OWASP Top 10 Attack and Nuclei Scan Details Reports

[srikr]

I recently downloaded latest version(2.7.7) of nuclei with Nuclei Templates 9.2.1, I have following questions:

• How can I use nuclei to run OWASP Top 10 Attacks against my Web Server
• How can I use nuclei to run SANS Top 25 Attacks against my Web Server
• What is the Use of INTERACTSH Section as I see always the below Errors which forcing me to disable that Options
  [ERR] Could not initialize interactsh client: could not create client: could not register to servers: could not make register request: POST https://oast.site/register giving up after 1 attempts: Post "https://oast.site/register": read tcp <myip>:53042->178.128.16.97:443: read: connection reset by peer
• As the tests are getting completed in max 5 min, was wondering Does nuclei Do Full Scan of all the Web Server Paths
• Detailed report(Preferably in HTML Format) of the Vulnerabilities consisting of following:
  a) What Test was Performed and What is the Results(Request was Sent and Vulnerability in Response)
  b) What is the Expected Result
  c) What is the Actual Result
  d) Is the vulnerability assessment with High Confidence or with Low Confidence
  e) Suggestions to Fix and Reference Links

[forgedhallpass]

Have you checked out the documentation at https://nuclei.projectdiscovery.io/ or the CLI help?

How can I use nuclei to run OWASP Top 10 Attacks against my Web Server
How can I use nuclei to run SANS Top 25 Attacks against my Web Server

We haven't categorized our templates in that way, hence the short answer is that you can't, BUT you can control which ones to execute based on their tags.

E.g. nuclei -tags xss,sqli -vv <- this will show you all the templates that do xss or sql injection tests

What is the Use of INTERACTSH Section as I see always the below Errors which forcing me to disable that Options

Interactsh is a service which integrates seamlessly with nuclei to enable blind OOB testing (e.g. detecting SSRF). It either requires internet access or you need to deploy your own instance.

For more info check out the https://github.com/projectdiscovery/interactsh project.

As the tests are getting completed in max 5 min, was wondering Does nuclei Do Full Scan of all the Web Server Paths

Nuclei tests the given input (usually root domains) for specific vulnerabilities. It doesn't do fully automated crawling or fuzzing YET. Those are separate projects which aren't released publicly yet and will be integrated later on. The power of nuclei relies in the fact that you can write your own templates and can use it to easily integrate them into your CI/CD pipelines.

Detailed report(Preferably in HTML Format) of the Vulnerabilities consisting of following

Please read the documentation: https://nuclei.projectdiscovery.io/nuclei/get-started/#nuclei-reporting

Integration with other ProjectDiscovery tools:

If you would like additional details, you can ask them at our Discord channel.

[srikr]

Thanks @forgedhallpass for detailed response. Below is my understanding:

# ls /root/nuclei-templates
CODE_OF_CONDUCT.md        README_KR.md          cnvd               dns             fuzzing   miscellaneous     takeovers        wappalyzer-mapping.yml
CONTRIBUTING.md           TEMPLATES-STATS.json  contributors.json  exposed-panels  headless  misconfiguration  technologies     workflows
LICENSE.md                TEMPLATES-STATS.md    cves               exposures       helpers   network           token-spray
PULL_REQUEST_TEMPLATE.md  TOP-10.md             default-logins     file            iot       ssl               vulnerabilities

a) Running below command would execute all the attack tests:
nuclei -t /root/nuclei-templates -fr -ni -o report.txt -u https://<web-server-ip>
b) Looks like File(HTML or CSV) Based Report cannot be generated, For Reports one need to integrate with Git Hub or Jira or Git Lab. Am I correct?
c) Do we have a file which tells what all tests have executed, which one got Passed and which one got Failed and its Severity. I am seeing a report like this which only tells the problem but doesn't tell which request has caused this and what is the rational behind the test and what should be the fix.

# cat report.txt
[2022-09-27 20:42:20] [xss-deprecated-header-detect] [http] [info] https://<web-server-ip> [1; mode=block]
[2022-09-27 20:42:21] [self-signed-ssl] [ssl] [low] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:permission-policy] [http] [info] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:clear-site-data] [http] [info] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:cross-origin-embedder-policy] [http] [info] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:cross-origin-opener-policy] [http] [info] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:cross-origin-resource-policy] [http] [info] https://<web-server-ip>
[2022-09-27 20:42:24] [http-missing-security-headers:access-control-max-age] [http] [info] https://<web-server-ip>
[2022-09-27 20:44:00] [swagger-api] [http] [info] https://<web-server-ip>/swagger/swagger-ui.js
[2022-09-27 20:44:13] [tls-version] [ssl] [info] https://<web-server-ip> [TLS12]
[2022-09-27 20:44:25] [openssh-detection] [network] [info] <web-server-ip>:22 [SSH-2.0-OpenSSH_8.2p1]

d) Currently Crawling/Fuzzing is not Supported. It should be possible by changing different URLs using Scripts.

[forgedhallpass]

a) That command will load all general purpose templates (~4000 if you use the official public templates only), excluding those that are tagged with fuzz or dos (~60). Those need to be enabled explicitly using the -itags flag. Disabling interactsh (it's not really recommended though because it's a very powerful feature) with -ni further reduces the potential for findings by around ~200 tests.

b) We have tickets created for HTML and PDF and they will be implemented at some point. Besides GitHub, GitLab and Jira, you can also export in Markdown, SARIF and Elasticsearch.

Example markdown report (nuclei -tags tech -me /tmp -u http://localhost:8081)

---

Wappalyzer Technology Detection (tech-detect:python) found on http://localhost:8081

---

Details: tech-detect:python matched at http://localhost:8081

Protocol: HTTP

Full URL: http://localhost:8081

Timestamp: Wed Sep 28 14:06:32 +0300 EEST 2022

Template Information

Key	Value
Name	Wappalyzer Technology Detection
Authors	hakluke
Tags	tech
Severity	info

Request

GET / HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Response

HTTP/1.0 200 OK
Connection: close
Content-Length: 591
Content-Type: text/html; charset=utf-8
Date: Wed, 28 Sep 2022 11:06:32 GMT
Server: SimpleHTTP/0.6 Python/3.10.6

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href=".git/">.git/</a></li>
<li><a href=".idea/">.idea/</a></li>
<li><a href="cmd/">cmd/</a></li>
<li><a href="go.mod">go.mod</a></li>
<li><a href="go.sum">go.sum</a></li>
<li><a href="LICENSE">LICENSE</a></li>
<li><a href="pkg/">pkg/</a></li>
<li><a href="README.md">README.md</a></li>
</ul>
<hr>
</body>
</html>

CURL Command

curl -X 'GET' -d '' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36' 'http://localhost:8081'

---

Generated by Nuclei 2.7.7

Additionally you can use pandoc to generate a PDF from the exported MarkDown file.
We do not have plans on implementing CSV reports, but instead we have JSON:

{
  "template": "technologies/tech-detect.yaml",
  "template-url": "https://github.com/projectdiscovery/nuclei-templates/blob/master/technologies/tech-detect.yaml",
  "template-id": "tech-detect",
  "info": {
    "name": "Wappalyzer Technology Detection",
    "author": [
      "hakluke"
    ],
    "tags": [
      "tech"
    ],
    "reference": null,
    "severity": "info"
  },
  "matcher-name": "python",
  "type": "http",
  "host": "http://localhost:8081",
  "matched-at": "http://localhost:8081",
  "ip": "127.0.0.1",
  "timestamp": "2022-09-28T14:31:07.330193+03:00",
  "curl-command": "curl -X 'GET' -d '' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36' 'http://localhost:8081'",
  "matcher-status": true,
  "matched-line": null
}

c) The findings are show on the STDOUT

[2022-09-27 20:42:20] [xss-deprecated-header-detect] [http]     [info]      https://<web-server-ip> [1; mode=block]
[     timestamp     ] [        template-id         ] [protocol] [severity]  URL                     [matcher or extractor]

, in the JSON file or the report of your choosing. If you have not enabled the JSON output or reporting, then you can look up the template by it's ID shown above.

Before providing targets and running the scan you can prepare your command and see what templates would be loaded.
e.g.

nuclei -tags atlassian -severity medium,high,critical -vv 

d) Not sure what do you mean by should be possible by changing different URLs. As mentioned in the previous response, and also if you open up a couple of templates you will see that the majority of them expect root URLs and they add the required paths automatically to do targeted checks.

That being said, this doesn't mean that it's not possible already to some extent. You can use different attack types (batteringram, pitchfork, clusterbomb) like in BurpSuite Intruder, you can reference external payload files and so on.

Example templates:

• https://github.com/projectdiscovery/nuclei-templates/blob/master/default-logins/abb/cs141-default-login.yaml
• https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/linux-lfi-fuzzing.yaml
• https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2017/CVE-2017-17562.yaml

The relevant documentation can be found under HTTP fuzzing.

Even though the majority of the templates require root URLs, there are still exceptions, like the tech-detect to which you can give full URLs and it will analyze the response to identify different services. If you'd like to achieve something similar then you could use a crawler (like gospider or hakrawler) and then pipe the results to nuclei.

If you would like to expand your attack surface, you could start from a domain or list of domains, use subfinder to identify subdomains, use dnsx to filter out those that do not resolve, search for open ports using naabu, identify web servers using httpx, do crawling with the above mentioned and pipe everything to nuclei for scanning.

Our tools are designed to be modular, but easily integratable (they can even be used as go libraries)/compatible with each other, meaning that you can easily pass the output of one tool as input to the other and so on. This gives a lot of freedom for customization and automation so that you can create complex workflows, cover corner-case scenarios that otherwise would not be possible, dig deeper into the inner workings of certain protocols and so on and so forth.

[srikr]

First of all Thanks @forgedhallpass for the very detailed response. Appreciate very much for that.

1. On the report side it would be really great if we get a report like this so that we know following:
   a) What test is run and what injection was performed
   b) Vulnerability Found or Possible Vulnerability on which URL
   c) What is the rationale of a test
   d) What is the solution to the issue found
   e) what is the actual Standard that is proposing the recommended solution
   Some Sample Screenshot:
   
   Sorry and Hope I am not asking too much.

2. When I said different URL I mean my web server has many features, To configure(POST and GET) different features it uses different URLs so if I want to test all the URLs I have to do following:
   a) Crawl using Tools like crawler (like gospider or hakrawler) which gives me list of URLs
   b) Need to write a script which takes this URL and run nuclei(basically all 4000 tests) on that URL one by one
   c) For each of the different URL I need a consolidated report, currently its ok if I get separate Report which can viewed individually.

3. I am fine to use interactsh but it always throws this error even if I have internet access:
   [ERR] Could not initialize interactsh client: could not create client: could not register to servers: could not make register request: POST https://oast.site/register giving up after 1 attempts: Post "https://oast.site/register": read tcp <myip>:53042->178.128.16.97:443: read: connection reset by peer
   I am not sure what URL and Token should I configure to use this Feature, since I am not configuring anything it tries to connect to default host: oast.site and fails. If you see below I am able to ping to oast.site but I am not able to register.

# ping oast.site
PING oast.site (178.128.16.97) 56(84) bytes of data.
64 bytes from oast.site (178.128.16.97): icmp_seq=1 ttl=43 time=40.6 ms
64 bytes from oast.site (178.128.16.97): icmp_seq=2 ttl=43 time=40.1 ms
64 bytes from oast.site (178.128.16.97): icmp_seq=3 ttl=43 time=40.1 ms
64 bytes from oast.site (178.128.16.97): icmp_seq=4 ttl=43 time=40.0 ms
64 bytes from oast.site (178.128.16.97): icmp_seq=5 ttl=43 time=40.1 ms 

For the remaining points Thanks again, I will try out tommorow and get back to you.

[geeknik]

We do not have plans on implementing CSV reports, but instead we have JSON:

If anyone needs to convert nuclei's JSON output to CSV, I wrote this little tool in Python.

https://github.com/geeknik/nuclei-json-to-csv/ 👍🏻