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "dns.Request": {
+ "properties": {
+ "matchers": {
+ "items": {
+ "$ref": "#/definitions/matchers.Matcher"
+ },
+ "type": "array",
+ "title": "matchers to run on response",
+ "description": "Detection mechanism to identify whether the request was successful by doing pattern matching"
+ },
+ "extractors": {
+ "items": {
+ "$ref": "#/definitions/extractors.Extractor"
+ },
+ "type": "array",
+ "title": "extractors to run on response",
+ "description": "Extractors contains the extraction mechanism for the request to identify and extract parts of the response"
+ },
+ "matchers-condition": {
+ "enum": [
+ "and",
+ "or"
+ ],
+ "type": "string",
+ "title": "condition between the matchers",
+ "description": "Conditions between the matchers"
+ },
+ "id": {
+ "type": "string",
+ "title": "id of the dns request",
+ "description": "ID is the optional ID of the DNS Request"
+ },
+ "name": {
+ "type": "string",
+ "title": "hostname to make dns request for",
+ "description": "Name is the Hostname to make DNS request for"
+ },
+ "type": {
+ "enum": [
+ "A",
+ "NS",
+ "DS",
+ "CNAME",
+ "SOA",
+ "PTR",
+ "MX",
+ "TXT",
+ "AAAA"
+ ],
+ "type": "string",
+ "title": "type of dns request to make",
+ "description": "Type is the type of DNS request to make"
+ },
+ "class": {
+ "enum": [
+ "inet",
+ "csnet",
+ "chaos",
+ "hesiod",
+ "none",
+ "any"
+ ],
+ "type": "string",
+ "title": "class of DNS request",
+ "description": "Class is the class of the DNS request"
+ },
+ "retries": {
+ "type": "integer",
+ "title": "retries for dns request",
+ "description": "Retries is the number of retries for the DNS request"
+ },
+ "recursion": {
+ "type": "boolean",
+ "title": "recurse all servers",
+ "description": "Recursion determines if resolver should recurse all records to get fresh results"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "file.Request": {
+ "properties": {
+ "matchers": {
+ "items": {
+ "$ref": "#/definitions/matchers.Matcher"
+ },
+ "type": "array",
+ "title": "matchers to run on response",
+ "description": "Detection mechanism to identify whether the request was successful by doing pattern matching"
+ },
+ "extractors": {
+ "items": {
+ "$ref": "#/definitions/extractors.Extractor"
+ },
+ "type": "array",
+ "title": "extractors to run on response",
+ "description": "Extractors contains the extraction mechanism for the request to identify and extract parts of the response"
+ },
+ "matchers-condition": {
+ "enum": [
+ "and",
+ "or"
+ ],
+ "type": "string",
+ "title": "condition between the matchers",
+ "description": "Conditions between the matchers"
+ },
+ "extensions": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "extensions to match",
+ "description": "List of extensions to perform matching on"
+ },
+ "denylist": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "extensions to deny match",
+ "description": "List of file extensions to deny during matching"
+ },
+ "id": {
+ "type": "string",
+ "title": "id of the request",
+ "description": "ID is the optional ID for the request"
+ },
+ "max-size": {
+ "type": "integer",
+ "title": "max size data to run request on",
+ "description": "Maximum size of the file to run request on"
+ },
+ "no-recursive": {
+ "type": "boolean",
+ "title": "do not perform recursion",
+ "description": "Specifies whether to not do recursive checks if folders are provided"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "headless.Request": {
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "id of the request",
+ "description": "Optional ID of the headless request"
+ },
+ "steps": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/engine.Action"
+ },
+ "type": "array",
+ "title": "list of actions for headless request",
+ "description": "List of actions to run for headless request"
+ },
+ "matchers": {
+ "items": {
+ "$ref": "#/definitions/matchers.Matcher"
+ },
+ "type": "array",
+ "title": "matchers to run on response",
+ "description": "Detection mechanism to identify whether the request was successful by doing pattern matching"
+ },
+ "extractors": {
+ "items": {
+ "$ref": "#/definitions/extractors.Extractor"
+ },
+ "type": "array",
+ "title": "extractors to run on response",
+ "description": "Extractors contains the extraction mechanism for the request to identify and extract parts of the response"
+ },
+ "matchers-condition": {
+ "enum": [
+ "and",
+ "or"
+ ],
+ "type": "string",
+ "title": "condition between the matchers",
+ "description": "Conditions between the matchers"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "engine.Action": {
+ "required": [
+ "action"
+ ],
+ "properties": {
+ "args": {
+ "patternProperties": {
+ ".*": {
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "title": "arguments for headless action",
+ "description": "Args contain arguments for the headless action"
+ },
+ "name": {
+ "type": "string",
+ "title": "name for headless action",
+ "description": "Name is the name assigned to the headless action"
+ },
+ "description": {
+ "type": "string",
+ "title": "description for headless action",
+ "description": "Description of the headless action"
+ },
+ "action": {
+ "enum": [
+ "navigate",
+ "script",
+ "click",
+ "rightclick",
+ "text",
+ "screenshot",
+ "time",
+ "select",
+ "files",
+ "waitload",
+ "getresource",
+ "extract",
+ "setmethod",
+ "addheader",
+ "setheader",
+ "deleteheader",
+ "setbody",
+ "waitevent",
+ "keyboard",
+ "debug",
+ "sleep"
+ ],
+ "type": "string",
+ "title": "action to perform",
+ "description": "Type of actions to perform"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "http.Request": {
+ "properties": {
+ "matchers": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/matchers.Matcher"
+ },
+ "type": "array",
+ "title": "matchers to run on response",
+ "description": "Detection mechanism to identify whether the request was successful by doing pattern matching"
+ },
+ "extractors": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/extractors.Extractor"
+ },
+ "type": "array",
+ "title": "extractors to run on response",
+ "description": "Extractors contains the extraction mechanism for the request to identify and extract parts of the response"
+ },
+ "matchers-condition": {
+ "enum": [
+ "and",
+ "or"
+ ],
+ "type": "string",
+ "title": "condition between the matchers",
+ "description": "Conditions between the matchers"
+ },
+ "path": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "path(s) for the http request",
+ "description": "Path(s) to send http requests to"
+ },
+ "raw": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "description": "HTTP Requests in Raw Format"
+ },
+ "id": {
+ "type": "string",
+ "title": "id for the http request",
+ "description": "ID for the HTTP Request"
+ },
+ "name": {
+ "type": "string",
+ "title": "name for the http request",
+ "description": "Optional name for the HTTP Request"
+ },
+ "attack": {
+ "enum": [
+ "sniper",
+ "pitchfork",
+ "clusterbomb"
+ ],
+ "type": "string",
+ "title": "attack is the payload combination",
+ "description": "Attack is the type of payload combinations to perform"
+ },
+ "method": {
+ "enum": [
+ "GET",
+ "HEAD",
+ "POST",
+ "PUT",
+ "DELETE",
+ "CONNECT",
+ "OPTIONS",
+ "TRACE",
+ "PATCH"
+ ],
+ "type": "string",
+ "title": "method is the http request method",
+ "description": "Method is the HTTP Request Method"
+ },
+ "body": {
+ "type": "string",
+ "title": "body is the http request body",
+ "description": "Body is an optional parameter which contains HTTP Request body"
+ },
+ "payloads": {
+ "patternProperties": {
+ ".*": {
+ "additionalProperties": true
+ }
+ },
+ "type": "object",
+ "title": "payloads for the http request",
+ "description": "Payloads contains any payloads for the current request"
+ },
+ "headers": {
+ "patternProperties": {
+ ".*": {
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "title": "headers to send with the http request",
+ "description": "Headers contains HTTP Headers to send with the request"
+ },
+ "race_count": {
+ "type": "integer",
+ "title": "number of times to repeat request in race condition",
+ "description": "Number of times to send a request in Race Condition Attack"
+ },
+ "max-redirects": {
+ "type": "integer",
+ "title": "maximum number of redirects to follow",
+ "description": "Maximum number of redirects that should be followed"
+ },
+ "pipeline-concurrent-connections": {
+ "type": "integer",
+ "title": "number of pipelining connections",
+ "description": "Number of connections to create during pipelining"
+ },
+ "pipeline-requests-per-connection": {
+ "type": "integer",
+ "title": "number of requests to send per pipelining connections",
+ "description": "Number of requests to send per connection when pipelining"
+ },
+ "threads": {
+ "type": "integer",
+ "title": "threads for sending requests",
+ "description": "Threads specifies number of threads to use sending requests. This enables Connection Pooling"
+ },
+ "max-size": {
+ "type": "integer",
+ "title": "maximum http response body size",
+ "description": "Maximum size of http response body to read in bytes"
+ },
+ "cookie-reuse": {
+ "type": "boolean",
+ "title": "optional cookie reuse enable",
+ "description": "Optional setting that enables cookie reuse"
+ },
+ "redirects": {
+ "type": "boolean",
+ "title": "follow http redirects",
+ "description": "Specifies whether redirects should be followed by the HTTP Client"
+ },
+ "pipeline": {
+ "type": "boolean",
+ "title": "perform HTTP 1.1 pipelining",
+ "description": "Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining"
+ },
+ "unsafe": {
+ "type": "boolean",
+ "title": "use rawhttp non-strict-rfc client",
+ "description": "Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests"
+ },
+ "race": {
+ "type": "boolean",
+ "title": "perform race-http request coordination attack",
+ "description": "Race determines if all the request have to be attempted at the same time (Race Condition)"
+ },
+ "req-condition": {
+ "type": "boolean",
+ "title": "preserve request history",
+ "description": "Automatically assigns numbers to requests and preserves their history"
+ },
+ "stop-at-first-match": {
+ "type": "boolean",
+ "title": "stop at first match",
+ "description": "Stop the execution after a match is found"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "network.Input": {
+ "properties": {
+ "data": {
+ "type": "string",
+ "title": "data to send as input",
+ "description": "Data is the data to send as the input"
+ },
+ "type": {
+ "enum": [
+ "hex",
+ "text"
+ ],
+ "type": "string",
+ "title": "type is the type of input data",
+ "description": "Type of input specified in data field"
+ },
+ "read": {
+ "type": "integer",
+ "title": "bytes to read from socket",
+ "description": "Number of bytes to read from socket"
+ },
+ "name": {
+ "type": "string",
+ "title": "optional name for data read",
+ "description": "Optional name of the data read to provide matching on"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "network.Request": {
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "id of the request",
+ "description": "ID of the network request"
+ },
+ "host": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array",
+ "title": "host to send requests to",
+ "description": "Host to send network requests to"
+ },
+ "attack": {
+ "enum": [
+ "sniper",
+ "pitchfork",
+ "clusterbomb"
+ ],
+ "type": "string",
+ "title": "attack is the payload combination",
+ "description": "Attack is the type of payload combinations to perform"
+ },
+ "payloads": {
+ "patternProperties": {
+ ".*": {
+ "additionalProperties": true
+ }
+ },
+ "type": "object",
+ "title": "payloads for the network request",
+ "description": "Payloads contains any payloads for the current request"
+ },
+ "inputs": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/network.Input"
+ },
+ "type": "array",
+ "title": "inputs for the network request",
+ "description": "Inputs contains any input/output for the current request"
+ },
+ "read-size": {
+ "type": "integer",
+ "title": "size of network response to read",
+ "description": "Size of response to read at the end. Default is 1024 bytes"
+ },
+ "matchers": {
+ "items": {
+ "$ref": "#/definitions/matchers.Matcher"
+ },
+ "type": "array",
+ "title": "matchers to run on response",
+ "description": "Detection mechanism to identify whether the request was successful by doing pattern matching"
+ },
+ "extractors": {
+ "items": {
+ "$ref": "#/definitions/extractors.Extractor"
+ },
+ "type": "array",
+ "title": "extractors to run on response",
+ "description": "Extractors contains the extraction mechanism for the request to identify and extract parts of the response"
+ },
+ "matchers-condition": {
+ "enum": [
+ "and",
+ "or"
+ ],
+ "type": "string",
+ "title": "condition between the matchers",
+ "description": "Conditions between the matchers"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "templates.Template": {
+ "required": [
+ "id",
+ "info"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "title": "id of the template",
+ "description": "The Unique ID for the template",
+ "examples": [
+ "cve-2021-19520"
+ ]
+ },
+ "info": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/model.Info",
+ "title": "info for the template",
+ "description": "Info contains metadata for the template"
+ },
+ "requests": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/http.Request"
+ },
+ "type": "array",
+ "title": "http requests to make",
+ "description": "HTTP requests to make for the template"
+ },
+ "dns": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/dns.Request"
+ },
+ "type": "array",
+ "title": "dns requests to make",
+ "description": "DNS requests to make for the template"
+ },
+ "file": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/file.Request"
+ },
+ "type": "array",
+ "title": "file requests to make",
+ "description": "File requests to make for the template"
+ },
+ "network": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/network.Request"
+ },
+ "type": "array",
+ "title": "network requests to make",
+ "description": "Network requests to make for the template"
+ },
+ "headless": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/headless.Request"
+ },
+ "type": "array",
+ "title": "headless requests to make",
+ "description": "Headless requests to make for the template"
+ },
+ "workflows": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/workflows.WorkflowTemplate"
+ },
+ "type": "array",
+ "title": "list of workflows to execute",
+ "description": "List of workflows to execute for template"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "workflows.Matcher": {
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "name of item to match",
+ "description": "Name of item to match"
+ },
+ "subtemplates": {
+ "items": {
+ "$ref": "#/definitions/workflows.WorkflowTemplate"
+ },
+ "type": "array",
+ "title": "templates to run after match",
+ "description": "Templates to run after match"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ },
+ "workflows.WorkflowTemplate": {
+ "properties": {
+ "template": {
+ "type": "string",
+ "title": "template/directory to execute",
+ "description": "Template or directory to execute as part of workflow"
+ },
+ "tags": {
+ "$ref": "#/definitions/model.StringSlice",
+ "title": "tags to execute",
+ "description": "Tags to run template based on"
+ },
+ "matchers": {
+ "items": {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/workflows.Matcher"
+ },
+ "type": "array",
+ "title": "name based template result matchers",
+ "description": "Matchers perform name based matching to run subtemplates for a workflow"
+ },
+ "subtemplates": {
+ "items": {
+ "$ref": "#/definitions/workflows.WorkflowTemplate"
+ },
+ "type": "array",
+ "title": "subtemplate based result matchers",
+ "description": "Subtemplates are ran if the template field Template matches"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object"
+ }
+ }
+}
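Review bot: The array branch of `model.StringSlice` carries no `items` constraint, so a template whose `author`, `tags` or `reference` is an array of numbers or nested objects passes schema validation. Adding `"items": {"type": "string"}` next to `"type": "array"` in that definition would make the schema reject such input before it reaches the loader. If this file is emitted by a generator from the Go types, which the repeated `$schema` keys next to `$ref` suggest, the fix belongs in that type's schema definition rather than in the JSON itself.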
diff --git a/v2/.goreleaser.yml b/v2/.goreleaser.yml
index e97cfc12a..8ae96e831 100644
--- a/v2/.goreleaser.yml
+++ b/v2/.goreleaser.yml
@@ -20,6 +20,8 @@ builds:
goarch: '386'
- goos: windows
goarch: 'arm'
+ - goos: windows
+ goarch: 'arm64'
binary: '{{ .ProjectName }}'
main: cmd/nuclei/main.go
@@ -30,4 +32,4 @@ archives:
darwin: macOS
checksum:
- algorithm: sha256
\ No newline at end of file
+ algorithm: sha256
diff --git a/v2/pkg/catalog/config/config.go b/v2/pkg/catalog/config/config.go
index f9d2e412f..8e7ca51ef 100644
--- a/v2/pkg/catalog/config/config.go
+++ b/v2/pkg/catalog/config/config.go
@@ -28,7 +28,7 @@ type Config struct {
const nucleiConfigFilename = ".templates-config.json"
// Version is the current version of nuclei
-const Version = `2.5.0`
+const Version = `2.5.1-dev`
func getConfigDetails() (string, error) {
homeDir, err := os.UserHomeDir()
diff --git a/v2/pkg/templates/templates.go b/v2/pkg/templates/templates.go
index 3194425c7..b6f2491ac 100644
--- a/v2/pkg/templates/templates.go
+++ b/v2/pkg/templates/templates.go
@@ -16,8 +16,7 @@ import (
// other metadata for a template.
type Template struct {
// description: |
- // ID is the unique id for the template. IDs must be lowercase
- // and must not contain spaces in it.
+ // ID is the unique id for the template.
//
// #### Good IDs
//
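Review bot: With the lowercase/no-spaces sentence removed, the `ID` description no longer states any constraint on the value, and the schema added in this commit types `id` as a plain string with no pattern. If the loader still validates IDs somewhere outside this hunk, or if IDs are used as keys in output, the comment should say which characters are accepted, for example `// IDs may contain letters, digits and hyphens and must not contain spaces.`, adjusted to what is actually enforced. The `Template` struct continues outside the hunk, so any validation elsewhere is not visible from here.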
@@ -27,7 +26,7 @@ type Template struct {
// example name is `azure-apps-nxdomain-takeover`.
// examples:
// - name: ID Example
- // value: "\"cve-2021-19520\""
+ // value: "\"CVE-2021-19520\""
ID string `yaml:"id" jsonschema:"title=id of the template,description=The Unique ID for the template,example=cve-2021-19520"`
// description: |
// Info contains metadata information about the template.
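Review bot: The `jsonschema` tag on the unchanged `ID` field line still has `example=cve-2021-19520`, while the doc example two lines above it was changed to `CVE-2021-19520`. The generated schema and the syntax reference will therefore show different casing for the same example. Changing the tag to `example=CVE-2021-19520` keeps the two outputs consistent. The struct continues outside the hunk.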
diff --git a/v2/pkg/templates/templates_doc.go b/v2/pkg/templates/templates_doc.go
index 5e65c59e5..1a715176d 100644
--- a/v2/pkg/templates/templates_doc.go
+++ b/v2/pkg/templates/templates_doc.go
@@ -34,10 +34,10 @@ func init() {
TemplateDoc.Fields[0].Name = "id"
TemplateDoc.Fields[0].Type = "string"
TemplateDoc.Fields[0].Note = ""
- TemplateDoc.Fields[0].Description = "ID is the unique id for the template. IDs must be lowercase\nand must not contain spaces in it.\n\n#### Good IDs\n\nA good ID uniquely identifies what the requests in the template\nare doing. Let's say you have a template that identifies a git-config\nfile on the webservers, a good name would be `git-config-exposure`. Another\nexample name is `azure-apps-nxdomain-takeover`."
- TemplateDoc.Fields[0].Comments[encoder.LineComment] = "ID is the unique id for the template. IDs must be lowercase"
+ TemplateDoc.Fields[0].Description = "ID is the unique id for the template.\n\n#### Good IDs\n\nA good ID uniquely identifies what the requests in the template\nare doing. Let's say you have a template that identifies a git-config\nfile on the webservers, a good name would be `git-config-exposure`. Another\nexample name is `azure-apps-nxdomain-takeover`."
+ TemplateDoc.Fields[0].Comments[encoder.LineComment] = "ID is the unique id for the template."
- TemplateDoc.Fields[0].AddExample("ID Example", "cve-2021-19520")
+ TemplateDoc.Fields[0].AddExample("ID Example", "CVE-2021-19520")
TemplateDoc.Fields[1].Name = "info"
TemplateDoc.Fields[1].Type = "model.Info"
TemplateDoc.Fields[1].Note = ""