zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

510
skills/appsec/dast-nuclei/SKILL.md Normal file
View File

@@ -0,0 +1,510 @@
---
name: dast-nuclei
description: >
Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community
templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications,
APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE
detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs,
(3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds,
(4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning
multiple targets efficiently with concurrent execution and rate limiting controls.
version: 0.1.0
maintainer: SirAppSec
category: appsec
tags: [dast, nuclei, vulnerability-scanning, cve, owasp, api-testing, automation, templates]
frameworks: [OWASP, CWE, CVE]
dependencies:
tools: [nuclei]
optional: [docker, git]
references:
- https://docs.projectdiscovery.io/tools/nuclei/overview
- https://github.com/projectdiscovery/nuclei
- https://github.com/projectdiscovery/nuclei-templates
---
# DAST with Nuclei
## Overview
Nuclei is a fast, template-based vulnerability scanner from ProjectDiscovery that uses YAML templates to detect
security vulnerabilities, misconfigurations, and exposures across web applications, APIs, networks, and cloud
infrastructure. With 7,000+ community templates covering CVEs, OWASP vulnerabilities, and custom checks, Nuclei
provides efficient automated security testing with minimal false positives.
## Quick Start
### Installation
```bash
# Install via Go
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or using Docker
docker pull projectdiscovery/nuclei:latest
# Update templates (automatically downloads 7000+ community templates)
nuclei -update-templates
```
### Basic Vulnerability Scan
```bash
# Scan single target with all templates
nuclei -u https://target-app.com
# Scan with specific severity levels
nuclei -u https://target-app.com -severity critical,high
# Scan multiple targets from file
nuclei -list targets.txt -severity critical,high,medium -o results.txt
```
### Quick CVE Scan
```bash
# Scan for specific CVEs
nuclei -u https://target-app.com -tags cve -severity critical,high
# Scan for recent CVEs
nuclei -u https://target-app.com -tags cve -severity critical -template-condition "contains(id, 'CVE-')"
```
## Core Workflow
### Workflow Checklist
Progress:
[ ] 1. Install Nuclei and update templates to latest version
[ ] 2. Define target scope (URLs, domains, IP ranges)
[ ] 3. Select appropriate templates based on target type and risk tolerance
[ ] 4. Configure scan parameters (rate limiting, severity, concurrency)
[ ] 5. Execute scan with proper authentication if needed
[ ] 6. Review findings, filter false positives, and verify vulnerabilities
[ ] 7. Map findings to OWASP/CWE frameworks
[ ] 8. Generate security report with remediation guidance
Work through each step systematically. Check off completed items.
### Step 1: Template Selection and Target Scoping
Identify target applications and select relevant template categories:
```bash
# List available template categories
nuclei -tl
# List templates by tag
nuclei -tl -tags owasp
nuclei -tl -tags cve,misconfig
# Show template statistics
nuclei -tl -tags cve -severity critical | wc -l
```
**Template Categories:**
- **cve**: Known CVE vulnerabilities (7000+ CVE templates)
- **owasp**: OWASP Top 10 vulnerabilities
- **misconfig**: Common security misconfigurations
- **exposed-panels**: Admin panels and login pages
- **takeovers**: Subdomain takeover vulnerabilities
- **default-logins**: Default credentials
- **exposures**: Sensitive file and data exposures
- **tech**: Technology detection and fingerprinting
**Target Scoping Best Practices:**
- Create target list excluding third-party services
- Group targets by application type for focused scanning
- Define exclusions for sensitive endpoints (payment, logout, delete actions)
### Step 2: Configure Scan Parameters
Set appropriate rate limiting and concurrency for target environment:
```bash
# Conservative scan (avoid overwhelming target)
nuclei -u https://target-app.com \
-severity critical,high \
-rate-limit 50 \
-concurrency 10 \
-timeout 10
# Aggressive scan (faster, higher load)
nuclei -u https://target-app.com \
-severity critical,high,medium \
-rate-limit 150 \
-concurrency 25 \
-bulk-size 25
```
**Parameter Guidelines:**
- **rate-limit**: Requests per second (50-150 typical, lower for production)
- **concurrency**: Parallel template execution (10-25 typical)
- **bulk-size**: Parallel host scanning (10-25 for multiple targets)
- **timeout**: Per-request timeout in seconds (10-30 typical)
For CI/CD integration patterns, see `scripts/nuclei_ci.sh`.
### Step 3: Execute Targeted Scans
Run scans based on security objectives:
**Critical Vulnerability Scan:**
```bash
# Focus on critical and high severity issues
nuclei -u https://target-app.com \
-severity critical,high \
-tags cve,owasp \
-o critical-findings.txt \
-json -jsonl-export critical-findings.jsonl
```
**Technology-Specific Scan:**
```bash
# Scan specific technology stack
nuclei -u https://target-app.com -tags apache,nginx,wordpress,drupal
# Scan for exposed sensitive files
nuclei -u https://target-app.com -tags exposure,config
# Scan for authentication issues
nuclei -u https://target-app.com -tags auth,login,default-logins
```
**API Security Scan:**
```bash
# API-focused security testing
nuclei -u https://api.target.com \
-tags api,graphql,swagger \
-severity critical,high,medium \
-header "Authorization: Bearer $API_TOKEN"
```
**Custom Template Scan:**
```bash
# Scan with organization-specific templates
nuclei -u https://target-app.com \
-t custom-templates/ \
-t nuclei-templates/http/cves/ \
-severity critical,high
```
### Step 4: Authenticated Scanning
Perform authenticated scans for complete coverage:
```bash
# Scan with authentication headers
nuclei -u https://target-app.com \
-header "Authorization: Bearer $AUTH_TOKEN" \
-header "Cookie: session=$SESSION_COOKIE" \
-tags cve,owasp
# Scan with custom authentication using bundled script
python3 scripts/nuclei_auth_scan.py \
--target https://target-app.com \
--auth-type bearer \
--token-env AUTH_TOKEN \
--severity critical,high \
--output auth-scan-results.jsonl
```
For OAuth, SAML, and MFA scenarios, see `references/authentication_patterns.md`.
### Step 5: Results Analysis and Validation
Review findings and eliminate false positives:
```bash
# Parse JSON output for high-level summary
python3 scripts/parse_nuclei_results.py \
--input critical-findings.jsonl \
--output report.html \
--group-by severity
# Filter and verify findings
nuclei -u https://target-app.com \
-tags cve \
-severity critical \
-verify \
-verbose
```
**Validation Workflow:**
1. Review critical findings first (immediate action required)
2. Verify each finding manually (curl, browser inspection, PoC testing)
3. Check for false positives using `references/false_positive_guide.md`
4. Map confirmed vulnerabilities to OWASP Top 10 using `references/owasp_mapping.md`
5. Cross-reference with CWE classifications for remediation patterns
**Feedback Loop Pattern:**
```bash
# 1. Initial scan
nuclei -u https://target-app.com -severity critical,high -o scan1.txt
# 2. Apply fixes to identified vulnerabilities
# 3. Re-scan to verify remediation
nuclei -u https://target-app.com -severity critical,high -o scan2.txt
# 4. Compare results to ensure vulnerabilities are resolved
diff scan1.txt scan2.txt
```
### Step 6: Reporting and Remediation Tracking
Generate comprehensive security reports:
```bash
# Generate detailed report with OWASP/CWE mappings
python3 scripts/nuclei_report_generator.py \
--input scan-results.jsonl \
--output security-report.html \
--format html \
--include-remediation \
--map-frameworks owasp,cwe
# Export to SARIF for GitHub Security tab
nuclei -u https://target-app.com \
-severity critical,high \
-sarif-export github-sarif.json
```
See `assets/report_templates/` for customizable report formats.
## Automation & CI/CD Integration
### GitHub Actions Integration
```yaml
# .github/workflows/nuclei-scan.yml
name: Nuclei Security Scan
on: [push, pull_request]
jobs:
nuclei:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: https://staging.target-app.com
severity: critical,high
templates: cves,owasp,misconfig
- name: Upload Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: nuclei.sarif
```
### Docker-Based CI/CD Scanning
```bash
# Run in CI/CD pipeline with Docker
docker run --rm \
-v $(pwd):/reports \
projectdiscovery/nuclei:latest \
-u $TARGET_URL \
-severity critical,high \
-json -jsonl-export /reports/nuclei-results.jsonl
# Check exit code and fail build on critical findings
if grep -q '"severity":"critical"' nuclei-results.jsonl; then
echo "Critical vulnerabilities detected!"
exit 1
fi
```
### Advanced Automation with Custom Scripts
```bash
# Automated multi-target scanning with parallel execution
./scripts/nuclei_bulk_scanner.sh \
--targets-file production-apps.txt \
--severity critical,high \
--slack-webhook $SLACK_WEBHOOK \
--output-dir scan-reports/
# Scheduled vulnerability monitoring
./scripts/nuclei_scheduler.sh \
--schedule daily \
--targets targets.txt \
--diff-mode \
--alert-on new-findings
```
For complete CI/CD integration examples, see `scripts/ci_integration_examples/`.
## Custom Template Development
Create organization-specific security templates:
```yaml
# custom-templates/api-key-exposure.yaml
id: custom-api-key-exposure
info:
name: Custom API Key Exposure Check
author: security-team
severity: high
description: Detects exposed API keys in custom application endpoints
tags: api,exposure,custom
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/config"
- "{{BaseURL}}/.env"
matchers-condition: and
matchers:
- type: word
words:
- "api_key"
- "secret_key"
- type: status
status:
- 200
extractors:
- type: regex
name: api_key
regex:
- 'api_key["\s:=]+([a-zA-Z0-9_-]{32,})'
```
**Template Development Resources:**
- `references/template_development.md` - Complete template authoring guide
- `assets/template_examples/` - Sample templates for common patterns
- [Nuclei Template Guide](https://docs.projectdiscovery.io/templates/introduction)
## Security Considerations
- **Authorization**: Obtain explicit written permission before scanning any systems not owned by your organization
- **Rate Limiting**: Configure appropriate rate limits to avoid overwhelming target applications or triggering DDoS protections
- **Production Safety**: Use conservative scan parameters (rate-limit 50, concurrency 10) for production environments
- **Sensitive Data**: Scan results may contain sensitive URLs, parameters, and application details - sanitize before sharing
- **False Positives**: Manually verify all critical and high severity findings before raising security incidents
- **Access Control**: Restrict access to scan results and templates containing organization-specific vulnerability patterns
- **Audit Logging**: Log all scan executions, targets, findings severity, and remediation actions for compliance
- **Legal Compliance**: Adhere to computer fraud and abuse laws; unauthorized scanning may violate laws
- **Credentials Management**: Never hardcode credentials in templates; use environment variables or secrets management
- **Scope Validation**: Double-check target lists to avoid scanning third-party or out-of-scope systems
## Bundled Resources
### Scripts (`scripts/`)
- `nuclei_ci.sh` - CI/CD integration wrapper with exit code handling and artifact generation
- `nuclei_auth_scan.py` - Authenticated scanning with multiple authentication methods (Bearer, API key, Cookie)
- `nuclei_bulk_scanner.sh` - Parallel scanning of multiple targets with aggregated reporting
- `nuclei_scheduler.sh` - Scheduled scanning with diff detection and alerting
- `parse_nuclei_results.py` - JSON/JSONL parser for generating HTML/CSV reports with severity grouping
- `nuclei_report_generator.py` - Comprehensive report generator with OWASP/CWE mappings and remediation guidance
- `template_validator.py` - Custom template validation and testing framework
### References (`references/`)
- `owasp_mapping.md` - OWASP Top 10 mapping for Nuclei findings
- `template_development.md` - Custom template authoring guide
- `authentication_patterns.md` - Advanced authentication patterns (OAuth, SAML, MFA)
- `false_positive_guide.md` - False positive identification and handling
### Assets (`assets/`)
- `github_actions.yml` - GitHub Actions workflow with SARIF export
- `nuclei_config.yaml` - Comprehensive configuration template
## Common Patterns
### Pattern 1: Progressive Severity Scanning
Start with critical vulnerabilities and progressively expand scope:
```bash
# Stage 1: Critical vulnerabilities only (fast)
nuclei -u https://target-app.com -severity critical -o critical.txt
# Stage 2: High severity if critical issues found
if [ -s critical.txt ]; then
nuclei -u https://target-app.com -severity high -o high.txt
fi
# Stage 3: Medium/Low for comprehensive assessment
nuclei -u https://target-app.com -severity medium,low -o all-findings.txt
```
### Pattern 2: Technology-Specific Scanning
Focus on known technology stack vulnerabilities:
```bash
# 1. Identify technologies
nuclei -u https://target-app.com -tags tech -o tech-detected.txt
# 2. Parse detected technologies
TECHS=$(grep -oP 'matched at \K\w+' tech-detected.txt | sort -u)
# 3. Scan for technology-specific vulnerabilities
for tech in $TECHS; do
nuclei -u https://target-app.com -tags $tech -severity critical,high -o vulns-$tech.txt
done
```
### Pattern 3: Multi-Stage API Security Testing
Comprehensive API security assessment:
```bash
# Stage 1: API discovery and fingerprinting
nuclei -u https://api.target.com -tags api,swagger,graphql -o api-discovery.txt
# Stage 2: Authentication testing
nuclei -u https://api.target.com -tags auth,jwt,oauth -o api-auth.txt
# Stage 3: Known API CVEs
nuclei -u https://api.target.com -tags api,cve -severity critical,high -o api-cves.txt
# Stage 4: Business logic testing with custom templates
nuclei -u https://api.target.com -t custom-templates/api/ -o api-custom.txt
```
### Pattern 4: Continuous Security Monitoring
```bash
# Daily scan with diff detection
nuclei -u https://production-app.com \
-severity critical,high -tags cve \
-json -jsonl-export scan-$(date +%Y%m%d).jsonl
# Use bundled scripts for diff analysis and alerting
```
## Integration Points
- **CI/CD**: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure DevOps, Travis CI
- **Issue Tracking**: Jira, GitHub Issues, ServiceNow, Linear (via SARIF or custom scripts)
- **Security Platforms**: Defect Dojo, Splunk, ELK Stack, SIEM platforms (via JSON export)
- **Notification**: Slack, Microsoft Teams, Discord, PagerDuty, email (via webhook scripts)
- **SDLC**: Pre-deployment scanning, security regression testing, vulnerability monitoring
- **Cloud Platforms**: AWS Lambda, Google Cloud Functions, Azure Functions (serverless scanning)
- **Reporting**: HTML, JSON, JSONL, SARIF, Markdown, CSV formats
## Troubleshooting
Common issues and solutions:
- **Too Many False Positives**: Filter by severity (`-severity critical,high`), exclude tags (`-etags tech,info`). See `references/false_positive_guide.md`
- **Incomplete Coverage**: Verify templates loaded (`nuclei -tl | wc -l`), update templates (`nuclei -update-templates`)
- **Rate Limiting/WAF**: Reduce aggressiveness (`-rate-limit 20 -concurrency 5 -timeout 15`)
- **High Resource Usage**: Reduce parallelism (`-concurrency 5 -bulk-size 5`)
- **Auth Headers Not Working**: Debug with `-debug`, verify token format, see `references/authentication_patterns.md`
## References
- [Nuclei Documentation](https://docs.projectdiscovery.io/tools/nuclei/overview)
- [Nuclei Templates Repository](https://github.com/projectdiscovery/nuclei-templates)
- [OWASP Top 10](https://owasp.org/Top10/)
- [CWE Database](https://cwe.mitre.org/)

9
skills/appsec/dast-nuclei/assets/.gitkeep Normal file
View File

@@ -0,0 +1,9 @@
# Assets Directory
Place files that will be used in the output Claude produces:
- Templates
- Configuration files
- Images/logos
- Boilerplate code
These files are NOT loaded into context but copied/modified in output.

357
skills/appsec/dast-nuclei/assets/ci-config-template.yml Normal file
View File

@@ -0,0 +1,357 @@
# Security-Enhanced CI/CD Pipeline Template
#
# This template demonstrates security best practices for CI/CD pipelines.
# Adapt this template to your specific security tool and workflow needs.
#
# Key Security Features:
# - SAST (Static Application Security Testing)
# - Dependency vulnerability scanning
# - Secrets detection
# - Infrastructure-as-Code security scanning
# - Container image scanning
# - Security artifact uploading for compliance
name: Security Scan Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Run weekly security scans on Sunday at 2 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch: # Allow manual trigger
# Security: Restrict permissions to minimum required
permissions:
contents: read
security-events: write # For uploading SARIF results
pull-requests: write # For commenting on PRs
env:
# Configuration
SECURITY_SCAN_FAIL_ON: 'critical,high' # Fail build on these severities
REPORT_DIR: 'security-reports'
jobs:
# Job 1: Static Application Security Testing (SAST)
sast-scan:
name: SAST Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better analysis
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Run SAST Scanner
run: |
# Example: Using Semgrep for SAST
pip install semgrep
semgrep --config=auto \
--json \
--output ${{ env.REPORT_DIR }}/sast-results.json \
. || true
# Alternative: Bandit for Python projects
# pip install bandit
# bandit -r . -f json -o ${{ env.REPORT_DIR }}/bandit-results.json
- name: Process SAST Results
run: |
# Parse results and fail on critical/high severity
python3 -c "
import json
import sys
with open('${{ env.REPORT_DIR }}/sast-results.json') as f:
results = json.load(f)
critical = len([r for r in results.get('results', []) if r.get('extra', {}).get('severity') == 'ERROR'])
high = len([r for r in results.get('results', []) if r.get('extra', {}).get('severity') == 'WARNING'])
print(f'Critical findings: {critical}')
print(f'High findings: {high}')
if critical > 0:
print('❌ Build failed: Critical security issues found')
sys.exit(1)
elif high > 0:
print('⚠️ Warning: High severity issues found')
# Optionally fail on high severity
# sys.exit(1)
else:
print('✅ No critical security issues found')
"
- name: Upload SAST Results
if: always()
uses: actions/upload-artifact@v4
with:
name: sast-results
path: ${{ env.REPORT_DIR }}/sast-results.json
retention-days: 30
# Job 2: Dependency Vulnerability Scanning
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Scan Python Dependencies
if: hashFiles('requirements.txt') != ''
run: |
pip install safety
safety check \
--json \
--output ${{ env.REPORT_DIR }}/safety-results.json \
|| true
- name: Scan Node Dependencies
if: hashFiles('package.json') != ''
run: |
npm audit --json > ${{ env.REPORT_DIR }}/npm-audit.json || true
- name: Process Dependency Results
run: |
# Check for critical vulnerabilities
if [ -f "${{ env.REPORT_DIR }}/safety-results.json" ]; then
critical_count=$(python3 -c "import json; data=json.load(open('${{ env.REPORT_DIR }}/safety-results.json')); print(len([v for v in data.get('vulnerabilities', []) if v.get('severity', '').lower() == 'critical']))")
echo "Critical vulnerabilities: $critical_count"
if [ "$critical_count" -gt "0" ]; then
echo "❌ Build failed: Critical vulnerabilities in dependencies"
exit 1
fi
fi
- name: Upload Dependency Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: dependency-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 3: Secrets Detection
secrets-scan:
name: Secrets Detection
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history to scan all commits
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_SUMMARY: true
- name: Alternative - TruffleHog Scan
if: false # Set to true to enable
run: |
pip install truffleHog
trufflehog --json --regex --entropy=True . \
> ${{ env.REPORT_DIR }}/trufflehog-results.json || true
- name: Upload Secrets Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: secrets-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 4: Container Image Scanning
container-scan:
name: Container Image Security Scan
runs-on: ubuntu-latest
if: hashFiles('Dockerfile') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker Image
run: |
docker build -t app:${{ github.sha }} .
- name: Run Trivy Scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: app:${{ github.sha }}
format: 'sarif'
output: '${{ env.REPORT_DIR }}/trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy Results to GitHub Security
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: '${{ env.REPORT_DIR }}/trivy-results.sarif'
- name: Upload Container Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: container-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 5: Infrastructure-as-Code Security Scanning
iac-scan:
name: IaC Security Scan
runs-on: ubuntu-latest
if: hashFiles('**/*.tf', '**/*.yaml', '**/*.yml') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov
run: |
pip install checkov
checkov -d . \
--output json \
--output-file ${{ env.REPORT_DIR }}/checkov-results.json \
--quiet \
|| true
- name: Run tfsec (for Terraform)
if: hashFiles('**/*.tf') != ''
run: |
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
tfsec . \
--format json \
--out ${{ env.REPORT_DIR }}/tfsec-results.json \
|| true
- name: Process IaC Results
run: |
# Fail on critical findings
if [ -f "${{ env.REPORT_DIR }}/checkov-results.json" ]; then
critical_count=$(python3 -c "import json; data=json.load(open('${{ env.REPORT_DIR }}/checkov-results.json')); print(data.get('summary', {}).get('failed', 0))")
echo "Failed checks: $critical_count"
if [ "$critical_count" -gt "0" ]; then
echo "⚠️ Warning: IaC security issues found"
# Optionally fail the build
# exit 1
fi
fi
- name: Upload IaC Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: iac-scan-results
path: ${{ env.REPORT_DIR }}/
retention-days: 30
# Job 6: Security Report Generation and Notification
security-report:
name: Generate Security Report
runs-on: ubuntu-latest
needs: [sast-scan, dependency-scan, secrets-scan]
if: always()
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download All Scan Results
uses: actions/download-artifact@v4
with:
path: all-results/
- name: Generate Consolidated Report
run: |
# Consolidate all security scan results
mkdir -p consolidated-report
cat > consolidated-report/security-summary.md << 'EOF'
# Security Scan Summary
**Scan Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
**Commit**: ${{ github.sha }}
**Branch**: ${{ github.ref_name }}
## Scan Results
### SAST Scan
See artifacts: `sast-results`
### Dependency Scan
See artifacts: `dependency-scan-results`
### Secrets Scan
See artifacts: `secrets-scan-results`
### Container Scan
See artifacts: `container-scan-results`
### IaC Scan
See artifacts: `iac-scan-results`
---
For detailed results, download scan artifacts from this workflow run.
EOF
- name: Comment on PR (if applicable)
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('consolidated-report/security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: report
});
- name: Upload Consolidated Report
if: always()
uses: actions/upload-artifact@v4
with:
name: consolidated-security-report
path: consolidated-report/
retention-days: 90
# Security Best Practices Demonstrated:
#
# 1. ✅ Minimal permissions (principle of least privilege)
# 2. ✅ Multiple security scan types (defense in depth)
# 3. ✅ Fail-fast on critical findings
# 4. ✅ Secrets detection across full git history
# 5. ✅ Container image scanning before deployment
# 6. ✅ IaC scanning for misconfigurations
# 7. ✅ Artifact retention for compliance audit trail
# 8. ✅ SARIF format for GitHub Security integration
# 9. ✅ Scheduled scans for continuous monitoring
# 10. ✅ PR comments for developer feedback
#
# Compliance Mappings:
# - SOC 2: CC6.1, CC6.6, CC7.2 (Security monitoring and logging)
# - PCI-DSS: 6.2, 6.5 (Secure development practices)
# - NIST: SA-11 (Developer Security Testing)
# - OWASP: Integrated security testing throughout SDLC

192
skills/appsec/dast-nuclei/assets/github_actions.yml Normal file
View File

@@ -0,0 +1,192 @@
# GitHub Actions Workflow for Nuclei Security Scanning
# Place this file in .github/workflows/nuclei-scan.yml
name: Nuclei Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
target_url:
description: 'Target URL to scan'
required: true
default: 'https://staging.example.com'
severity:
description: 'Severity levels (comma-separated)'
required: false
default: 'critical,high'
env:
# Default target URL (override with workflow_dispatch input)
TARGET_URL: https://staging.example.com
# Severity levels to scan
SEVERITY: critical,high
# Template tags to use
TEMPLATE_TAGS: cve,owasp,misconfig
jobs:
nuclei-scan:
name: Nuclei Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Run Nuclei Scan
id: nuclei
uses: projectdiscovery/nuclei-action@main
with:
target: ${{ github.event.inputs.target_url || env.TARGET_URL }}
severity: ${{ github.event.inputs.severity || env.SEVERITY }}
templates: ${{ env.TEMPLATE_TAGS }}
output: nuclei-results.jsonl
- name: Parse Nuclei Results
if: always()
run: |
# Install dependencies (if using custom parser)
# pip install -r requirements.txt
# Parse results and generate HTML report
if [ -f nuclei-results.jsonl ]; then
echo "Parsing Nuclei results..."
python3 scripts/parse_nuclei_results.py \
--input nuclei-results.jsonl \
--output nuclei-report.html \
--format html
# Count findings by severity
CRITICAL=$(grep -c '"severity":"critical"' nuclei-results.jsonl || echo 0)
HIGH=$(grep -c '"severity":"high"' nuclei-results.jsonl || echo 0)
TOTAL=$(wc -l < nuclei-results.jsonl)
echo "## Nuclei Scan Results" >> $GITHUB_STEP_SUMMARY
echo "- **Total Findings**: $TOTAL" >> $GITHUB_STEP_SUMMARY
echo "- **Critical**: $CRITICAL" >> $GITHUB_STEP_SUMMARY
echo "- **High**: $HIGH" >> $GITHUB_STEP_SUMMARY
# Set outputs
echo "critical=$CRITICAL" >> $GITHUB_OUTPUT
echo "high=$HIGH" >> $GITHUB_OUTPUT
echo "total=$TOTAL" >> $GITHUB_OUTPUT
else
echo "No findings detected" >> $GITHUB_STEP_SUMMARY
echo "critical=0" >> $GITHUB_OUTPUT
echo "high=0" >> $GITHUB_OUTPUT
echo "total=0" >> $GITHUB_OUTPUT
fi
- name: Upload SARIF file
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: nuclei.sarif
category: nuclei
- name: Upload Artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: nuclei-scan-results
path: |
nuclei-results.jsonl
nuclei-report.html
nuclei.sarif
retention-days: 30
- name: Comment on PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v7
with:
script: |
const critical = '${{ steps.nuclei.outputs.critical || 0 }}';
const high = '${{ steps.nuclei.outputs.high || 0 }}';
const total = '${{ steps.nuclei.outputs.total || 0 }}';
const body = `## 🔒 Nuclei Security Scan Results
| Severity | Count |
|----------|-------|
| Critical | ${critical} |
| High | ${high} |
| **Total** | **${total}** |
${critical > 0 ? '⚠️ **Critical vulnerabilities detected!**' : ''}
${high > 0 ? '⚠️ High severity vulnerabilities detected.' : ''}
View detailed results in the [workflow artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}).`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
- name: Fail on Critical Findings
if: steps.nuclei.outputs.critical > 0
run: |
echo "::error::Critical vulnerabilities detected!"
exit 1
- name: Notify on Slack
if: failure() && steps.nuclei.outputs.critical > 0
uses: slackapi/slack-github-action@v1
with:
payload: |
{
"text": "🚨 Critical vulnerabilities detected in ${{ github.repository }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Critical Security Vulnerabilities Detected*\n\n*Repository:* ${{ github.repository }}\n*Branch:* ${{ github.ref_name }}\n*Critical Findings:* ${{ steps.nuclei.outputs.critical }}\n*High Findings:* ${{ steps.nuclei.outputs.high }}\n\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Scan Results>"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
# Optional: Separate job for authenticated scanning
nuclei-authenticated-scan:
name: Nuclei Authenticated Scan
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' # Only run on main branch
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Authenticated Scan
uses: projectdiscovery/nuclei-action@main
with:
target: ${{ env.TARGET_URL }}
severity: critical,high
templates: cve,owasp
# Add authentication headers from secrets
headers: |
Authorization: Bearer ${{ secrets.API_TOKEN }}
Cookie: session=${{ secrets.SESSION_COOKIE }}
output: nuclei-auth-results.jsonl
- name: Upload Authenticated Results
if: always()
uses: actions/upload-artifact@v4
with:
name: nuclei-authenticated-scan-results
path: nuclei-auth-results.jsonl
retention-days: 30

225
skills/appsec/dast-nuclei/assets/nuclei_config.yaml Normal file
View File

@@ -0,0 +1,225 @@
# Nuclei Configuration File
# Save as ~/.config/nuclei/config.yaml or specify with -config flag
# Template configuration
templates:
# Auto-update templates on each run
update-templates: true
# Template directory (default: ~/.nuclei-templates/)
# templates-directory: /custom/path/to/templates
# Custom template paths
# custom-templates:
# - /path/to/custom/templates/
# - /path/to/organization/templates/
# Scan configuration
severity:
- critical
- high
# - medium
# - low
# - info
# Rate limiting (requests per second)
rate-limit: 50
# Concurrency (parallel template execution)
concurrency: 10
# Bulk size (parallel host scanning)
bulk-size: 10
# Timeout per request (seconds)
timeout: 10
# Retries for failed requests
retries: 1
# HTTP configuration
http:
# User agent
user-agent: "Mozilla/5.0 (compatible; Nuclei/3.0)"
# Follow redirects
follow-redirects: true
# Max redirects to follow
max-redirects: 3
# Custom headers (applied to all requests)
# headers:
# - "X-Custom-Header: value"
# - "Authorization: Bearer token"
# Proxy configuration
# proxy: http://proxy.example.com:8080
# proxy-socks: socks5://proxy.example.com:1080
# Network configuration
network:
# Disable SSL/TLS verification (use with caution)
# disable-ssl-verification: false
# Enable HTTP/2
# disable-http2: false
# Output configuration
output:
# Silent mode (only show findings)
silent: false
# Verbose mode (detailed output)
verbose: false
# No color output
no-color: false
# JSON output
json: false
# JSONL output (one JSON per line)
jsonl: true
# SARIF output
# sarif: true
# Markdown output
# markdown: false
# Filtering configuration
filters:
# Exclude templates by ID
# exclude-ids:
# - template-id-1
# - template-id-2
# Exclude templates by tag
# exclude-tags:
# - tech
# - info
# Exclude severity levels
# exclude-severity:
# - info
# Include only specific tags
# tags:
# - cve
# - owasp
# Include only specific templates
# include-templates:
# - /path/to/template.yaml
# Performance tuning
performance:
# Maximum number of templates to run
# max-templates: 1000
# Maximum number of hosts to scan
# max-hosts: 10000
# Memory optimization (reduces memory usage)
# stream: true
# Disable update check
# disable-update-check: false
# CI/CD specific settings
ci:
# Fail on findings (exit code 1 if vulnerabilities found)
# fail-on-severity:
# - critical
# - high
# No interactive prompts
# no-interaction: true
# Suppress progress bars
# no-progress: true
# Authentication configuration
authentication:
# For authenticated scanning, use headers or custom authentication scripts
# See authentication_patterns.md reference for details
# Example: Bearer token authentication
# headers:
# - "Authorization: Bearer ${API_TOKEN}"
# Example: Cookie-based authentication
# headers:
# - "Cookie: session=${SESSION_COOKIE}"
# Reporting configuration
reporting:
# Report directory
# report-directory: ./nuclei-reports
# Report format
# report-format: json
# Include timestamp in filenames
# include-timestamp: true
# Advanced configuration
advanced:
# Follow host redirects (allow redirects to different hosts)
# follow-host-redirects: false
# Maximum response body size to read (in KB)
# max-response-size: 10240
# Include request/response in output
# include-rr: false
# Store response
# store-response: false
# Store response directory
# store-response-dir: ./responses/
# Exclude configuration (global exclusions)
exclude:
# Exclude specific hosts
# hosts:
# - https://safe-domain.com
# - https://third-party.com
# Exclude URL patterns (regex)
# urls:
# - ".*\\.js$"
# - ".*\\.css$"
# - ".*logout.*"
# Interactsh configuration (for OAST testing)
interactsh:
# Enable interactsh
# enable: true
# Custom interactsh server
# server: https://interact.sh
# Disable automatic polling
# disable-polling: false
# Cloud configuration (for cloud-specific templates)
cloud:
# Enable cloud metadata service checks
# enable-metadata: true
# Debug configuration
debug:
# Enable debug mode
# enable: false
# Debug requests
# debug-req: false
# Debug responses
# debug-resp: false
# Example usage:
# nuclei -u https://target.com -config nuclei_config.yaml

355
skills/appsec/dast-nuclei/assets/rule-template.yaml Normal file
View File

@@ -0,0 +1,355 @@
# Security Rule Template
#
# This template demonstrates how to structure security rules/policies.
# Adapt this template to your specific security tool (Semgrep, OPA, etc.)
#
# Rule Structure Best Practices:
# - Clear rule ID and metadata
# - Severity classification
# - Framework mappings (OWASP, CWE)
# - Remediation guidance
# - Example vulnerable and fixed code
rules:
# Example Rule 1: SQL Injection Detection
- id: sql-injection-string-concatenation
metadata:
name: "SQL Injection via String Concatenation"
description: "Detects potential SQL injection vulnerabilities from string concatenation in SQL queries"
severity: "HIGH"
category: "security"
subcategory: "injection"
# Security Framework Mappings
owasp:
- "A03:2021 - Injection"
cwe:
- "CWE-89: SQL Injection"
mitre_attack:
- "T1190: Exploit Public-Facing Application"
# Compliance Standards
compliance:
- "PCI-DSS 6.5.1: Injection flaws"
- "NIST 800-53 SI-10: Information Input Validation"
# Confidence and Impact
confidence: "HIGH"
likelihood: "HIGH"
impact: "HIGH"
# References
references:
- "https://owasp.org/www-community/attacks/SQL_Injection"
- "https://cwe.mitre.org/data/definitions/89.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html"
# Languages this rule applies to
languages:
- python
- javascript
- java
- go
# Detection Pattern (example using Semgrep-style syntax)
pattern-either:
- pattern: |
cursor.execute($SQL + $VAR)
- pattern: |
cursor.execute(f"... {$VAR} ...")
- pattern: |
cursor.execute("..." + $VAR + "...")
# What to report when found
message: |
Potential SQL injection vulnerability detected. SQL query is constructed using
string concatenation or f-strings with user input. This allows attackers to
inject malicious SQL code.
Use parameterized queries instead:
- Python: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
- JavaScript: db.query("SELECT * FROM users WHERE id = $1", [userId])
See: https://owasp.org/www-community/attacks/SQL_Injection
# Suggested fix (auto-fix if supported)
fix: |
Use parameterized queries with placeholders
# Example vulnerable code
examples:
- vulnerable: |
# Vulnerable: String concatenation
user_id = request.GET['id']
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
- fixed: |
# Fixed: Parameterized query
user_id = request.GET['id']
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
# Example Rule 2: Hardcoded Secrets Detection
- id: hardcoded-secret-credential
metadata:
name: "Hardcoded Secret or Credential"
description: "Detects hardcoded secrets, API keys, passwords, or tokens in source code"
severity: "CRITICAL"
category: "security"
subcategory: "secrets"
owasp:
- "A07:2021 - Identification and Authentication Failures"
cwe:
- "CWE-798: Use of Hard-coded Credentials"
- "CWE-259: Use of Hard-coded Password"
compliance:
- "PCI-DSS 8.2.1: Use of strong cryptography"
- "SOC 2 CC6.1: Logical access controls"
- "GDPR Article 32: Security of processing"
confidence: "MEDIUM"
likelihood: "HIGH"
impact: "CRITICAL"
references:
- "https://cwe.mitre.org/data/definitions/798.html"
- "https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password"
languages:
- python
- javascript
- java
- go
- ruby
pattern-either:
- pattern: |
password = "..."
- pattern: |
api_key = "..."
- pattern: |
secret = "..."
- pattern: |
token = "..."
pattern-not: |
$VAR = ""
message: |
Potential hardcoded secret detected. Hardcoding credentials in source code
is a critical security vulnerability that can lead to unauthorized access
if the code is exposed.
Use environment variables or a secrets management system instead:
- Python: os.environ.get('API_KEY')
- Node.js: process.env.API_KEY
- Secrets Manager: AWS Secrets Manager, HashiCorp Vault, etc.
See: https://cwe.mitre.org/data/definitions/798.html
examples:
- vulnerable: |
# Vulnerable: Hardcoded API key
api_key = "sk-1234567890abcdef"
api.authenticate(api_key)
- fixed: |
# Fixed: Environment variable
import os
api_key = os.environ.get('API_KEY')
if not api_key:
raise ValueError("API_KEY environment variable not set")
api.authenticate(api_key)
# Example Rule 3: XSS via Unsafe HTML Rendering
- id: xss-unsafe-html-rendering
metadata:
name: "Cross-Site Scripting (XSS) via Unsafe HTML"
description: "Detects unsafe HTML rendering that could lead to XSS vulnerabilities"
severity: "HIGH"
category: "security"
subcategory: "xss"
owasp:
- "A03:2021 - Injection"
cwe:
- "CWE-79: Cross-site Scripting (XSS)"
- "CWE-80: Improper Neutralization of Script-Related HTML Tags"
compliance:
- "PCI-DSS 6.5.7: Cross-site scripting"
- "NIST 800-53 SI-10: Information Input Validation"
confidence: "HIGH"
likelihood: "MEDIUM"
impact: "HIGH"
references:
- "https://owasp.org/www-community/attacks/xss/"
- "https://cwe.mitre.org/data/definitions/79.html"
- "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
languages:
- javascript
- typescript
- jsx
- tsx
pattern-either:
- pattern: |
dangerouslySetInnerHTML={{__html: $VAR}}
- pattern: |
innerHTML = $VAR
message: |
Potential XSS vulnerability detected. Setting HTML content directly from
user input without sanitization can allow attackers to inject malicious
JavaScript code.
Use one of these safe alternatives:
- React: Use {userInput} for automatic escaping
- DOMPurify: const clean = DOMPurify.sanitize(dirty);
- Framework-specific sanitizers
See: https://owasp.org/www-community/attacks/xss/
examples:
- vulnerable: |
// Vulnerable: Unsanitized HTML
function UserComment({ comment }) {
return <div dangerouslySetInnerHTML={{__html: comment}} />;
}
- fixed: |
// Fixed: Sanitized with DOMPurify
import DOMPurify from 'dompurify';
function UserComment({ comment }) {
const sanitized = DOMPurify.sanitize(comment);
return <div dangerouslySetInnerHTML={{__html: sanitized}} />;
}
# Example Rule 4: Insecure Cryptography
- id: weak-cryptographic-algorithm
metadata:
name: "Weak Cryptographic Algorithm"
description: "Detects use of weak or deprecated cryptographic algorithms"
severity: "HIGH"
category: "security"
subcategory: "cryptography"
owasp:
- "A02:2021 - Cryptographic Failures"
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
- "CWE-326: Inadequate Encryption Strength"
compliance:
- "PCI-DSS 4.1: Use strong cryptography"
- "NIST 800-53 SC-13: Cryptographic Protection"
- "GDPR Article 32: Security of processing"
confidence: "HIGH"
likelihood: "MEDIUM"
impact: "HIGH"
references:
- "https://cwe.mitre.org/data/definitions/327.html"
- "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/"
languages:
- python
- javascript
- java
pattern-either:
- pattern: |
hashlib.md5(...)
- pattern: |
hashlib.sha1(...)
- pattern: |
crypto.createHash('md5')
- pattern: |
crypto.createHash('sha1')
message: |
Weak cryptographic algorithm detected (MD5 or SHA1). These algorithms are
considered cryptographically broken and should not be used for security purposes.
Use strong alternatives:
- For hashing: SHA-256, SHA-384, or SHA-512
- For password hashing: bcrypt, argon2, or PBKDF2
- Python: hashlib.sha256()
- Node.js: crypto.createHash('sha256')
See: https://cwe.mitre.org/data/definitions/327.html
examples:
- vulnerable: |
# Vulnerable: MD5 hash
import hashlib
hash_value = hashlib.md5(data).hexdigest()
- fixed: |
# Fixed: SHA-256 hash
import hashlib
hash_value = hashlib.sha256(data).hexdigest()
# Rule Configuration
configuration:
# Global settings
enabled: true
severity_threshold: "MEDIUM" # Report findings at MEDIUM severity and above
# Performance tuning
max_file_size_kb: 1024
exclude_patterns:
- "test/*"
- "tests/*"
- "node_modules/*"
- "vendor/*"
- "*.min.js"
# False positive reduction
confidence_threshold: "MEDIUM" # Only report findings with MEDIUM confidence or higher
# Rule Metadata Schema
# This section documents the expected structure for rules
metadata_schema:
required:
- id: "Unique identifier for the rule (kebab-case)"
- name: "Human-readable rule name"
- description: "What the rule detects"
- severity: "CRITICAL | HIGH | MEDIUM | LOW | INFO"
- category: "security | best-practice | performance"
optional:
- subcategory: "Specific type (injection, xss, secrets, etc.)"
- owasp: "OWASP Top 10 mappings"
- cwe: "CWE identifier(s)"
- mitre_attack: "MITRE ATT&CK technique(s)"
- compliance: "Compliance standard references"
- confidence: "Detection confidence level"
- likelihood: "Likelihood of exploitation"
- impact: "Potential impact if exploited"
- references: "External documentation links"
# Usage Instructions:
#
# 1. Copy this template when creating new security rules
# 2. Update metadata fields with appropriate framework mappings
# 3. Customize detection patterns for your tool (Semgrep, OPA, etc.)
# 4. Provide clear remediation guidance in the message field
# 5. Include both vulnerable and fixed code examples
# 6. Test rules on real codebases before deployment
#
# Best Practices:
# - Map to multiple frameworks (OWASP, CWE, MITRE ATT&CK)
# - Include compliance standard references
# - Provide actionable remediation guidance
# - Show code examples (vulnerable vs. fixed)
# - Tune confidence levels to reduce false positives
# - Exclude test directories to reduce noise

550
skills/appsec/dast-nuclei/references/EXAMPLE.md Normal file
View File

@@ -0,0 +1,550 @@
# Reference Document Template
This file demonstrates how to structure detailed reference material that Claude loads on-demand.
**When to use this reference**: Include a clear statement about when Claude should consult this document.
For example: "Consult this reference when analyzing Python code for security vulnerabilities and needing detailed remediation patterns."
**Document purpose**: Briefly explain what this reference provides that's not in SKILL.md.
---
## Table of Contents
**For documents >100 lines, always include a table of contents** to help Claude navigate quickly.
- [When to Use References](#when-to-use-references)
- [Document Organization](#document-organization)
- [Detailed Technical Content](#detailed-technical-content)
- [Security Framework Mappings](#security-framework-mappings)
- [OWASP Top 10](#owasp-top-10)
- [CWE Mappings](#cwe-mappings)
- [MITRE ATT&CK](#mitre-attck)
- [Remediation Patterns](#remediation-patterns)
- [Advanced Configuration](#advanced-configuration)
- [Examples and Code Samples](#examples-and-code-samples)
---
## When to Use References
**Move content from SKILL.md to references/** when:
1. **Content exceeds 100 lines** - Keep SKILL.md concise
2. **Framework-specific details** - Detailed OWASP/CWE/MITRE mappings
3. **Advanced user content** - Deep technical details for expert users
4. **Lookup-oriented content** - Rule libraries, configuration matrices, comprehensive lists
5. **Language-specific patterns** - Separate files per language/framework
6. **Historical context** - Old patterns and deprecated approaches
**Keep in SKILL.md**:
- Core workflows (top 3-5 use cases)
- Decision points and branching logic
- Quick start guidance
- Essential security considerations
---
## Document Organization
### Structure for Long Documents
For references >100 lines:
```markdown
# Title
**When to use**: Clear trigger statement
**Purpose**: What this provides
## Table of Contents
- Links to all major sections
## Quick Reference
- Key facts or commands for fast lookup
## Detailed Content
- Comprehensive information organized logically
## Framework Mappings
- OWASP, CWE, MITRE ATT&CK references
## Examples
- Code samples and patterns
```
### Section Naming Conventions
- Use **imperative** or **declarative** headings
- ✅ "Detecting SQL Injection" not "How to detect SQL Injection"
- ✅ "Common Patterns" not "These are common patterns"
- Make headings **searchable** and **specific**
---
## Detailed Technical Content
This section demonstrates the type of detailed content that belongs in references rather than SKILL.md.
### Example: Comprehensive Vulnerability Detection
#### SQL Injection Detection Patterns
**Pattern 1: String Concatenation in Queries**
```python
# Vulnerable pattern
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
# Detection criteria:
# - SQL keyword (SELECT, INSERT, UPDATE, DELETE)
# - String concatenation operator (+, f-string)
# - Variable user input (request params, form data)
# Severity: HIGH
# CWE: CWE-89
# OWASP: A03:2021 - Injection
```
**Remediation**:
```python
# Fixed: Parameterized query
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
# OR using ORM
user = User.objects.get(id=user_id)
```
**Pattern 2: Unsafe String Formatting**
```python
# Vulnerable patterns
query = f"SELECT * FROM users WHERE name = '{username}'"
query = "SELECT * FROM users WHERE name = '%s'" % username
query = "SELECT * FROM users WHERE name = '{}'".format(username)
# All three patterns are vulnerable to SQL injection
```
#### Cross-Site Scripting (XSS) Detection
**Pattern 1: Unescaped Output in Templates**
```javascript
// Vulnerable: Direct HTML injection
element.innerHTML = userInput;
document.write(userInput);
// Vulnerable: React dangerouslySetInnerHTML
<div dangerouslySetInnerHTML={{__html: userComment}} />
// Detection criteria:
# - Direct DOM manipulation (innerHTML, document.write)
# - React dangerouslySetInnerHTML with user data
# - Template engines with autoescaping disabled
// Severity: HIGH
// CWE: CWE-79
// OWASP: A03:2021 - Injection
```
**Remediation**:
```javascript
// Fixed: Escaped output
element.textContent = userInput; // Auto-escapes
// Fixed: Sanitization library
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userComment);
<div dangerouslySetInnerHTML={{__html: clean}} />
```
---
## Security Framework Mappings
This section provides comprehensive security framework mappings for findings.
### OWASP Top 10
Map security findings to OWASP Top 10 (2021) categories:
| Category | Title | Common Vulnerabilities |
|----------|-------|----------------------|
| **A01:2021** | Broken Access Control | Authorization bypass, privilege escalation, IDOR |
| **A02:2021** | Cryptographic Failures | Weak crypto, plaintext storage, insecure TLS |
| **A03:2021** | Injection | SQL injection, XSS, command injection, LDAP injection |
| **A04:2021** | Insecure Design | Missing security controls, threat modeling gaps |
| **A05:2021** | Security Misconfiguration | Default configs, verbose errors, unnecessary features |
| **A06:2021** | Vulnerable Components | Outdated libraries, unpatched dependencies |
| **A07:2021** | Auth & Session Failures | Weak passwords, session fixation, missing MFA |
| **A08:2021** | Software & Data Integrity | Unsigned updates, insecure CI/CD, deserialization |
| **A09:2021** | Logging & Monitoring Failures | Insufficient logging, no alerting, log injection |
| **A10:2021** | SSRF | Server-side request forgery, unvalidated redirects |
**Usage**: When reporting findings, map to primary OWASP category and reference the identifier (e.g., "A03:2021 - Injection").
### CWE Mappings
Map to relevant Common Weakness Enumeration categories for precise vulnerability classification:
#### Injection Vulnerabilities
- **CWE-78**: OS Command Injection
- **CWE-79**: Cross-site Scripting (XSS)
- **CWE-89**: SQL Injection
- **CWE-90**: LDAP Injection
- **CWE-91**: XML Injection
- **CWE-94**: Code Injection
#### Authentication & Authorization
- **CWE-287**: Improper Authentication
- **CWE-288**: Authentication Bypass Using Alternate Path
- **CWE-290**: Authentication Bypass by Spoofing
- **CWE-294**: Authentication Bypass by Capture-replay
- **CWE-306**: Missing Authentication for Critical Function
- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
- **CWE-352**: Cross-Site Request Forgery (CSRF)
#### Cryptographic Issues
- **CWE-256**: Plaintext Storage of Password
- **CWE-259**: Use of Hard-coded Password
- **CWE-261**: Weak Encoding for Password
- **CWE-321**: Use of Hard-coded Cryptographic Key
- **CWE-326**: Inadequate Encryption Strength
- **CWE-327**: Use of Broken or Risky Cryptographic Algorithm
- **CWE-329**: Not Using a Random IV with CBC Mode
- **CWE-798**: Use of Hard-coded Credentials
#### Input Validation
- **CWE-20**: Improper Input Validation
- **CWE-73**: External Control of File Name or Path
- **CWE-434**: Unrestricted Upload of File with Dangerous Type
- **CWE-601**: URL Redirection to Untrusted Site
#### Sensitive Data Exposure
- **CWE-200**: Information Exposure
- **CWE-209**: Information Exposure Through Error Message
- **CWE-312**: Cleartext Storage of Sensitive Information
- **CWE-319**: Cleartext Transmission of Sensitive Information
- **CWE-532**: Information Exposure Through Log Files
**Usage**: Include CWE identifier in all vulnerability reports for standardized classification.
### MITRE ATT&CK
Reference relevant tactics and techniques for threat context:
#### Initial Access (TA0001)
- **T1190**: Exploit Public-Facing Application
- **T1133**: External Remote Services
- **T1078**: Valid Accounts
#### Execution (TA0002)
- **T1059**: Command and Scripting Interpreter
- **T1203**: Exploitation for Client Execution
#### Persistence (TA0003)
- **T1098**: Account Manipulation
- **T1136**: Create Account
- **T1505**: Server Software Component
#### Privilege Escalation (TA0004)
- **T1068**: Exploitation for Privilege Escalation
- **T1548**: Abuse Elevation Control Mechanism
#### Defense Evasion (TA0005)
- **T1027**: Obfuscated Files or Information
- **T1140**: Deobfuscate/Decode Files or Information
- **T1562**: Impair Defenses
#### Credential Access (TA0006)
- **T1110**: Brute Force
- **T1555**: Credentials from Password Stores
- **T1552**: Unsecured Credentials
#### Discovery (TA0007)
- **T1083**: File and Directory Discovery
- **T1046**: Network Service Scanning
#### Collection (TA0009)
- **T1005**: Data from Local System
- **T1114**: Email Collection
#### Exfiltration (TA0010)
- **T1041**: Exfiltration Over C2 Channel
- **T1567**: Exfiltration Over Web Service
**Usage**: When identifying vulnerabilities, consider which ATT&CK techniques an attacker could use to exploit them.
---
## Remediation Patterns
This section provides specific remediation guidance for common vulnerability types.
### SQL Injection Remediation
**Step 1: Identify vulnerable queries**
- Search for string concatenation in SQL queries
- Check for f-strings or format() with SQL keywords
- Review all database interaction code
**Step 2: Apply parameterized queries**
```python
# Python with sqlite3
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
# Python with psycopg2 (PostgreSQL)
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# Python with SQLAlchemy (ORM)
from sqlalchemy import text
result = session.execute(text("SELECT * FROM users WHERE id = :id"), {"id": user_id})
```
**Step 3: Validate and sanitize input** (defense in depth)
```python
import re
# Validate input format
if not re.match(r'^\d+$', user_id):
raise ValueError("Invalid user ID format")
# Use ORM query builders
user = User.query.filter_by(id=user_id).first()
```
**Step 4: Implement least privilege**
- Database user should have minimum required permissions
- Use read-only accounts for SELECT operations
- Never use admin/root accounts for application queries
### XSS Remediation
**Step 1: Enable auto-escaping**
- Most modern frameworks escape by default
- Ensure auto-escaping is not disabled
**Step 2: Use framework-specific safe methods**
```javascript
// React: Use JSX (auto-escapes)
<div>{userInput}</div>
// Vue: Use template syntax (auto-escapes)
<div>{{ userInput }}</div>
// Angular: Use property binding (auto-escapes)
<div [textContent]="userInput"></div>
```
**Step 3: Sanitize when HTML is required**
```javascript
import DOMPurify from 'dompurify';
// Sanitize HTML content
const clean = DOMPurify.sanitize(userHTML, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
ALLOWED_ATTR: []
});
```
**Step 4: Content Security Policy (CSP)**
```html
<!-- Add CSP header -->
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
```
---
## Advanced Configuration
This section contains detailed configuration options and tuning parameters.
### Example: SAST Tool Configuration
```yaml
# Advanced security scanner configuration
scanner:
# Severity threshold
severity_threshold: MEDIUM
# Rule configuration
rules:
enabled:
- sql-injection
- xss
- hardcoded-secrets
disabled:
- informational-only
# False positive reduction
confidence_threshold: HIGH
exclude_patterns:
- "*/test/*"
- "*/tests/*"
- "*/node_modules/*"
- "*.test.js"
- "*.spec.ts"
# Performance tuning
max_file_size_kb: 2048
timeout_seconds: 300
parallel_jobs: 4
# Output configuration
output_format: json
include_code_snippets: true
max_snippet_lines: 10
```
---
## Examples and Code Samples
This section provides comprehensive code examples for various scenarios.
### Example 1: Secure API Authentication
```python
# Secure API key handling
import os
from functools import wraps
from flask import Flask, request, jsonify
app = Flask(__name__)
# Load API key from environment (never hardcode)
VALID_API_KEY = os.environ.get('API_KEY')
if not VALID_API_KEY:
raise ValueError("API_KEY environment variable not set")
def require_api_key(f):
@wraps(f)
def decorated_function(*args, **kwargs):
api_key = request.headers.get('X-API-Key')
if not api_key:
return jsonify({'error': 'API key required'}), 401
# Constant-time comparison to prevent timing attacks
import hmac
if not hmac.compare_digest(api_key, VALID_API_KEY):
return jsonify({'error': 'Invalid API key'}), 403
return f(*args, **kwargs)
return decorated_function
@app.route('/api/secure-endpoint')
@require_api_key
def secure_endpoint():
return jsonify({'message': 'Access granted'})
```
### Example 2: Secure Password Hashing
```python
# Secure password storage with bcrypt
import bcrypt
def hash_password(password: str) -> str:
"""Hash a password using bcrypt."""
# Generate salt and hash password
salt = bcrypt.gensalt(rounds=12) # Cost factor: 12 (industry standard)
hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
return hashed.decode('utf-8')
def verify_password(password: str, hashed: str) -> bool:
"""Verify a password against a hash."""
return bcrypt.checkpw(
password.encode('utf-8'),
hashed.encode('utf-8')
)
# Usage
stored_hash = hash_password("user_password")
is_valid = verify_password("user_password", stored_hash) # True
```
### Example 3: Secure File Upload
```python
# Secure file upload with validation
import os
import magic
from werkzeug.utils import secure_filename
ALLOWED_EXTENSIONS = {'pdf', 'png', 'jpg', 'jpeg'}
ALLOWED_MIME_TYPES = {
'application/pdf',
'image/png',
'image/jpeg'
}
MAX_FILE_SIZE = 5 * 1024 * 1024 # 5 MB
def is_allowed_file(filename: str, file_content: bytes) -> bool:
"""Validate file extension and MIME type."""
# Check extension
if '.' not in filename:
return False
ext = filename.rsplit('.', 1)[1].lower()
if ext not in ALLOWED_EXTENSIONS:
return False
# Check MIME type (prevent extension spoofing)
mime = magic.from_buffer(file_content, mime=True)
if mime not in ALLOWED_MIME_TYPES:
return False
return True
def handle_upload(file):
"""Securely handle file upload."""
# Check file size
file.seek(0, os.SEEK_END)
size = file.tell()
file.seek(0)
if size > MAX_FILE_SIZE:
raise ValueError("File too large")
# Read content for validation
content = file.read()
file.seek(0)
# Validate file type
if not is_allowed_file(file.filename, content):
raise ValueError("Invalid file type")
# Sanitize filename
filename = secure_filename(file.filename)
# Generate unique filename to prevent overwrite attacks
import uuid
unique_filename = f"{uuid.uuid4()}_{filename}"
# Save to secure location (outside web root)
upload_path = os.path.join('/secure/uploads', unique_filename)
file.save(upload_path)
return unique_filename
```
---
## Best Practices for Reference Documents
1. **Start with "When to use"** - Help Claude know when to load this reference
2. **Include table of contents** - For documents >100 lines
3. **Use concrete examples** - Code samples with vulnerable and fixed versions
4. **Map to frameworks** - OWASP, CWE, MITRE ATT&CK for context
5. **Provide remediation** - Don't just identify issues, show how to fix them
6. **Organize logically** - Group related content, use clear headings
7. **Keep examples current** - Use modern patterns and current framework versions
8. **Be concise** - Even in references, challenge every sentence

253
skills/appsec/dast-nuclei/references/WORKFLOW_CHECKLIST.md Normal file
View File

@@ -0,0 +1,253 @@
# Workflow Checklist Template
This template demonstrates workflow patterns for security operations. Copy and adapt these checklists to your specific skill needs.
## Pattern 1: Sequential Workflow Checklist
Use this pattern for operations that must be completed in order, step-by-step.
### Security Assessment Workflow
Progress:
[ ] 1. Identify application entry points and attack surface
[ ] 2. Map authentication and authorization flows
[ ] 3. Identify data flows and sensitive data handling
[ ] 4. Review existing security controls
[ ] 5. Document findings with framework references (OWASP, CWE)
[ ] 6. Prioritize findings by severity (CVSS scores)
[ ] 7. Generate report with remediation recommendations
Work through each step systematically. Check off completed items.
---
## Pattern 2: Conditional Workflow
Use this pattern when the workflow branches based on findings or conditions.
### Vulnerability Remediation Workflow
1. Identify vulnerability type
- If SQL Injection → See [sql-injection-remediation.md](sql-injection-remediation.md)
- If XSS (Cross-Site Scripting) → See [xss-remediation.md](xss-remediation.md)
- If Authentication flaw → See [auth-remediation.md](auth-remediation.md)
- If Authorization flaw → See [authz-remediation.md](authz-remediation.md)
- If Cryptographic issue → See [crypto-remediation.md](crypto-remediation.md)
2. Assess severity using CVSS calculator
- If CVSS >= 9.0 → Priority: Critical (immediate action)
- If CVSS 7.0-8.9 → Priority: High (action within 24h)
- If CVSS 4.0-6.9 → Priority: Medium (action within 1 week)
- If CVSS < 4.0 → Priority: Low (action within 30 days)
3. Apply appropriate remediation pattern
4. Validate fix with security testing
5. Document changes and update security documentation
---
## Pattern 3: Iterative Workflow
Use this pattern for operations that repeat across multiple targets or items.
### Code Security Review Workflow
For each file in the review scope:
1. Identify security-sensitive operations (auth, data access, crypto, input handling)
2. Check against secure coding patterns for the language
3. Flag potential vulnerabilities with severity rating
4. Map findings to CWE and OWASP categories
5. Suggest specific remediation approaches
6. Document finding with code location and fix priority
Continue until all files in scope have been reviewed.
---
## Pattern 4: Feedback Loop Workflow
Use this pattern when validation and iteration are required.
### Secure Configuration Generation Workflow
1. Generate initial security configuration based on requirements
2. Run validation script: `./scripts/validate_config.py config.yaml`
3. Review validation output:
- Note all errors (must fix)
- Note all warnings (should fix)
- Note all info items (consider)
4. Fix identified issues in configuration
5. Repeat steps 2-4 until validation passes with zero errors
6. Review warnings and determine if they should be addressed
7. Apply configuration once validation is clean
**Validation Loop**: Run validator → Fix errors → Repeat until clean
---
## Pattern 5: Parallel Analysis Workflow
Use this pattern when multiple independent analyses can run concurrently.
### Comprehensive Security Scan Workflow
Run these scans in parallel:
**Static Analysis**:
[ ] 1a. Run SAST scan (Semgrep/Bandit)
[ ] 1b. Run dependency vulnerability scan (Safety/npm audit)
[ ] 1c. Run secrets detection (Gitleaks/TruffleHog)
[ ] 1d. Run license compliance check
**Dynamic Analysis**:
[ ] 2a. Run DAST scan (ZAP/Burp)
[ ] 2b. Run API security testing
[ ] 2c. Run authentication/authorization testing
**Infrastructure Analysis**:
[ ] 3a. Run infrastructure-as-code scan (Checkov/tfsec)
[ ] 3b. Run container image scan (Trivy/Grype)
[ ] 3c. Run configuration review
**Consolidation**:
[ ] 4. Aggregate all findings
[ ] 5. Deduplicate and correlate findings
[ ] 6. Prioritize by risk (CVSS + exploitability + business impact)
[ ] 7. Generate unified security report
---
## Pattern 6: Research and Documentation Workflow
Use this pattern for security research and documentation tasks.
### Threat Modeling Workflow
Research Progress:
[ ] 1. Identify system components and boundaries
[ ] 2. Map data flows between components
[ ] 3. Identify trust boundaries
[ ] 4. Enumerate assets (data, services, credentials)
[ ] 5. Apply STRIDE framework to each component:
- Spoofing threats
- Tampering threats
- Repudiation threats
- Information disclosure threats
- Denial of service threats
- Elevation of privilege threats
[ ] 6. Map threats to MITRE ATT&CK techniques
[ ] 7. Identify existing mitigations
[ ] 8. Document residual risks
[ ] 9. Recommend additional security controls
[ ] 10. Generate threat model document
Work through each step systematically. Check off completed items.
---
## Pattern 7: Compliance Validation Workflow
Use this pattern for compliance checks against security standards.
### Security Compliance Audit Workflow
**SOC 2 Controls Review**:
[ ] 1. Review access control policies (CC6.1, CC6.2, CC6.3)
[ ] 2. Verify logical access controls implementation (CC6.1)
[ ] 3. Review authentication mechanisms (CC6.1)
[ ] 4. Verify encryption implementation (CC6.1, CC6.7)
[ ] 5. Review audit logging configuration (CC7.2)
[ ] 6. Verify security monitoring (CC7.2, CC7.3)
[ ] 7. Review incident response procedures (CC7.3, CC7.4)
[ ] 8. Verify backup and recovery processes (A1.2, A1.3)
**Evidence Collection**:
[ ] 9. Collect policy documents
[ ] 10. Collect configuration screenshots
[ ] 11. Collect audit logs
[ ] 12. Document control gaps
[ ] 13. Generate compliance report
---
## Pattern 8: Incident Response Workflow
Use this pattern for security incident handling.
### Security Incident Response Workflow
**Detection and Analysis**:
[ ] 1. Confirm security incident (rule out false positive)
[ ] 2. Determine incident severity (SEV1/2/3/4)
[ ] 3. Identify affected systems and data
[ ] 4. Preserve evidence (logs, memory dumps, network captures)
**Containment**:
[ ] 5. Isolate affected systems (network segmentation)
[ ] 6. Disable compromised accounts
[ ] 7. Block malicious indicators (IPs, domains, hashes)
[ ] 8. Implement temporary compensating controls
**Eradication**:
[ ] 9. Identify root cause
[ ] 10. Remove malicious artifacts (malware, backdoors, webshells)
[ ] 11. Patch vulnerabilities exploited
[ ] 12. Reset compromised credentials
**Recovery**:
[ ] 13. Restore systems from clean backups (if needed)
[ ] 14. Re-enable systems with monitoring
[ ] 15. Verify system integrity
[ ] 16. Resume normal operations
**Post-Incident**:
[ ] 17. Document incident timeline
[ ] 18. Identify lessons learned
[ ] 19. Update security controls to prevent recurrence
[ ] 20. Update incident response procedures
[ ] 21. Communicate with stakeholders
---
## Usage Guidelines
### When to Use Workflow Checklists
**Use checklists for**:
- Complex multi-step operations
- Operations requiring specific order
- Security assessments and audits
- Incident response procedures
- Compliance validation tasks
**Don't use checklists for**:
- Simple single-step operations
- Highly dynamic exploratory work
- Operations that vary significantly each time
### Adapting This Template
1. **Copy relevant pattern** to your skill's SKILL.md or create new reference file
2. **Customize steps** to match your specific security tool or process
3. **Add framework references** (OWASP, CWE, NIST) where applicable
4. **Include tool-specific commands** for automation
5. **Add decision points** where manual judgment is required
### Checklist Best Practices
- **Be specific**: "Run semgrep --config=auto ." not "Scan the code"
- **Include success criteria**: "Validation passes with 0 errors"
- **Reference standards**: Link to OWASP, CWE, NIST where relevant
- **Show progress**: Checkbox format helps track completion
- **Provide escape hatches**: "If validation fails, see troubleshooting.md"
### Integration with Feedback Loops
Combine checklists with validation scripts for maximum effectiveness:
1. Create checklist for the workflow
2. Provide validation script that checks quality
3. Include "run validator" step in checklist
4. Loop: Complete step → Validate → Fix issues → Re-validate
This pattern dramatically improves output quality through systematic validation.

489
skills/appsec/dast-nuclei/references/authentication_patterns.md Normal file
View File

@@ -0,0 +1,489 @@
# Nuclei Authentication Patterns
## Table of Contents
- [Bearer Token Authentication](#bearer-token-authentication)
- [Cookie-Based Authentication](#cookie-based-authentication)
- [API Key Authentication](#api-key-authentication)
- [OAuth 2.0 Authentication](#oauth-20-authentication)
- [Custom Authentication Scripts](#custom-authentication-scripts)
- [Multi-Factor Authentication](#multi-factor-authentication)
## Bearer Token Authentication
### Basic Bearer Token
```bash
# Using header flag
nuclei -u https://api.target.com \
-header "Authorization: Bearer $AUTH_TOKEN" \
-severity critical,high
# Using environment variable
export AUTH_TOKEN="your-token-here"
nuclei -u https://api.target.com \
-header "Authorization: Bearer $AUTH_TOKEN"
```
### JWT Token with Refresh
```bash
# Initial authentication to get token
TOKEN=$(curl -X POST https://api.target.com/auth/login \
-d '{"username":"test","password":"test"}' \
-H "Content-Type: application/json" | jq -r '.access_token')
# Scan with token
nuclei -u https://api.target.com \
-header "Authorization: Bearer $TOKEN" \
-tags api,cve
# Refresh token if needed
REFRESH_TOKEN=$(curl -X POST https://api.target.com/auth/refresh \
-H "Authorization: Bearer $TOKEN" | jq -r '.access_token')
```
## Cookie-Based Authentication
### Session Cookie Authentication
```bash
# Login and extract session cookie
curl -c cookies.txt -X POST https://target-app.com/login \
-d "username=testuser&password=testpass"
# Extract cookie value
SESSION=$(grep session cookies.txt | awk '{print $7}')
# Scan with session cookie
nuclei -u https://target-app.com \
-header "Cookie: session=$SESSION" \
-severity critical,high
```
### Multiple Cookies
```bash
# Multiple cookies can be specified
nuclei -u https://target-app.com \
-header "Cookie: session=$SESSION; user_id=$USER_ID; csrf_token=$CSRF" \
-tags cve,owasp
```
## API Key Authentication
### Header-Based API Key
```bash
# API key in header
nuclei -u https://api.target.com \
-header "X-API-Key: $API_KEY" \
-tags api,exposure
# Multiple API authentication headers
nuclei -u https://api.target.com \
-header "X-API-Key: $API_KEY" \
-header "X-Client-ID: $CLIENT_ID" \
-tags api
```
### Query Parameter API Key
Create custom template for query parameter auth:
```yaml
id: api-scan-with-query-auth
info:
name: API Scan with Query Parameter Auth
author: security-team
severity: info
http:
- method: GET
path:
- "{{BaseURL}}/api/endpoint?api_key={{api_key}}"
payloads:
api_key:
- "{{env('API_KEY')}}"
```
## OAuth 2.0 Authentication
### Client Credentials Flow
```bash
# Get access token
ACCESS_TOKEN=$(curl -X POST https://auth.target.com/oauth/token \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
-H "Content-Type: application/x-www-form-urlencoded" | jq -r '.access_token')
# Scan with OAuth token
nuclei -u https://api.target.com \
-header "Authorization: Bearer $ACCESS_TOKEN" \
-tags api,cve
```
### Authorization Code Flow
```bash
# Step 1: Manual authorization to get code
# Navigate to: https://auth.target.com/oauth/authorize?client_id=$CLIENT_ID&redirect_uri=$REDIRECT_URI&response_type=code
# Step 2: Exchange code for token
AUTH_CODE="received-from-redirect"
ACCESS_TOKEN=$(curl -X POST https://auth.target.com/oauth/token \
-d "grant_type=authorization_code" \
-d "code=$AUTH_CODE" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
-d "redirect_uri=$REDIRECT_URI" | jq -r '.access_token')
# Step 3: Scan
nuclei -u https://api.target.com \
-header "Authorization: Bearer $ACCESS_TOKEN"
```
### OAuth Token Refresh
```bash
#!/bin/bash
# oauth_refresh_scan.sh
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"
REFRESH_TOKEN="your-refresh-token"
# Function to get fresh access token
get_access_token() {
curl -s -X POST https://auth.target.com/oauth/token \
-d "grant_type=refresh_token" \
-d "refresh_token=$REFRESH_TOKEN" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" | jq -r '.access_token'
}
# Get token and scan
ACCESS_TOKEN=$(get_access_token)
nuclei -u https://api.target.com \
-header "Authorization: Bearer $ACCESS_TOKEN" \
-tags api,cve,owasp
```
## Custom Authentication Scripts
### Form-Based Login Script
```python
#!/usr/bin/env python3
import requests
import subprocess
import sys
def login_and_get_session():
"""Login and return session cookie"""
session = requests.Session()
# Perform login
login_data = {
"username": "testuser",
"password": "testpassword"
}
response = session.post(
"https://target-app.com/login",
data=login_data
)
if response.status_code != 200:
print(f"Login failed: {response.status_code}", file=sys.stderr)
sys.exit(1)
# Extract session cookie
session_cookie = session.cookies.get("session")
return session_cookie
def run_nuclei_scan(session_cookie, target_url):
"""Run Nuclei with authenticated session"""
cmd = [
"nuclei",
"-u", target_url,
"-header", f"Cookie: session={session_cookie}",
"-severity", "critical,high",
"-tags", "cve,owasp"
]
result = subprocess.run(cmd)
return result.returncode
if __name__ == "__main__":
target = sys.argv[1] if len(sys.argv) > 1 else "https://target-app.com"
print("Authenticating...")
session = login_and_get_session()
print("Running Nuclei scan...")
exit_code = run_nuclei_scan(session, target)
sys.exit(exit_code)
```
### SAML Authentication
```python
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
import subprocess
def saml_login(idp_url, username, password):
"""Perform SAML authentication flow"""
session = requests.Session()
# Step 1: Get SAML request from SP
sp_response = session.get("https://target-app.com/saml/login")
# Step 2: Submit credentials to IdP
soup = BeautifulSoup(sp_response.text, 'html.parser')
saml_request = soup.find('input', {'name': 'SAMLRequest'})['value']
idp_login = session.post(
idp_url,
data={
'username': username,
'password': password,
'SAMLRequest': saml_request
}
)
# Step 3: Submit SAML response back to SP
soup = BeautifulSoup(idp_login.text, 'html.parser')
saml_response = soup.find('input', {'name': 'SAMLResponse'})['value']
sp_acs = session.post(
"https://target-app.com/saml/acs",
data={'SAMLResponse': saml_response}
)
# Return session cookie
return session.cookies.get_dict()
# Use in Nuclei scan
cookies = saml_login(
"https://idp.example.com/saml/login",
"testuser",
"testpass"
)
cookie_header = "; ".join([f"{k}={v}" for k, v in cookies.items()])
subprocess.run([
"nuclei",
"-u", "https://target-app.com",
"-header", f"Cookie: {cookie_header}",
"-severity", "critical,high"
])
```
## Multi-Factor Authentication
### TOTP-Based MFA
```python
#!/usr/bin/env python3
import pyotp
import requests
import subprocess
def login_with_mfa(username, password, totp_secret):
"""Login with username, password, and TOTP"""
session = requests.Session()
# Step 1: Submit username and password
login_response = session.post(
"https://target-app.com/login",
data={
"username": username,
"password": password
}
)
# Step 2: Generate and submit TOTP code
totp = pyotp.TOTP(totp_secret)
mfa_code = totp.now()
mfa_response = session.post(
"https://target-app.com/mfa/verify",
data={"code": mfa_code}
)
if mfa_response.status_code != 200:
raise Exception("MFA verification failed")
return session.cookies.get("session")
# Use in scan
session_cookie = login_with_mfa(
"testuser",
"testpass",
"JBSWY3DPEHPK3PXP" # TOTP secret
)
subprocess.run([
"nuclei",
"-u", "https://target-app.com",
"-header", f"Cookie: session={session_cookie}",
"-tags", "cve,owasp"
])
```
### SMS/Email MFA (Manual Intervention)
```bash
#!/bin/bash
# mfa_manual_scan.sh
echo "Step 1: Performing initial login..."
curl -c cookies.txt -X POST https://target-app.com/login \
-d "username=testuser&password=testpass"
echo "Step 2: MFA code sent. Please check your email/SMS."
read -p "Enter MFA code: " MFA_CODE
echo "Step 3: Submitting MFA code..."
curl -b cookies.txt -c cookies.txt -X POST https://target-app.com/mfa/verify \
-d "code=$MFA_CODE"
echo "Step 4: Running Nuclei scan with authenticated session..."
SESSION=$(grep session cookies.txt | awk '{print $7}')
nuclei -u https://target-app.com \
-header "Cookie: session=$SESSION" \
-severity critical,high \
-tags cve,owasp
echo "Scan complete!"
```
## Advanced Patterns
### Dynamic Token Rotation
```bash
#!/bin/bash
# token_rotation_scan.sh
TARGET_URL="https://api.target.com"
AUTH_ENDPOINT="https://auth.target.com/token"
CLIENT_ID="client-id"
CLIENT_SECRET="client-secret"
# Function to get new token
refresh_token() {
curl -s -X POST $AUTH_ENDPOINT \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" | jq -r '.access_token'
}
# Get initial token
TOKEN=$(refresh_token)
# Scan critical templates
nuclei -u $TARGET_URL \
-header "Authorization: Bearer $TOKEN" \
-severity critical \
-tags cve
# Refresh token for next batch
TOKEN=$(refresh_token)
# Scan high severity templates
nuclei -u $TARGET_URL \
-header "Authorization: Bearer $TOKEN" \
-severity high \
-tags owasp
```
### Authenticated Multi-Target Scanning
```bash
#!/bin/bash
# multi_target_auth_scan.sh
# Read targets from file
TARGETS_FILE="targets.txt"
AUTH_TOKEN="your-auth-token"
while IFS= read -r target; do
echo "Scanning: $target"
nuclei -u "$target" \
-header "Authorization: Bearer $AUTH_TOKEN" \
-severity critical,high \
-o "results/$(echo $target | sed 's|https://||' | sed 's|/|_|g').txt"
sleep 5 # Rate limiting between targets
done < "$TARGETS_FILE"
echo "All scans complete!"
```
## Best Practices
1. **Never Hardcode Credentials**: Use environment variables or secrets management
2. **Rotate Tokens**: Refresh authentication tokens for long-running scans
3. **Session Validation**: Verify session is still valid before scanning
4. **Rate Limiting**: Respect rate limits when authenticated (often higher quotas)
5. **Scope Validation**: Ensure authenticated access doesn't expand out of scope
6. **Audit Logging**: Log all authenticated scan activities
7. **Token Expiry**: Handle token expiration gracefully with refresh
8. **Least Privilege**: Use accounts with minimum necessary privileges for testing
## Troubleshooting
### Token Expired During Scan
```bash
# Add token refresh logic
nuclei -u https://api.target.com \
-header "Authorization: Bearer $TOKEN" \
-severity critical || {
echo "Scan failed, refreshing token..."
TOKEN=$(refresh_token)
nuclei -u https://api.target.com \
-header "Authorization: Bearer $TOKEN" \
-severity critical
}
```
### Session Cookie Not Working
```bash
# Debug session cookie
curl -v https://target-app.com/protected-page \
-H "Cookie: session=$SESSION"
# Check cookie expiration
echo $SESSION | base64 -d | jq '.exp'
# Re-authenticate if expired
SESSION=$(re_authenticate)
```
### Multiple Authentication Methods
```bash
# Some APIs require multiple auth headers
nuclei -u https://api.target.com \
-header "Authorization: Bearer $TOKEN" \
-header "X-API-Key: $API_KEY" \
-header "X-Client-ID: $CLIENT_ID" \
-tags api
```
## Resources
- [OAuth 2.0 RFC](https://oauth.net/2/)
- [JWT.io](https://jwt.io/)
- [SAML 2.0](http://saml.xml.org/)
- [Nuclei Authentication Docs](https://docs.projectdiscovery.io/)

491
skills/appsec/dast-nuclei/references/false_positive_guide.md Normal file
View File

@@ -0,0 +1,491 @@
# Nuclei False Positive Handling Guide
## Table of Contents
- [Understanding False Positives](#understanding-false-positives)
- [Common False Positive Scenarios](#common-false-positive-scenarios)
- [Verification Techniques](#verification-techniques)
- [Template Filtering Strategies](#template-filtering-strategies)
- [Custom Template Refinement](#custom-template-refinement)
## Understanding False Positives
False positives occur when Nuclei reports a finding that doesn't represent an actual security vulnerability in the context of your application.
### Types of False Positives
1. **Context-Specific**: Finding is valid in general but not applicable to your application
2. **Version-Specific**: CVE template triggers but your version is patched
3. **Configuration-Based**: Security control exists but Nuclei can't detect it
4. **Pattern Matching Errors**: Regex/word matchers trigger on benign content
## Common False Positive Scenarios
### 1. Missing Security Headers (Info/Low Severity)
**Finding**: Missing `X-Frame-Options`, `Content-Security-Policy`
**False Positive When**:
- Headers set at CDN/WAF level (not visible to scanner)
- Application is not intended for browser rendering (pure API)
- Modern browsers already protect against clickjacking
**Verification**:
```bash
# Check headers from actual browser
curl -I https://target-app.com
curl -I https://target-app.com -H "User-Agent: Mozilla/5.0"
# Check if CDN adds headers
curl -I https://target-app.com -v 2>&1 | grep -i "x-frame-options\|content-security"
```
**Filter Strategy**:
```bash
# Exclude header-related info findings
nuclei -u https://target-app.com -etags headers -severity critical,high
```
### 2. Directory Listing / Exposed Paths
**Finding**: Directory listing enabled, exposed paths like `/admin`, `/backup`
**False Positive When**:
- Path requires authentication (Nuclei tested unauthenticated)
- Path is intentionally public (documentation, public assets)
- CDN/WAF blocks access (returns 200 with error page)
**Verification**:
```bash
# Manual verification with authentication
curl https://target-app.com/admin \
-H "Authorization: Bearer $TOKEN" \
-H "Cookie: session=$SESSION"
# Check actual response content
curl https://target-app.com/backup | head -20
```
**Filter Strategy**:
```bash
# Exclude exposure templates for authenticated scans
nuclei -u https://target-app.com \
-header "Authorization: Bearer $TOKEN" \
-etags exposure
```
### 3. CVE Templates Against Patched Versions
**Finding**: CVE-2024-XXXXX detected
**False Positive When**:
- Application version is patched but template matches on generic patterns
- Backported patches applied without version number change
- Template uses loose detection criteria
**Verification**:
```bash
# Check actual version
curl https://target-app.com/version
curl https://target-app.com -v 2>&1 | grep -i "server:"
# Cross-reference with CVE details
# Check if version is vulnerable per NVD/vendor advisory
```
**Filter Strategy**:
```bash
# Scan only recent CVEs
nuclei -u https://target-app.com \
-tags cve \
-template-condition "contains(id, 'CVE-2024') || contains(id, 'CVE-2023')"
# Exclude specific false positive templates
nuclei -u https://target-app.com \
-exclude-id CVE-2018-12345,CVE-2019-67890
```
### 4. Technology Detection False Positives
**Finding**: WordPress, Drupal, or other CMS detected
**False Positive When**:
- Generic strings match (like "wp-" in custom code)
- Legacy migration artifacts remain
- Application mimics CMS structure but isn't actually that CMS
**Verification**:
```bash
# Check for actual CMS files
curl https://target-app.com/wp-admin/
curl https://target-app.com/wp-includes/
curl https://target-app.com/readme.html
# Technology fingerprinting
whatweb https://target-app.com
wappalyzer https://target-app.com
```
**Filter Strategy**:
```bash
# Exclude tech detection templates
nuclei -u https://target-app.com -etags tech
```
### 5. Default Login Pages
**Finding**: Admin panel or login page detected
**False Positive When**:
- Panel is legitimate and intended to be accessible
- Panel requires MFA even if default credentials work
- Detection based on title/strings only without credential testing
**Verification**:
```bash
# Test if default credentials actually work
curl -X POST https://target-app.com/login \
-d "username=admin&password=admin" \
-v
# Check if MFA is required
curl -X POST https://target-app.com/login \
-d "username=admin&password=admin" \
-c cookies.txt
curl https://target-app.com/dashboard \
-b cookies.txt
```
**Filter Strategy**:
```bash
# Scan with authentication to skip login detection
nuclei -u https://target-app.com \
-header "Authorization: Bearer $TOKEN" \
-etags default-logins,exposed-panels
```
### 6. API Endpoints Reporting Errors
**Finding**: SQL errors, stack traces, or verbose errors detected
**False Positive When**:
- Errors are intentional validation messages
- Stack traces only shown in dev/staging (not production)
- API returns structured error JSON (not actual stack trace)
**Verification**:
```bash
# Check actual error response
curl https://api.target.com/endpoint?id=invalid -v
# Verify it's not SQL error but validation error
curl https://api.target.com/endpoint?id=' OR '1'='1 -v
```
### 7. CORS Misconfiguration
**Finding**: `Access-Control-Allow-Origin: *`
**False Positive When**:
- Intentional for public APIs
- Only applies to non-sensitive endpoints
- Additional CORS headers restrict actual access
**Verification**:
```bash
# Check if sensitive endpoints have CORS
curl https://api.target.com/public/data \
-H "Origin: https://evil.com" -v
curl https://api.target.com/private/users \
-H "Origin: https://evil.com" \
-H "Authorization: Bearer $TOKEN" -v
```
## Verification Techniques
### Manual Verification Checklist
For each critical/high severity finding:
1. **Reproduce the finding**:
```bash
# Use exact URL and parameters from Nuclei output
curl "https://target-app.com/vulnerable-path" -v
```
2. **Check authentication context**:
```bash
# Test with authentication
curl "https://target-app.com/vulnerable-path" \
-H "Authorization: Bearer $TOKEN" -v
```
3. **Verify exploitability**:
- Can you actually exploit the vulnerability?
- Is there a working PoC?
- What's the actual impact?
4. **Check mitigating controls**:
- WAF rules blocking exploitation
- Network segmentation limiting access
- Monitoring and alerting in place
5. **Consult security team**:
- Discuss edge cases with security engineers
- Review against threat model
### Automated Verification Script
Use bundled script to batch verify findings:
```bash
python3 scripts/verify_findings.py \
--input nuclei-results.jsonl \
--auth-token $AUTH_TOKEN \
--output verified-findings.jsonl
```
## Template Filtering Strategies
### Strategy 1: Severity-Based Filtering
Focus on high-impact findings:
```bash
# Critical and high only
nuclei -u https://target-app.com -severity critical,high
# Exclude info findings
nuclei -u https://target-app.com -exclude-severity info
```
### Strategy 2: Tag-Based Filtering
Filter by vulnerability type:
```bash
# Only CVEs and OWASP vulnerabilities
nuclei -u https://target-app.com -tags cve,owasp
# Exclude informational tags
nuclei -u https://target-app.com -etags tech,info,headers
```
### Strategy 3: Template Exclusion
Exclude known false positive templates:
```bash
# Exclude specific templates
nuclei -u https://target-app.com \
-exclude-id CVE-2018-12345,generic-login-panel
# Exclude template directories
nuclei -u https://target-app.com \
-exclude-templates nuclei-templates/http/misconfiguration/
```
### Strategy 4: Custom Template Allowlist
Use only verified templates:
```bash
# Scan with curated template set
nuclei -u https://target-app.com \
-t custom-templates/verified/ \
-t nuclei-templates/http/cves/2024/
```
### Strategy 5: Conditional Template Execution
Use template conditions:
```bash
# Only recent critical CVEs
nuclei -u https://target-app.com \
-tags cve \
-severity critical \
-template-condition "contains(id, 'CVE-2024')"
```
## Custom Template Refinement
### Improving Matcher Accuracy
**Before (High False Positives)**:
```yaml
matchers:
- type: word
words:
- "admin"
```
**After (Lower False Positives)**:
```yaml
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "admin"
- "dashboard"
- "login"
condition: and
- type: regex
regex:
- '<title>[^<]*admin[^<]*panel[^<]*</title>'
case-insensitive: true
```
### Adding Negative Matchers
Exclude known false positive patterns:
```yaml
matchers:
- type: word
words:
- "SQL syntax error"
# Negative matcher - must NOT match
- type: word
negative: true
words:
- "validation error"
- "input error"
```
### Version-Specific Matching
Match specific vulnerable versions:
```yaml
matchers-condition: and
matchers:
- type: regex
regex:
- 'WordPress/([0-5]\.[0-9]\.[0-9])' # Versions < 6.0.0
- type: word
words:
- "wp-admin"
```
### Confidence-Based Classification
Add confidence levels to findings:
```yaml
info:
metadata:
confidence: high # low, medium, high
matchers-condition: and # More matchers = higher confidence
matchers:
- type: status
status: [200]
- type: word
words: ["vulnerable_signature_1", "vulnerable_signature_2"]
condition: and
- type: regex
regex: ['specific[_-]pattern']
```
## False Positive Tracking
### Document Known False Positives
Create suppression file:
```yaml
# false-positives.yaml
suppressions:
- template: CVE-2018-12345
reason: "Application version is patched (backport applied)"
verified_by: security-team
verified_date: 2024-11-20
- template: exposed-admin-panel
urls:
- https://target-app.com/admin
reason: "Admin panel requires MFA and IP allowlist"
verified_by: security-team
verified_date: 2024-11-20
- template: missing-csp-header
reason: "CSP header added at CDN level (Cloudflare)"
verified_by: devops-team
verified_date: 2024-11-20
```
### Use Suppression in Scans
```bash
# Filter out documented false positives
python3 scripts/filter_suppressions.py \
--scan-results nuclei-results.jsonl \
--suppressions false-positives.yaml \
--output filtered-results.jsonl
```
## Best Practices
1. **Always Verify Critical Findings Manually**: Don't trust automated tools blindly
2. **Context Matters**: What's vulnerable in one app may be safe in another
3. **Track False Positives**: Document and share with team
4. **Refine Templates**: Improve matcher accuracy over time
5. **Use Multiple Tools**: Cross-verify with other scanners (ZAP, Burp, etc.)
6. **Severity Calibration**: Adjust severity based on your environment
7. **Regular Template Updates**: Keep templates current to reduce false positives
8. **Authenticated Scanning**: Many false positives occur in unauthenticated scans
## Tools and Resources
### Verification Tools
```bash
# cURL for manual verification
curl -v https://target-app.com/endpoint
# httpie (user-friendly HTTP client)
http https://target-app.com/endpoint
# Burp Suite for manual testing
# ZAP for cross-verification
```
### Analysis Scripts
Use bundled scripts:
```bash
# Compare findings across scans
python3 scripts/compare_scans.py \
--baseline scan1.jsonl \
--current scan2.jsonl
# Filter findings by confidence
python3 scripts/filter_by_confidence.py \
--input scan-results.jsonl \
--min-confidence high \
--output high-confidence.jsonl
```
## Conclusion
False positives are inevitable in automated security scanning. The key is to:
- Understand WHY false positives occur
- Develop systematic verification processes
- Refine templates and filters over time
- Document and track false positives for future reference
- Balance automation with manual verification
A good rule of thumb: **Spend time refining your scanning approach to maximize signal-to-noise ratio**.

245
skills/appsec/dast-nuclei/references/owasp_mapping.md Normal file
View File

@@ -0,0 +1,245 @@
# OWASP Top 10 2021 Mapping for Nuclei Findings
## Table of Contents
- [A01:2021 - Broken Access Control](#a012021---broken-access-control)
- [A02:2021 - Cryptographic Failures](#a022021---cryptographic-failures)
- [A03:2021 - Injection](#a032021---injection)
- [A04:2021 - Insecure Design](#a042021---insecure-design)
- [A05:2021 - Security Misconfiguration](#a052021---security-misconfiguration)
- [A06:2021 - Vulnerable and Outdated Components](#a062021---vulnerable-and-outdated-components)
- [A07:2021 - Identification and Authentication Failures](#a072021---identification-and-authentication-failures)
- [A08:2021 - Software and Data Integrity Failures](#a082021---software-and-data-integrity-failures)
- [A09:2021 - Security Logging and Monitoring Failures](#a092021---security-logging-and-monitoring-failures)
- [A10:2021 - Server-Side Request Forgery (SSRF)](#a102021---server-side-request-forgery-ssrf)
## A01:2021 - Broken Access Control
### Nuclei Template Tags
- `exposure` - Exposed sensitive files and directories
- `idor` - Insecure Direct Object References
- `auth-bypass` - Authentication bypass vulnerabilities
- `privilege-escalation` - Privilege escalation issues
### Common Findings
- **Exposed Admin Panels**: `/admin`, `/administrator`, `/wp-admin` accessible without authentication
- **Directory Listing**: Open directory listings exposing sensitive files
- **Backup Files Exposed**: `.bak`, `.sql`, `.zip` files publicly accessible
- **Git/SVN Exposure**: `.git`, `.svn` directories exposed
- **API Access Control**: Missing authorization checks on API endpoints
### Remediation Priority
**Critical** - Immediate action required for exposed admin panels and authentication bypasses
## A02:2021 - Cryptographic Failures
### Nuclei Template Tags
- `ssl` - SSL/TLS configuration issues
- `weak-crypto` - Weak cryptographic implementations
- `exposed-keys` - Exposed cryptographic keys
### Common Findings
- **Weak TLS Versions**: TLS 1.0, TLS 1.1 still enabled
- **Weak Cipher Suites**: RC4, DES, 3DES in use
- **Missing HSTS**: HTTP Strict Transport Security not configured
- **Self-Signed Certificates**: Invalid or self-signed SSL certificates
- **Exposed Private Keys**: Private keys in public repositories or directories
### Remediation Priority
**High** - Update to TLS 1.2+ and modern cipher suites
## A03:2021 - Injection
### Nuclei Template Tags
- `sqli` - SQL Injection
- `xss` - Cross-Site Scripting
- `xxe` - XML External Entity
- `ssti` - Server-Side Template Injection
- `nosqli` - NoSQL Injection
- `cmdi` - Command Injection
### Common Findings
- **SQL Injection**: User input reflected in database queries
- **Cross-Site Scripting (XSS)**: Reflected, Stored, and DOM-based XSS
- **Command Injection**: OS command execution via user input
- **LDAP Injection**: LDAP query manipulation
- **Template Injection**: Server-side template injection in Jinja2, Twig, etc.
### Remediation Priority
**Critical** - SQL Injection and Command Injection require immediate remediation
## A04:2021 - Insecure Design
### Nuclei Template Tags
- `logic` - Business logic flaws
- `workflow` - Workflow bypass vulnerabilities
### Common Findings
- **Rate Limiting Bypass**: Missing rate limiting on authentication endpoints
- **Workflow Bypass**: Steps in business processes can be skipped
- **Insufficient Resource Allocation**: No limits on resource consumption
- **Unvalidated Redirects**: Open redirect vulnerabilities
### Remediation Priority
**Medium to High** - Depends on business impact and exploitability
## A05:2021 - Security Misconfiguration
### Nuclei Template Tags
- `misconfig` - Generic misconfigurations
- `headers` - Missing security headers
- `cors` - CORS misconfigurations
- `debug` - Debug modes enabled in production
### Common Findings
- **Missing Security Headers**:
- `Content-Security-Policy`
- `X-Frame-Options`
- `X-Content-Type-Options`
- `Strict-Transport-Security`
- **CORS Misconfiguration**: `Access-Control-Allow-Origin: *`
- **Debug Mode Enabled**: Stack traces, verbose errors in production
- **Default Configurations**: Unchanged default credentials and settings
- **Directory Indexing**: Apache/Nginx directory listing enabled
### Remediation Priority
**Medium** - Apply hardening configurations and remove debug modes
## A06:2021 - Vulnerable and Outdated Components
### Nuclei Template Tags
- `cve` - Known CVE vulnerabilities
- `eol` - End-of-life software
- `outdated` - Outdated software versions
### Common Findings
- **Known CVEs**: Outdated libraries with public CVEs (Log4Shell, Spring4Shell, etc.)
- **End-of-Life Software**: Unsupported versions of frameworks and libraries
- **Vulnerable JavaScript Libraries**: jQuery, Angular, React with known vulnerabilities
- **CMS Vulnerabilities**: WordPress, Drupal, Joomla plugin vulnerabilities
### Remediation Priority
**Critical to High** - Patch immediately based on CVSS score and exploitability
### Example CVE Mappings
```
CVE-2021-44228 (Log4Shell) → Critical → A06
CVE-2022-22965 (Spring4Shell) → Critical → A06
CVE-2017-5638 (Struts2 RCE) → Critical → A06
CVE-2021-26855 (Exchange ProxyLogon) → Critical → A06
```
## A07:2021 - Identification and Authentication Failures
### Nuclei Template Tags
- `auth` - Authentication issues
- `jwt` - JWT vulnerabilities
- `oauth` - OAuth misconfigurations
- `default-logins` - Default credentials
- `session` - Session management issues
### Common Findings
- **Default Credentials**: Admin/admin, root/root, default passwords
- **Weak Password Policies**: No complexity requirements
- **Session Fixation**: Session tokens not regenerated after login
- **JWT Vulnerabilities**: `alg=none` bypass, weak signing keys
- **Missing MFA**: No multi-factor authentication for privileged accounts
- **Predictable Session IDs**: Sequential or easily guessable tokens
### Remediation Priority
**High** - Change default credentials immediately, enforce strong password policies
## A08:2021 - Software and Data Integrity Failures
### Nuclei Template Tags
- `rce` - Remote Code Execution
- `deserialization` - Insecure deserialization
- `integrity` - Integrity check failures
### Common Findings
- **Insecure Deserialization**: Unsafe object deserialization in Java, Python, PHP
- **Unsigned Updates**: Software updates without signature verification
- **CI/CD Pipeline Compromise**: Insufficient pipeline security controls
- **Dependency Confusion**: Private packages replaced by public malicious packages
### Remediation Priority
**Critical** - Insecure deserialization leading to RCE requires immediate action
## A09:2021 - Security Logging and Monitoring Failures
### Nuclei Template Tags
- `logging` - Logging issues
- `monitoring` - Monitoring gaps
### Common Findings
- **Missing Audit Logs**: Authentication failures, access control violations not logged
- **Insufficient Log Retention**: Logs deleted too quickly for forensic analysis
- **No Alerting**: No real-time alerts for suspicious activities
- **Log Injection**: User input reflected in logs without sanitization
### Remediation Priority
**Low to Medium** - Improve logging and monitoring infrastructure
## A10:2021 - Server-Side Request Forgery (SSRF)
### Nuclei Template Tags
- `ssrf` - SSRF vulnerabilities
- `redirect` - Open redirect issues
### Common Findings
- **SSRF via URL Parameters**: User-controlled URLs fetched by server
- **Cloud Metadata Access**: SSRF accessing AWS/GCP/Azure metadata endpoints
- **Internal Port Scanning**: SSRF used to scan internal networks
- **Webhook Vulnerabilities**: SSRF via webhook URLs
### Remediation Priority
**High to Critical** - Especially if cloud metadata or internal services accessible
## Severity Mapping Guide
Use this table to map Nuclei severity levels to OWASP categories:
| Nuclei Severity | OWASP Priority | Action Required |
|-----------------|----------------|-----------------|
| **Critical** | P0 - Immediate | Patch within 24 hours |
| **High** | P1 - Urgent | Patch within 7 days |
| **Medium** | P2 - Important | Patch within 30 days |
| **Low** | P3 - Normal | Patch in next release cycle |
| **Info** | P4 - Informational | Document and track |
## Integration with Security Workflows
### Finding Triage Process
1. **Critical/High Findings**: Assign to security team immediately
2. **Verify Exploitability**: Confirm with manual testing
3. **Map to OWASP**: Use this guide to categorize findings
4. **Assign Remediation Owner**: Development team or infrastructure team
5. **Track in JIRA/GitHub**: Create tickets with OWASP category labels
6. **Re-scan After Fix**: Verify vulnerability is resolved
### Reporting Template
```markdown
## Security Finding: [Nuclei Template ID]
**OWASP Category**: A03:2021 - Injection
**Severity**: Critical
**CWE**: CWE-89 (SQL Injection)
**CVE**: CVE-2024-XXXXX (if applicable)
### Description
[Description from Nuclei output]
### Affected URLs
- https://target-app.com/api/users?id=1
### Remediation
Use parameterized queries instead of string concatenation.
### References
- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
```
## Additional Resources
- [OWASP Top 10 2021](https://owasp.org/Top10/)
- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
- [Nuclei Templates Repository](https://github.com/projectdiscovery/nuclei-templates)

637
skills/appsec/dast-nuclei/references/template_development.md Normal file
View File

@@ -0,0 +1,637 @@
# Nuclei Template Development Guide
## Table of Contents
- [Template Structure](#template-structure)
- [Template Types](#template-types)
- [Matchers and Extractors](#matchers-and-extractors)
- [Advanced Techniques](#advanced-techniques)
- [Testing and Validation](#testing-and-validation)
- [Best Practices](#best-practices)
## Template Structure
### Basic Template Anatomy
```yaml
id: unique-template-id
info:
name: Human-readable template name
author: your-name
severity: critical|high|medium|low|info
description: Detailed description of what this template detects
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-XXXXX
- https://nvd.nist.gov/vuln/detail/CVE-2024-XXXXX
tags: cve,owasp,misconfig,custom
# Template type: http, dns, network, file, etc.
http:
- method: GET
path:
- "{{BaseURL}}/vulnerable-endpoint"
matchers:
- type: status
status:
- 200
- type: word
words:
- "vulnerable signature"
```
### Required Fields
- **id**: Unique identifier (kebab-case, organization-scoped for custom templates)
- **info.name**: Clear, descriptive name
- **info.author**: Template author
- **info.severity**: One of: critical, high, medium, low, info
- **info.description**: What vulnerability this detects
- **info.tags**: Searchable tags for filtering
### Optional but Recommended Fields
- **info.reference**: Links to CVE, advisories, documentation
- **info.classification**: CWE, CVE, OWASP mappings
- **info.metadata**: Additional metadata (max-request, verified, etc.)
## Template Types
### HTTP Templates
Most common template type for web application testing:
```yaml
id: http-example
info:
name: HTTP Template Example
author: security-team
severity: high
tags: web,http
http:
- method: GET
path:
- "{{BaseURL}}/api/users"
- "{{BaseURL}}/api/admin"
headers:
Authorization: "Bearer {{token}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "\"role\":\"admin\""
- "sensitive_data"
extractors:
- type: regex
name: user_ids
regex:
- '"id":([0-9]+)'
```
### DNS Templates
Test for DNS misconfigurations and subdomain takeovers:
```yaml
id: dns-takeover-check
info:
name: DNS Subdomain Takeover Detection
author: security-team
severity: high
tags: dns,takeover
dns:
- name: "{{FQDN}}"
type: CNAME
matchers:
- type: word
words:
- "amazonaws.com"
- "azurewebsites.net"
- "herokuapp.com"
```
### Network Templates
TCP/UDP port scanning and service detection:
```yaml
id: exposed-redis
info:
name: Exposed Redis Instance
author: security-team
severity: critical
tags: network,redis,exposure
network:
- inputs:
- data: "*1\r\n$4\r\ninfo\r\n"
host:
- "{{Hostname}}"
- "{{Hostname}}:6379"
matchers:
- type: word
words:
- "redis_version"
```
## Matchers and Extractors
### Matcher Types
#### Status Matcher
```yaml
matchers:
- type: status
status:
- 200
- 201
condition: or
```
#### Word Matcher
```yaml
matchers:
- type: word
part: body # body, header, all
words:
- "error"
- "exception"
condition: and
case-insensitive: true
```
#### Regex Matcher
```yaml
matchers:
- type: regex
regex:
- "(?i)password\\s*=\\s*['\"]([^'\"]+)['\"]"
part: body
```
#### Binary Matcher
```yaml
matchers:
- type: binary
binary:
- "504B0304" # ZIP file signature (hex)
part: body
```
#### DSL Matcher (Dynamic Expressions)
```yaml
matchers:
- type: dsl
dsl:
- "status_code == 200 && len(body) > 1000"
- "contains(tolower(body), 'admin')"
```
### Matcher Conditions
- **and**: All matchers must match
- **or**: At least one matcher must match (default)
```yaml
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "admin"
```
### Extractors
Extract data from responses for reporting or chaining:
#### Regex Extractor
```yaml
extractors:
- type: regex
name: api_keys
part: body
regex:
- 'api[_-]?key["\s:=]+([a-zA-Z0-9_-]{32,})'
group: 1
```
#### JSON Extractor
```yaml
extractors:
- type: json
name: user_data
json:
- ".users[].email"
- ".users[].id"
```
#### XPath Extractor
```yaml
extractors:
- type: xpath
name: titles
xpath:
- "//title"
```
## Advanced Techniques
### Request Chaining (Workflows)
Execute templates in sequence, passing data between them:
```yaml
id: workflow-example
info:
name: Multi-Step Authentication Test
author: security-team
workflows:
templates:
- template: login.yaml
- template: fetch-user-data.yaml
```
**login.yaml**:
```yaml
id: login-template
info:
name: Login and Extract Token
author: security-team
severity: info
http:
- method: POST
path:
- "{{BaseURL}}/api/login"
body: '{"username":"test","password":"test"}'
extractors:
- type: json
name: auth_token
json:
- ".token"
internal: true # Pass to next template
```
### Variables and Helpers
Use dynamic variables and helper functions:
```yaml
http:
- method: GET
path:
- "{{BaseURL}}/api/users/{{username}}"
# Available variables:
# {{BaseURL}}, {{Hostname}}, {{Host}}, {{Port}}, {{Path}}
# {{RootURL}}, {{Scheme}}, {{username}} (from previous extractor)
matchers:
- type: dsl
dsl:
# Helper functions: len(), contains(), regex_match(), etc.
- 'len(body) > 500'
- 'contains(tolower(header), "x-api-key")'
- 'status_code >= 200 && status_code < 300'
```
### Payloads and Fuzzing
Use payload files for fuzzing:
```yaml
id: sqli-fuzzing
info:
name: SQL Injection Fuzzing
author: security-team
severity: critical
http:
- method: GET
path:
- "{{BaseURL}}/api/users?id={{payload}}"
payloads:
payload:
- "1' OR '1'='1"
- "1' UNION SELECT NULL--"
- "'; DROP TABLE users--"
matchers:
- type: word
words:
- "SQL syntax"
- "mysql_fetch"
- "ORA-01756"
```
Or use external payload file:
```yaml
payloads:
payload: payloads/sql-injection.txt
attack: clusterbomb # pitchfork, clusterbomb, batteringram
```
### Rate Limiting and Threads
Control request rate to avoid overwhelming targets:
```yaml
id: rate-limited-scan
info:
name: Rate-Limited Vulnerability Scan
author: security-team
severity: medium
metadata:
max-request: 50 # Maximum requests per template execution
http:
- method: GET
path:
- "{{BaseURL}}/api/endpoint"
threads: 5 # Concurrent requests (default: 25)
```
## Testing and Validation
### Local Testing
Test templates against local test servers:
```bash
# Test single template
nuclei -t custom-templates/my-template.yaml -u http://localhost:8080 -debug
# Validate template syntax
nuclei -t custom-templates/my-template.yaml -validate
# Test with verbose output
nuclei -t custom-templates/my-template.yaml -u https://target.com -verbose
```
### Template Validation
Use the bundled validation script:
```bash
python3 scripts/template_validator.py custom-templates/my-template.yaml
```
### Test Lab Setup
Create a vulnerable test application for template development:
```bash
# Use DVWA (Damn Vulnerable Web Application)
docker run -d -p 80:80 vulnerables/web-dvwa
# Or OWASP Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop
```
## Best Practices
### 1. Accurate Severity Classification
- **Critical**: RCE, authentication bypass, full system compromise
- **High**: SQL injection, XSS, significant data exposure
- **Medium**: Missing security headers, information disclosure
- **Low**: Minor misconfigurations, best practice violations
- **Info**: Technology detection, non-security findings
### 2. Minimize False Positives
```yaml
# Use multiple matchers with AND condition
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "admin"
- "dashboard"
condition: and
- type: regex
regex:
- '<title>.*Admin.*Panel.*</title>'
case-insensitive: true
```
### 3. Clear Naming Conventions
- **id**: `organization-vulnerability-type-identifier`
- Example: `acme-api-key-exposure-config`
- **name**: Descriptive, clear purpose
- Example: "ACME Corp API Key Exposure in Config Endpoint"
### 4. Comprehensive Documentation
```yaml
info:
name: Detailed Template Name
description: |
Comprehensive description of what this template detects,
why it's important, and how it works.
References:
- CVE-2024-XXXXX
- Internal ticket: SEC-1234
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-XXXXX
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-XXXXX
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-XXXXX
cwe-id: CWE-89
metadata:
verified: true
max-request: 10
shodan-query: 'http.title:"Admin Panel"'
tags: cve,owasp,sqli,high-severity,verified
```
### 5. Responsible Testing Parameters
```yaml
# Avoid aggressive fuzzing in default templates
info:
metadata:
max-request: 10 # Limit total requests
http:
- method: GET
threads: 5 # Limit concurrent requests
# Use specific, targeted payloads
payloads:
test: ["safe-payload-1", "safe-payload-2"]
```
### 6. Error Handling
```yaml
http:
- method: GET
path:
- "{{BaseURL}}/api/test"
# Handle various response scenarios
matchers:
- type: dsl
dsl:
- "status_code == 200 && contains(body, 'vulnerable')"
- "status_code == 500 && contains(body, 'error')"
condition: or
# Negative matchers (must NOT match)
matchers:
- type: word
negative: true
words:
- "404 Not Found"
- "403 Forbidden"
```
### 7. Template Organization
```
custom-templates/
├── api/
│ ├── api-key-exposure.yaml
│ ├── graphql-introspection.yaml
│ └── rest-api-misconfig.yaml
├── cves/
│ ├── 2024/
│ │ ├── CVE-2024-12345.yaml
│ │ └── CVE-2024-67890.yaml
├── exposures/
│ ├── sensitive-files.yaml
│ └── backup-exposure.yaml
└── misconfig/
├── cors-misconfiguration.yaml
└── debug-mode-enabled.yaml
```
### 8. Version Control and Maintenance
- Use Git to track template changes
- Tag templates with version numbers in metadata
- Document changes in template comments
- Regularly test templates against updated applications
```yaml
info:
metadata:
version: 1.2.0
last-updated: 2024-11-20
changelog: |
1.2.0 - Added additional matcher for new vulnerability variant
1.1.0 - Improved regex pattern to reduce false positives
1.0.0 - Initial release
```
## Example: Complete Custom Template
```yaml
id: acme-corp-api-debug-exposure
info:
name: ACME Corp API Debug Endpoint Exposure
author: acme-security-team
severity: high
description: |
Detects exposed debug endpoint in ACME Corp API that leaks
sensitive configuration including database credentials,
API keys, and internal service URLs.
reference:
- https://internal-wiki.acme.com/security/SEC-1234
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200
metadata:
verified: true
max-request: 3
version: 1.0.0
tags: acme,api,exposure,debug,high-severity
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/debug/config"
- "{{BaseURL}}/api/v2/debug/config"
- "{{BaseURL}}/debug/config"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "database_url"
- "api_secret_key"
condition: or
- type: regex
part: body
regex:
- '"(password|secret|token)":\s*"[^"]+"'
extractors:
- type: regex
name: exposed_secrets
part: body
regex:
- '"(database_url|api_secret_key|jwt_secret)":\s*"([^"]+)"'
group: 2
- type: json
name: config_data
json:
- ".database_url"
- ".api_secret_key"
```
## Resources
- [Official Nuclei Template Guide](https://docs.projectdiscovery.io/templates/introduction)
- [Nuclei Templates Repository](https://github.com/projectdiscovery/nuclei-templates)
- [Template Editor](https://templates.nuclei.sh/)
- [DSL Functions Reference](https://docs.projectdiscovery.io/templates/reference/matchers#dsl-matcher)