Custom Nuclei Templates and Workflows

Custom Nuclei templates and workflows allow clients to run their own specialized security checks alongside Prancer's built-in scans. This feature enables you to tailor your security assessments to your specific needs and environment.

Overview

Prancer's platform supports custom Nuclei templates and workflows, allowing you to leverage the power of Nuclei's flexible and extensible scanning capabilities. If Nuclei can run a template or workflow, Prancer can incorporate it into your security assessment process.

Setting Up Custom Templates and Workflows

To use custom Nuclei templates and workflows with Prancer, follow these steps:

  1. Create a Git repository to host your custom templates and workflows.
  2. In the root of your repository, create a directory (e.g. attacktemplate) for your Nuclei template or set of templates, and add a metadata.yaml file inside it. You can have multiple directories for multiple sets of Nuclei scans.
  3. Properly fill in the metadata.yaml file according to the required format (see example below).
  4. Add your custom Nuclei templates and workflows to the repository.

metadata.yaml Example

Here's an example of a metadata.yaml file for custom Nuclei templates and workflows:

Name: Nuclei
Technology: standalone
Type: active
Engine: golang
Description: run nuclei
UploadEnabled: true
UploadSource: nuclei-results/nuclei-results.json
IgnoreOutput: true
ScanType: nuclei
DefaultTemplate: true
WorkflowTemplate: true
CustomTemplate: true
TemplatePaths:
  - custom-nuclei-templates
  - workflow-templates
UploadFileFormats:
  - json
Charset: UTF-8
Tags:
  cloud: nuclei,api
  Type: Blackbox, Webscan
Params:
  Target: '{{.Target}}'
  Command: ''

Folder Structure for Custom Nuclei Templates and Workflows

When setting up your custom Nuclei templates and workflows for use with Prancer, your repository should follow a structure similar to this:

<eg: attacktemplate>
├── custom-nuclei-templates
│   └── hello.yaml
├── metadata.yaml
└── workflow-templates
    ├── template
    │   └── test.yaml
    └── workflow.yaml

Let's break down each component:

  1. metadata.yaml: This file at the root of your new directory configures how Prancer will run your custom Nuclei templates and workflows.

  2. custom-nuclei-templates: This directory contains your custom Nuclei templates. In this example, there's a single template named hello.yaml.

  3. workflow-templates: This directory is for organizing your Nuclei workflows.

     • The template subdirectory can contain additional templates used specifically in workflows.
     • The workflow.yaml file defines the workflow itself, orchestrating how multiple templates are executed.

Setting Up Your Repository

To use custom Nuclei templates and workflows with Prancer:

  1. Create a Git repository with the structure shown above.
  2. Place your custom Nuclei templates in the custom-nuclei-templates directory.
  3. If you're using workflows, place the workflow definition in workflow-templates/workflow.yaml and any workflow-specific templates in workflow-templates/template/.
  4. Ensure your metadata.yaml file is properly configured to point to these directories.

Configurable Items in metadata.yaml

The following table explains the key configurable items in the metadata.yaml file that end users might need to modify:

| Configuration Item | Description | Possible Values |
|---|---|---|
| DefaultTemplate | Enables the use of default Nuclei templates | true or false |
| WorkflowTemplate | Enables the use of Nuclei workflow templates | true or false |
| CustomTemplate | Enables the use of custom Nuclei templates | true or false |
| TemplatePaths | Specifies the directories containing templates and workflows | List of directory paths, e.g. custom-nuclei-templates and workflow-templates |
| Tags | Categorizes the scan for easier management and filtering | Key-value pairs, e.g. cloud: nuclei,api and Type: Blackbox, Webscan |
| Params | Defines parameters for the Nuclei scan | Key-value pairs, e.g. Target: '{{.Target}}' and Command: '' |

Explanation of Key Items:

  • DefaultTemplate, WorkflowTemplate, CustomTemplate: These boolean flags determine which types of templates Nuclei will use during the scan. Enable (true) or disable (false) as needed.

  • TemplatePaths: List the directories where your templates and workflows are stored. Prancer will look in these directories to find the Nuclei templates and workflows to execute.

  • Tags: Use these to categorize your scan. This can be helpful for organizing and filtering results later.

  • Params:

      • Target: Typically set to '{{.Target}}', which allows Prancer to dynamically insert the target URL or IP.
      • Command: Can be left empty ('') for default behavior. If you specify a Nuclei command line, it will be used as is. Use the default.

Adjust these configurations based on your specific requirements and the structure of your custom templates and workflows.
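
A pre-commit check for the layout described above, as an added example (not Prancer's own tooling): it reads the flat metadata.yaml format shown on this page with a minimal standard-library reader and reports flags that are not true or false, TemplatePaths entries that are missing or resolve outside the scan directory, and template files lacking the top-level id and info keys. The function names, and the assumption that TemplatePaths entries are relative to the directory holding metadata.yaml, are this example's own.

```python
import re
from pathlib import Path

# Assumption: TemplatePaths entries are relative to the directory that holds
# metadata.yaml, as in the folder structure shown on this page.
FLAGS = ("DefaultTemplate", "WorkflowTemplate", "CustomTemplate")

def read_metadata(path):
    """Top-level 'Key: value' pairs and '- item' lists only; not a full YAML parser."""
    meta, key = {}, None
    for line in path.read_text(encoding="utf-8").splitlines():
        top = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        item = re.match(r"^\s*-\s+(.+)$", line)
        if top:
            key, value = top.group(1), top.group(2).strip("'\" ")
            meta[key] = value if value else []
        elif item and key and isinstance(meta[key], list):
            meta[key].append(item.group(1).strip("'\" "))
    return meta

def check_templates(directory, rel):
    """Each template file needs the top-level id and info keys that Nuclei requires."""
    files = sorted(p for p in directory.rglob("*")
                   if p.is_file() and p.suffix in (".yaml", ".yml"))
    problems = [f"{rel}: {p.name} lacks top-level '{k}'"
                for p in files for k in ("id", "info")
                if not re.search(rf"^{k}\s*:", p.read_text(encoding="utf-8"), re.M)]
    return problems if files else [f"{rel}: no .yaml templates found"]

def check_scan_dir(scan_dir):
    """Return a list of problems for one scan directory (e.g. attacktemplate)."""
    root = Path(scan_dir).resolve()
    if not (root / "metadata.yaml").is_file():
        return ["metadata.yaml is missing"]
    meta = read_metadata(root / "metadata.yaml")
    problems = [f"{flag}: expected true or false" for flag in FLAGS
                if meta.get(flag, "true") not in ("true", "false")]
    paths = meta.get("TemplatePaths")
    if not isinstance(paths, list) or not paths:
        return problems + ["TemplatePaths: no directories listed"]
    for rel in paths:
        full = (root / rel).resolve()
        if root not in full.parents:  # ../x, /abs/path, "." and escaping symlinks
            problems.append(f"{rel}: must be a subdirectory of the scan directory")
        elif not full.is_dir():
            problems.append(f"{rel}: directory not found")
        else:
            problems += check_templates(full, rel)
    return problems
```

Call check_scan_dir("attacktemplate") before pushing; an empty list means the directory matches the structure described here.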

Integration with Prancer

Custom Nuclei templates and workflows run natively within the Prancer platform. They are executed alongside other security checks, providing a comprehensive security assessment.

To configure the execution of your custom templates and workflows, use the settings specified in the metadata.yaml file. This file controls various aspects of the scan, including:

  • Scan type and technology
  • Upload settings for results
  • Template and workflow paths
  • Supported file formats
  • Tags for categorization
  • Parameters for the scan execution

Best Practices

While there are no specific limitations on custom Nuclei templates and workflows (if Nuclei can run it, Prancer can integrate it), consider the following best practices:

  1. Organize your templates and workflows logically within your Git repository.
  2. Use clear, descriptive names for your templates and workflows.
  3. Comment your templates thoroughly to explain their purpose and functionality.
  4. Regularly update your custom templates to address new vulnerabilities or changes in your environment.
  5. Test your custom templates thoroughly before integrating them into your production security assessments.

Example Implementation

Here's a simple example of how a custom Nuclei template might be implemented:

id: custom-header-check
info:
  name: Custom Security Header Check
  author: Your Name
  severity: medium
  description: Checks for the presence of a custom security header

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Custom-Security-Header"
        part: header

This template checks for the presence of a custom security header in the response. You would save this as a .yaml file in your Git repository, and Prancer would execute it as part of your security assessment.

By leveraging custom Nuclei templates and workflows, you can extend Prancer's capabilities to address your organization's unique security requirements and assessment needs.