Nuclei, a vulnerability scanner and OWASP Juice Shop

JJ Gallego
Published in CyberScribers
5 min read · Sep 15, 2024

What is Nuclei?

Nuclei is a fast vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms, and networks, aiding in the identification and mitigation of exploitable vulnerabilities.

At its core, Nuclei uses templates: straightforward YAML files that delineate methods for detecting, ranking, and addressing specific security flaws.

Each template delineates a possible attack route, detailing the vulnerability, its severity, priority rating, and occasionally associated exploits. This template-centric methodology ensures Nuclei not only identifies potential threats, but pinpoints exploitable vulnerabilities with tangible real-world implications. (text copied from here)

Installation

For installation you can use go install (which compiles and installs the package), build from the git source, or download the prebuilt release package for your system.

Using go install:

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -version

Building from the git source:

git clone https://github.com/projectdiscovery/nuclei.git
cd nuclei/cmd/nuclei
go build
sudo mv nuclei /usr/local/bin/
nuclei -version

Downloading the prebuilt release:

wget https://github.com/projectdiscovery/nuclei/releases/download/v3.3.2/nuclei_3.3.2_linux_amd64.zip
unzip nuclei_3.3.2_linux_amd64.zip
sudo mv nuclei /usr/local/bin/
nuclei -version

Whichever way you installed it, fetch the templates and check the usage:

nuclei -update-templates
nuclei -h  # usage

Using the tool.

https://owasp.org/www-project-juice-shop/

There are A LOT of guides on using Nuclei, but most of them do not come with an example to practice on. In my case I have decided to use a localhost VM to practice.

  1. Localhost Testing: If you don’t want to test on external targets, you can run vulnerable applications locally (like DVWA or OWASP Juice Shop), which are available as Docker containers or simple installations.

In my case I am going to use OWASP Juice Shop locally; to do that you need Docker.

raven@homelab:~$ docker --version
Docker version 24.0.5, build ced0996
raven@homelab:~$ sudo docker pull bkimminich/juice-shop
raven@homelab:~$ sudo docker run -d -p 3000:3000 bkimminich/juice-shop

As I am running the Docker container in my homelab, I need to access the hosted website using:

http://<homelab-ip>:3000

If you access the address as localhost or as an IP address, you will see a website like this one:

It pretends to be an online juice shop, and it is ready to scan!

To begin with the scan, I will do:

raven@homelab:~$ nuclei -u http://localhost:3000 -o results_test.txt

-u sets the target URL to scan, while -o followed by a file name writes the scan results to that text file.

The results of this scan can be found in the file created; let's have a look:

[dns-rebinding:IPv4] [dns] [unknown] localhost ["127.0.0.1"]
[swagger-api] [http] [info] http://localhost:3000/api-docs/swagger.json [paths="/api-docs/swagger.json"]
[missing-sri] [http] [info] http://localhost:3000 ["//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js","//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"]
[http-missing-security-headers:content-security-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:referrer-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:strict-transport-security] [http] [info] http://localhost:3000
[http-missing-security-headers:permissions-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://localhost:3000
[http-missing-security-headers:clear-site-data] [http] [info] http://localhost:3000
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://localhost:3000
[security-txt] [http] [info] http://localhost:3000/.well-known/security.txt ["mailto:donotreply@owasp-juice.shop"]
[addeventlistener-detect] [http] [info] http://localhost:3000
[owasp-juice-shop-detect] [http] [info] http://localhost:3000
[kubelet-metrics] [http] [info] http://localhost:3000/metrics
[prometheus-metrics] [http] [medium] http://localhost:3000/metrics
[fingerprinthub-web-fingerprints:qm-system] [http] [info] http://localhost:3000
[robots-txt-endpoint] [http] [info] http://localhost:3000/robots.txt
[x-recruiting-header] [http] [info] http://localhost:3000 ["/#/jobs"]
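The -o file is plain text in a fixed line layout: template id (with an optional matcher name after a colon), protocol, severity, target, and sometimes extracted values in trailing brackets. As an added example that is not part of the original post and not a Nuclei feature, the following Python parses such lines into records, counts them by severity and filters by a minimum severity; the sample lines are constructed from a subset of the scan above.

```python
import re
from collections import Counter

# Layout of one line in the -o text output shown above:
# [template-id[:matcher-name]] [protocol] [severity] target [optional extracted values]
LINE_RE = re.compile(
    r'^\[(?P<template>[^\]]+)\] \[(?P<protocol>[^\]]+)\] \[(?P<severity>[^\]]+)\] '
    r'(?P<target>\S+)(?: \[(?P<extracted>.*)\])?$'
)
# Nuclei severities from lowest to highest; "unknown" is what the dns-rebinding line carries.
RANK = {s: i for i, s in enumerate(["unknown", "info", "low", "medium", "high", "critical"])}

def parse_line(line):
    """Turn one result line into a dict, or return None for a line that is not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    template, _, matcher = m["template"].partition(":")
    return {
        "template": template,
        "matcher": matcher or None,   # e.g. "content-security-policy" or "IPv4"
        "protocol": m["protocol"],
        "severity": m["severity"],
        "target": m["target"],
        "extracted": m["extracted"],  # raw text between the trailing brackets, or None
    }

def parse_results(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def severity_counts(results):
    return dict(Counter(r["severity"] for r in results))

def at_least(results, minimum):
    """Findings rated `minimum` or higher; unrecognised severities sort lowest."""
    return [r for r in results if RANK.get(r["severity"], 0) >= RANK[minimum]]

# Constructed sample in the same layout as the scan output above (a subset, not the full file).
SAMPLE = """\
[dns-rebinding:IPv4] [dns] [unknown] localhost ["127.0.0.1"]
[swagger-api] [http] [info] http://localhost:3000/api-docs/swagger.json [paths="/api-docs/swagger.json"]
[http-missing-security-headers:content-security-policy] [http] [info] http://localhost:3000
[prometheus-metrics] [http] [medium] http://localhost:3000/metrics
[owasp-juice-shop-detect] [http] [info] http://localhost:3000
"""
```

Nuclei v3 can also write JSON Lines directly with -jsonl, which is easier to feed into a pipeline than parsing the text format.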

Now, let’s break down the findings in more detail:

DNS Rebinding: The scan detected that localhost resolves to 127.0.0.1, which is normal for a local environment. In a production setting, proper DNS configuration is crucial to prevent DNS rebinding attacks.

Swagger API: The API documentation is exposed at /api-docs/swagger.json. While useful for development, this should be secured or removed in a production environment to avoid revealing sensitive API details.

Missing Subresource Integrity (SRI): External JavaScript libraries (jQuery and cookieconsent) are loaded without SRI checks. This could potentially allow these scripts to be tampered with in transit.

Missing Security Headers: Several important security headers are not set. These headers help protect against various attacks like XSS, CSRF, and clickjacking.

Security.txt: A security.txt file was found, which is good practice. However, ensure it doesn’t reveal sensitive information.

OWASP Juice Shop: The application was identified as OWASP Juice Shop, which is intentionally vulnerable for learning purposes. If this is indeed your application, be aware that it’s not meant for production use.

Exposed Metrics: Both Kubelet and Prometheus metrics endpoints were found at /metrics. These could potentially expose sensitive operational data and should be secured.

Robots.txt: The robots.txt file was detected. Ensure it doesn’t inadvertently reveal sensitive paths.

Recruiting Header: An X-Recruiting header was found, which is low-risk but unnecessary if not intentional.
(Text by Claude AI)
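To see what the missing-sri and missing-security-headers findings above actually check for, here is an added Python example (not from the original post and not Nuclei's own code) that inspects a constructed response: it lists which of the headers flagged above are absent, finds cross-origin script tags that carry no integrity attribute, and computes the sha384 integrity value you would add to a known-good copy of a script to fix that finding. The headers, HTML and hostnames are constructed samples, not a capture of Juice Shop.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers the Nuclei scan above reported as missing on Juice Shop.
EXPECTED_HEADERS = [
    "content-security-policy", "referrer-policy", "cross-origin-opener-policy",
    "cross-origin-resource-policy", "strict-transport-security", "permissions-policy",
    "x-permitted-cross-domain-policies", "clear-site-data", "cross-origin-embedder-policy",
]

def missing_security_headers(headers):
    """Return the expected headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h not in present]

class _ScriptCollector(HTMLParser):
    """Collect <script src> tags served from another origin that carry no integrity attribute."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.unprotected = page_host, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") if tag == "script" else None
        if not src:
            return  # not a script, or an inline script (SRI does not apply)
        # scheme="http" lets urlparse resolve protocol-relative "//cdn..." sources
        host = urlparse(src, scheme="http").netloc
        if host and host != self.page_host and "integrity" not in attrs:
            self.unprotected.append(src)

def scripts_without_sri(html, page_host):
    parser = _ScriptCollector(page_host)
    parser.feed(html)
    return parser.unprotected

def sri_value(script_bytes):
    """Integrity attribute value (sha384) for a known-good copy of a script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode("ascii")

# Constructed sample modelled on the findings above, not a real capture of Juice Shop.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_HTML = """<html><head>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script src="/main.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-x" crossorigin="anonymous"></script>
</head></html>"""
```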

Last but not least…

Nuclei is a powerful tool. In this blog, I have covered only its most basic usage. It is also important to mention that you can run just a subset of the templates by using -t. If we go to the templates folder, we will see all available templates. You can use tree or ls to see them all:

(Image: ls view of the templates folder)
(Image: tree view of part of the 9000 .yaml templates)

Imagine that you want to use only the Cisco templates; the way to do that would be to run:

nuclei -t cisco -u http://localhost:3000 -o results_test.txt

If you want to scan more than one target, put them all in a .txt file and use the -list flag followed by that .txt file. As I said, Nuclei is a very powerful tool. If you want to know more about it, check this video: https://www.youtube.com/watch?v=b5qMyQvL1ZA&t=11s


JJ Gallego
CyberScribers

Biologist specializing in Molecular Microbiology and cybersecurity.