Workflows enable users to orchestrate a series of actions by setting a defined execution order for various templates. These templates are activated upon predetermined conditions, establishing a streamlined method to leverage the capabilities of nuclei tailored to the user’s specific requirements. Consequently, you can craft workflows that are contingent on particular technologies or targets—such as those exclusive to WordPress or Jira—triggering these sequences only when the relevant technology is identified.
Within a workflow, all templates share a unified execution environment, which means that any named extractor from one template can be seamlessly accessed in another by simply referencing its designated name.
For those with prior knowledge of the technology stack in use, we advise constructing personalized workflows for your scans. This strategic approach not only substantially reduces the duration of scans but also enhances the quality and precision of the outcomes.
workflows attribute, following the template / subtemplates and tags to execute.
workflows:
- template: http/technologies/template-to-execute.yaml
- Generic workflows
- Conditional workflows
Generic Workflows
In generic workflow one can define single or multiple template to be executed from a single workflow file. It supports both files and directories as input.
A workflow that runs all config related templates on the list of give URLs.
workflows:
- template: http/exposures/configs/git-config.yaml
- template: http/exposures/configs/exposed-svn.yaml
- template: http/vulnerabilities/generic/generic-env.yaml
- template: http/exposures/backups/zip-backup-files.yaml
- tags: xss,ssrf,cve,lfi
workflows:
- template: http/cves/
- template: http/exposures/
- tags: exposures
Conditional Workflows
You can also create conditional templates which execute after matching the condition from a previous template. This is mostly useful for vulnerability detection and exploitation as well as tech based detection and exploitation. Use-cases for this kind of workflows are vast and varied.
Templates based condition check
A workflow that executes subtemplates when base template gets matched.
workflows:
- template: http/technologies/jira-detect.yaml
subtemplates:
- tags: jira
- template: exploits/jira/
workflows:
- template: http/technologies/tech-detect.yaml
matchers:
- name: vbulletin
subtemplates:
- template: exploits/vbulletin-exp1.yaml
- template: exploits/vbulletin-exp2.yaml
- name: jboss
subtemplates:
- template: exploits/jboss-exp1.yaml
- template: exploits/jboss-exp2.yaml
workflows:
- template: http/technologies/tech-detect.yaml
matchers:
- name: lotus-domino
subtemplates:
- template: http/technologies/lotus-domino-version.yaml
subtemplates:
- template: http/cves/2020/xx-yy-zz.yaml
subtemplates:
- template: http/cves/2020/xx-xx-xx.yaml
Shared Execution Context
Nuclei engine supports transparent workflow cookiejar and key-value sharing across templates parts of a same workflow. Here follow an example of a workflow that extract a value from the first template and use it in the second conditional one:
id: key-value-sharing-example
info:
name: Key Value Sharing Example
author: pdteam
severity: info
workflows:
- template: template-with-named-extractor.yaml
subtemplates:
- template: template-using-named-extractor.yaml
href links from a target web page body and make the value available under the extracted key:
# template-with-named-extractor.yaml
id: value-sharing-template1
info:
name: value-sharing-template1
author: pdteam
severity: info
http:
- path:
- "{{BaseURL}}/path1"
extractors:
- type: regex
part: body
name: extracted
regex:
- 'href="(.*)"'
group: 1
extracted):
# template-using-named-extractor.yaml
id: value-sharing-template2
info:
name: value-sharing-template2
author: pdteam
severity: info
http:
- raw:
- |
GET /path2 HTTP/1.1
Host: {{Hostname}}
{{extracted}}
