Closed Ameston closed 3 days ago
Can we disable template validation? It's not clear to me what the request is - it's nuclei that's rejecting the templates, not our code
Disabling template validation is probably the quickest solution; however, in the old version of Chariot we opted to fork and modify Nuclei to have support for the praetorian
YAML block. This way, we could tell when Nuclei templates were actually failing validation for real reasons (and not just the praetorian
YAML block). The request is to support templates leveraging this newly merged feature because it is currently unusable.
I'd like to avoid forking nuclei unless absolutely necessary; that slows down the process of upgrading nuclei significantly and gives us another component to maintain. Between those two options disabling validation is my strong preference. I'd like to explore if there's a way to modify the metadata such that it validates though. @Ameston has MSP tried any other formatting that might allow the templates to validate? We can always change the parsing code.
For example, we might be able to use this
-nss
is another option vs disabling all validation
I'd like to avoid forking nuclei unless absolutely necessary;
Absolutely, me too.
I've been doing some digging, and I believe I found the issue. It looks like Aashish's initial proposal leveraged the metadata
tag. I just tested locally, and the templates pass validation if the praetorian
block is moved there. It looks like the solution @UNC1739 implemented leverages the meta
tag.
Edit: This is incorrect. Adam's solution uses metadata
. I was incorrectly using Weber's example template as the source of truth.
@Ameston can you send me an example that passes validation? I'll adjust the backend code to match
id: detect-web-login-page
info:
name: Detect Web Login Page
author: michaelweber
severity: info
description: |
This template detects the presence of a web login page by checking for input tags and keywords commonly associated with login forms.
metadata:
praetorian:
detection: true
attributes:
type: "Login Page Detection"
tags: web, login
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- "contains(tolower(body), '<input') && ((contains(tolower(body), 'login') ? 1 : 0) + (contains(tolower(body), 'log in') ? 1 : 0) + (contains(tolower(body), 'forgot') ? 1 : 0) + (contains(tolower(body), 'password') ? 1 : 0) + (contains(tolower(body), 'signup') ? 1 : 0) + (contains(tolower(body), 'sign-up') ? 1 : 0) + (contains(tolower(body), 'sign up') ? 1 : 0) + (contains(tolower(body), 'register') ? 1 : 0) >= 2)"
name: login_word_matches
Ah - this is what we already have, I misunderstood. I think we're good then?
Info struct {
Description string `json:"description"`
Severity string `json:"severity"`
Author []string `json:"author"`
Metadata struct {
Praetorian struct {
Detection bool `json:"detection"`
Attributes map[string]string `json:"attributes"`
} `json:"praetorian"`
} `json:"metadata"`
Recently, support was added to create
Attributes Based on Nuclei Templates
; however, the changes required to leverage that feature cause Nuclei templates to fail validation. As a result, they will not be used for scanning.