How I used Nuclei to Automate Basic Security Checks

 Nuclei by Project Discovery

Nuclei is an automation tool built by Project Discovery. The tool is open source and ships with a large set of CVE templates, which are updated on a regular basis. You can also write customized templates for your own needs.


Why I chose Nuclei as a DAST tool?

I've been doing Product Security Testing for one of my targets. We have found various categories of bugs manually, and considering that the product is a growing one and the same bug may pop up again, we decided to automate the security cases we had found earlier. The tools I considered were Burp, ZAP automation, and later I got to know about Nuclei.

I'm using the free version of Burp, which doesn't support automation, but it is otherwise an excellent tool. ZAP is an open source tool with many options available, but I find it a little complicated and difficult to use on a regular basis.

While browsing Twitter and YouTube, I got to know about Nuclei by Project Discovery, suggested by @stokfredrik (https://twitter.com/stokfredrik).


How I used the Tool?

I've used only the basic automation so far and it looked promising. Let me explain one such case. For one of the target's URL endpoints, a parameter must be passed with an encrypted value, something like a secret key known only to the owner of the document. The key cannot be guessed or brute-forced, as it involves multiple rounds of randomization.

But in one such case, instead of passing the key, we tried passing the account number belonging to the account, and the document was shown. This was true for any account: you could pass any account number to fetch that account's document. This has been fixed now, but the problem is that it's not possible to check this URL manually after every build update.

I used Nuclei to automate cases like this. The matchers are also basic: a status code check for "200" and a body check for one of the document's headers will do the trick. The target has around 500 subdomains on which I need to check for the above case.
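A regression template of the kind described above, added here as an example rather than the author's own template. It assumes Nuclei v3 template syntax; the path `/documents/view`, the `key` parameter, the test account number and the header string `Account Statement` are placeholders for the real product values.

```yaml
id: document-key-bypass-regression

info:
  name: Document endpoint accepts an account number in place of the secret key
  author: example-author            # placeholder
  severity: high
  description: |
    Regression check for a fixed bug: the document viewer used to return the
    document when the "key" parameter carried a plain account number instead
    of the per-document secret. A match means the fix has regressed.
  tags: regression,idor

http:
  - method: GET
    path:
      # Placeholder path and parameter name; replace with the real endpoint.
      - "{{BaseURL}}/documents/view?key={{account}}"

    # Constructed account number belonging to a test account you own.
    payloads:
      account:
        - "TEST-ACCOUNT-0001"

    # Both matchers must hit: HTTP 200 AND a header string from the document.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "Account Statement"   # placeholder for one of the document's headers
```

Run it across the subdomain list with `nuclei -l subdomains.txt -t document-key-bypass-regression.yaml`, where `subdomains.txt` holds one base URL per line; any reported match is a regression to raise with the product team.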

It worked really well, and the initial results are absolutely promising. 


What's the one thing I loved about using Nuclei? 

It's the open community of the PD team on their Discord server. You can literally ask any of your doubts and the community members will respond at the earliest. I had one such situation, where sharing an access_token across multiple templates was not possible, and I pinged the channel. They immediately responded with the GitHub issue link and the current status of the bug, and also suggested a workaround for such complicated cases.


If you are going to start automating your security checks, Nuclei by Project Discovery is worth a try!


Thanks, 

d_night_fury
