One of our favourite tools for dynamic security testing (DAST) is Nuclei by Project Discovery. It's one of the most lightweight, easy-to-use vulnerability scanners, but it's also got one unique feature that sets it apart from most other scan tools: templates.
If you want to learn the basics of what Nuclei templates are and why they're so useful, check out this article.
But in a nutshell, templates are YAML-based files which act as instructions that tell Nuclei what vulnerabilities to look for.
Most scanners maintain a vulnerability database, so when they perform a scan, they cross-reference their findings with the database to see if they found a vulnerability. This leads to far more false positives in the results, since the scanner is doing a 'broad sweep' for a large number of vulnerabilities.
Templates, however, let Nuclei target and find specific vulnerabilities in the software. This allows Nuclei to avoid the unnecessary load of false positives that you'd normally get from other tools.
Let's take a deep-dive into templates, workflows, and how Nuclei scans applications.
A typical Nuclei template consists of 5 parts or sections. Let's take the example of this template, which is designed to find email disclosure vulnerabilities.
Nuclei interprets the template as a set of instructions that tell it what kind of vulnerabilities it needs to identify.
What makes Nuclei endlessly customisable is the fact that you can write your own templates to suit your specific use case. You can even choose from a massive selection of templates created by Project Discovery themselves, or templates made by the community.
If you thought it would be too slow to look for individual vulnerabilities with Nuclei templates, don't worry!
You can feed multiple templates into the Nuclei engine, each of which can identify a different vulnerability. First, the Nuclei engine runs the scan on the target application. It then generates results in two simple forms: 'Yes' if the vulnerability is found, and 'No' if it's not found.
Pretty simple right?
But there's more: Nuclei can be automated for DevSecOps. That means you can scale up your vulnerability scanning even on an enterprise workflow.
BTW, check out our full course on how to use and automate Nuclei.
In this example, we have 'N' number of releases of the application. After each new release, we can run the entire suite of Nuclei templates on that release.
If the scan finds any of the vulnerabilities specified in the templates, the release is denied.
Automating your Nuclei scans is the next step to take your dynamic testing (DAST) to the next level. As you just saw, Nuclei scans can even be part of your CI/CD pipeline for DevSecOps.
We've got 10 courses in DevSecOps, including one on Nuclei automation:
Ready to give it a go? Pick your AppSecEngineer plan now and start learning!
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.