Automating Bug Bounties with Nuclei: Harnessing the Power of Custom Templates

Hello, amazing Hackers! I am Bhavarth Karmarkar, Security Engineer Intern at BugBase, and welcome to this comprehensive guide on "Automating Bug Bounties with Nuclei." In this post, we will delve into the intricacies of Nuclei, an open-source vulnerability scanner, and explore the art of crafting custom templates to supercharge your bug hunting endeavors.

Table of Contents

1. [Why Use Custom Templates?]
2. [The Basics of Writing Custom Templates]
3. [Fuzzing Techniques for Vulnerability Detection]
4. [Debugging and Validation]

Why Use Custom Templates?

In the realm of bug bounties, relying solely on default templates can make you just another script kiddie. Custom templates not only set you apart but also cater to the uniqueness of your target vulnerabilities. Here's why:

1. Targeted Scanning

When dealing with specific technologies or vulnerabilities not covered in default templates, custom templates shine. For instance, if a target organization predominantly uses an "nginx" server, crafting a custom workflow template for "nginx" specific checks can save time and lead to more focused results.

1id: nginx-workflow
2info:
3  name: Nginx workflow
4  author: <author>
5  description: A workflow for running Nginx-related nuclei templates on a given target.
6workflows:
7  - template: http/technologies/nginx/nginx-detect.yaml
8    subtemplates:
9      - tags: nginx
10

2. Custom Reporting

Tailor your reporting based on your environment's requirements. Whether automating bug bounty platform submissions or integrating with internal tracking systems like Jira, custom reporting templates empower users to prioritize their workflow effectively.

1# GitHub configuration for GitHub issue tracker
2github: 
3  username: "$user"
4  owner: "$user"
5  token: "$token"
6  project-name: "testing-project"
7  issue-label: "Nuclei"
8

3. Adapting to Evolving Threats

Stay ahead of the game by creating templates to test for specific CVEs, 0-Days, or novel attack vectors across various targets. For instance, a template for CVE-2023-32315 might look like this:

1id: CVE-2023-32315
2info:
3  name: Administration Console Authentication Bypass in Openfire Console
4  author: <author>
5  severity: high
6  description: |
7    <redacted>
8  remediation: |
9    <redacted>
10  reference:
11    - https://github.com/advisories/GHSA-gw42-f939-fhvm
12    - https://nvd.nist.gov/vuln/detail/CVE-2023-32315
13  classification:
14    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
15    cvss-score: 8.6
16    cve-id: CVE-2023-32315
17    cwe-id: CWE-22
18  metadata:
19    max-request: 1
20    verified: true
21    shodan-query: title:"openfire"
22  tags: cve,cve2023,auth-bypass,openfire,console
23http:
24  - raw:
25      - |+
26        GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1
27        Host: {{Hostname}}
28        Origin: {{BaseURL}}
29    unsafe: true
30    matchers-condition: and
31    matchers:
32      - type: word
33        part: body
34        words:
35          - "apache"
36          - "java"
37          - "openfire"
38          - "jivesoftware"
39        condition: and
40      - type: status
41        status:
42          - 200
43

4. Building PoCs for Vulnerabilities

Craft templates not just for detecting vulnerabilities but also for developing Proof of Concept (PoC) demonstrations. Simplify the reproduction efforts for triage teams, developers, and internal security teams.

1id: race-condition-testing
2info:
3  name: Race Condition testing
4  author: <author>
5  severity: info
6http:
7  - raw:
8      - |
9        POST /coupons HTTP/1.1
10        Host: {{Hostname}}
11        Pragma: no-cache
12        Cache-Control: no-cache, no-transform
13        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
14        Cookie: user_session=42332423342987567896
15        promo_code=20OFF        
16    race: true
17    race_count: 10
18    matchers:
19      - type: status
20        part: header
21        status:
22          - 200
23

5. Retesting Vulnerabilities

Automate the detection of known vulnerabilities across different environments with custom templates. Ensure that identified vulnerabilities are consistently retested and addressed.

1id: wp-socialfit-xss
2info:
3  name: WordPress Plugin SocialFit - 'msg' Cross-Site Scripting
4  author: <author>
5  severity: medium
6  description: |
7    SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
8  reference: |
9    - https://www.exploit-db.com/exploits/37481
10  tags: wordpress,xss,wp-plugin
11requests:
12  - method: GET
13    path:
14      - '{{BaseURL}}/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%281%29%3C/script%3E'
15    matchers-condition: and
16    matchers:
17      - type: word
18        part: body
19        words:
20          - '<script>alert(1)</script>'
21      - type: word
22        part: header
23        words:
24          - "text/html"
25      - type: status
26        status:
27          - 200
28

6. Regression Testing

Perform crucial regression testing with custom templates. Ensure that identified vulnerabilities continue to be detected in subsequent builds, promoting a robust security assessment. ProjectDiscovery's diagram illustrating nuclei custom templates for regression testing

The Basics of Writing Custom Templates

Now, let's shift our focus to the basics of crafting custom templates. A template should contain essential information such as the template id, template info, data to send to the remote host, and instructions on how to analyze the response.

1id: htpasswd
2info:
3  name: Detect exposed .htpasswd files
4  author: <author>
5  severity: info
6  tags: config,exposure
7requests:
8  - method: GET
9    path:
10      - "{{BaseURL}}/.htpasswd"
11    matchers-condition: and
12    matchers:
13      - type: word
14        words:
15          - ":{SHA}"
16          - ":$apr1$"
17          - ":$2y$"
18        condition: or
19      - type: status
20        status:
21          - 200
22

Breaking it down:

• id: Unique identifier for the template.
• info: Metadata about the template, including name, author, severity, and tags.
• requests: Defines the HTTP request(s) to be sent to the remote host.
• matchers: Specifies how to analyze the response for potential vulnerabilities.

Fuzzing Techniques for Vulnerability Detection

Fuzzing, a technique involving sending unexpected or malformed data to a software application, plays a vital role in security testing. Nuclei templates automate fuzzing, allowing you to define the base request, injection points, and response analysis. Let's consider a simple template for fuzzing web services to discover undocumented HTTP request headers:

1id: my-test-nuclei-template
2info:
3  name: X Debug header fuzzing
4  author: <author>
5  severity: info
6  description: Discover x-*-debug request headers
7requests:
8  - raw:
9      - |
10        GET / HTTP/1.1
11        Host: {{Hostname}}
12        X-{{fuzz}}-debug: 1
13    redirects: true
14    attack: batteringram
15    payloads:
16      fuzz: /var/tmp/fuzz.txt
17

Breaking it down:

• raw: Allows full control over the HTTP request.
• payloads: Specifies the fuzzing injection point and payload list.
• attack: Defines the fuzzing mode (e.g., batteringram, pitchfork, clusterbomb).
• matchers: Specifies how to analyze the response.

Debugging and Validation

Debugging is an integral part of template development. Nuclei offers several debugging features to troubleshoot template behavior:

• Validate (-validate): Ensures the template syntax is correct.
• Verbose Output (-verbose | -v): Prints verbose output generated by templates.
• Debug (-debug): Prints all requests and responses made by the template.
• Proxy (-p): Allows inspection of requests and responses using an external tool. For example:

1nuclei -l targets.txt -t my-template.yaml -validate
2nuclei -l targets.txt -t my-template.yaml -v
3nuclei -l targets.txt -t my-template.yaml -debug
4nuclei -l targets.txt -t my-template.yaml -p http://127.0.0.1:8080
5

These debugging options facilitate effective troubleshooting and refinement of your custom templates.

There you have it – a comprehensive guide on automating bug bounties with Nuclei through the creation and utilization of custom templates. Experiment, adapt, and elevate your bug hunting game with the power of tailored vulnerability scanning. Happy hacking! Stay tuned for more insightful content, and feel free to connect with me on LinkedIn for discussions and collaborations.