Nuclei Templates use a custom YAML-based DSL, with their structure varying according to the specific protocol employed. Typically, a template comprises the following elements:
- A unique ID for the template
- Essential information and metadata relevant to the template
- The designated protocol, such as HTTP, DNS, File, etc.
- Details specific to the chosen protocol, like the requests made in the HTTP protocol
- A series of matchers to ascertain the presence of findings
- Necessary extractors for data retrieval from the results
For a detailed, automatically generated overview of everything available in the nuclei template syntax, you can visit the syntax reference on GitHub
Each template has a unique ID which is used during output writing to specify the template name for an output line.
The template file ends with YAML extension. The template files can be created any text editor of your choice.
ID must not contain spaces. This is done to allow easier output parsing.
Next important piece of information about a template is the info block. Info block provides name, author, severity, description, reference, tags and
metadata. It also contains severity field which indicates the severity of the template, info block also supports dynamic fields, so one can define N number of
key: value blocks to provide more useful information about the template. reference is another popular tag to define external reference links for the template.
Another useful tag to always add in
info block is tags. This allows you to set some custom tags to a template, depending on the purpose like
rce etc. This allows nuclei to identify templates with your input tags and only run them.
Example of an info block -
info: name: Git Config File Detection Template author: Ice3man severity: medium description: Searches for the pattern /.git/config on passed URLs. reference: https://www.acunetix.com/vulnerabilities/web/git-repository-found/ tags: git,config
Actual requests and corresponding matchers are placed below the info block, and they perform the task of making requests to target servers and finding if the template request was successful.
Each template file can contain multiple requests to be made. The template is iterated and one by one the desired requests are made to the target sites.
The best part of this is you can simply share your crafted template with your teammates, triage/security team to replicate the issue on the other side with ease.
The metadata nodes are crafted this way:
<engine>-query: '<query>' where:
<engine>is the search engine, equivalent of the value of the
-ueoption of nuclei or the
-eoption of uncover
<query>is the search query, equivalent of the value of the
-uqoption of nuclei or the
-qoption of uncover
For example for Shodan:
info: metadata: shodan-query: 'vuln:CVE-2021-26855'