Nuclei Template Guide

All Nuclei templates targeting e-commerce web applications, organized by vulnerability type.


Before You Begin

  1. Never hardcode target-specific values → always validate the template after creating it:
    1. Target server: {TARGET_URL}
    2. Specific ID: {TARGET_ID}
    3. Any other value that must come from the environment should be a variable prefixed with TARGET, and the expected value of each such variable must be documented in the SKILL.md of the vulnerability-scan skill.
  2. Verify that the template is written generically and is broadly applicable.

File Header Comment Structure

Every template must begin with a comment block in the following format:

# ==============================================================================
# [TEMPLATE] {Template Description}
# ==============================================================================
# USAGE:
#   nuclei -t {template-filename}.yaml -u {TARGET_URL}
#   nuclei -t {template-filename}.yaml -l {TARGET_LIST_FILE}
#
# OPTIONS:
#   -u  {TARGET_URL}        : Single target URL (e.g., http://192.168.1.10:3000)
#   -l  {TARGET_LIST_FILE}  : Path to a file containing a list of target URLs (e.g., targets.txt)
#   -o results/{template-filename}.json : Output file path
#   -json                   : Output results in JSON format (recommended for agent parsing)
#   -severity {severity}    : Filter by specific severity level
#
# EXAMPLE:
#   nuclei -t {template-filename}.yaml -u http://example.com -o results/{template-filename}.json -json
# ==============================================================================

Actual template example based on the above format:

# ==============================================================================
# [TEMPLATE] JSON API HTML Injection / XSS Risk Detection
# ==============================================================================
# USAGE:
#   nuclei -t json-api-html-injection.yaml -u {TARGET_URL}
#   nuclei -t json-api-html-injection.yaml -l {TARGET_LIST_FILE}
#
# OPTIONS:
#   -u  {TARGET_URL}        : Single target URL (e.g., http://192.168.1.10:3000)
#   -l  {TARGET_LIST_FILE}  : Path to a file containing a list of target URLs (e.g., targets.txt)
#   -o results/json-api-html-injection.json : Output file path
#   -json                   : Output results in JSON format (recommended for agent parsing)
#   -severity medium,high   : Filter by specific severity level
#
# EXAMPLE:
#   nuclei -t json-api-html-injection.yaml -u http://example.com -o results/json-api-html-injection.json -json
# ==============================================================================

Rules

  • The -o output path must always be fixed as results/{template-filename}.json.
  • The EXAMPLE command must use the same output path.
  • CLI option values (e.g., {TARGET_URL}) are passed externally at runtime, so do not create a separate VARIABLES block for them.
  • Only define variables in comments if they are injected as var within the template itself.

info Block

info:
  name: {Template Name}
  author: Hoyoung Lee
  severity: {critical|high|medium|low|info}
  description: |
    {Description of the detection purpose and behavior}

    Detection Logic:
    - {Explanation of the detection logic}
  tags: {relevant tags}

Example:

info:
  name: XSS Risk - Unescaped HTML in JSON API Response Fields
  author: Hoyoung Lee
  severity: medium
  description: |
    Detects unescaped HTML tags in JSON API response fields that may lead to
    DOM-based XSS when rendered by SPA frameworks (Angular, React, Vue) using
    innerHTML, dangerouslySetInnerHTML, or bypassSecurityTrustHtml.

    Detection Logic:
    - HIGH: Executable tags (<script>, <iframe>, <img>, <svg>, etc.) with event
      handlers or src/href attributes found unescaped in JSON string fields.
    - MEDIUM: Formatting tags (<a>, <em>, <b>, <div>, etc.) found unescaped in
      JSON string fields, indicating potential unsafe rendering patterns.
  tags: xss,dom-xss,json-api,spa,html-injection,unescaped-html

Rules

  • author should be your own name.
  • description must be written in English.
  • The description must include both the purpose of the detection and the detection logic. Do not reference Juice Shop-specific challenge names; describe only the vulnerability type being detected.

Path Configuration

  • List paths that are commonly found in general e-commerce product applications first.
  • Juice Shop-specific paths should be appended at the bottom.
  • Do not add section separator comments between paths.

Generic e-commerce paths (path parameter)

- "{{BaseURL}}/api/orders/{{value}}"
- "{{BaseURL}}/api/products/{{value}}"
- "{{BaseURL}}/api/items/{{value}}"
- "{{BaseURL}}/api/categories/{{value}}"
- "{{BaseURL}}/api/reviews/{{value}}"
- "{{BaseURL}}/api/users/{{value}}"
- "{{BaseURL}}/api/cart/{{value}}"
- "{{BaseURL}}/order/track/{{value}}"
- "{{BaseURL}}/orders/{{value}}"
- "{{BaseURL}}/tracking/{{value}}"

Generic e-commerce paths (query parameter)

- "{{BaseURL}}/api/search?q={{value}}"
- "{{BaseURL}}/api/products?search={{value}}"
- "{{BaseURL}}/api/items?query={{value}}"
- "{{BaseURL}}/api/categories?search={{value}}"
- "{{BaseURL}}/api/reviews?search={{value}}"
- "{{BaseURL}}/api/orders?id={{value}}"
- "{{BaseURL}}/api/users?search={{value}}"
- "{{BaseURL}}/api/v1/search?q={{value}}"
- "{{BaseURL}}/api/v2/search?q={{value}}"

Juice Shop-specific paths (append at the bottom)

- "{{BaseURL}}/rest/products/search?q={{value}}"
- "{{BaseURL}}/rest/track-order/{{value}}"

Example

- "{{BaseURL}}/api/search?q="
- "{{BaseURL}}/api/products?search="
- "{{BaseURL}}/api/items?search="
- "{{BaseURL}}/api/categories?search="
- "{{BaseURL}}/api/reviews?search="
- "{{BaseURL}}/search?q="
- "{{BaseURL}}/api/v1/search?q="
- "{{BaseURL}}/api/v2/search?q="
- "{{BaseURL}}/rest/products/search?q="

Path Addition Guidelines

  • Only include paths corresponding to features commonly found in e-commerce applications (orders, products, search, cart, reviews, etc.) — add only paths relevant to the functionality your endpoint covers.
  • Paths specific to a particular framework or solution should be appended at the bottom separately, just like the Juice Shop-specific paths.

Inline Comments

  • Do not add unnecessary explanatory comments in the middle of the code.
  • If there are multiple http blocks, add a single-line comment describing the role of each block.

http:

  # HIGH: Executable tags with event handlers found unescaped in JSON fields
  - method: GET
    ...

  # MEDIUM: Formatting tags found unescaped in JSON fields
  - method: GET
    ...

Full Template Example

# ==============================================================================
# [TEMPLATE] JSON API HTML Injection / XSS Risk Detection
# ==============================================================================
# USAGE:
#   nuclei -t json-api-html-injection.yaml -u {TARGET_URL}
#   nuclei -t json-api-html-injection.yaml -l {TARGET_LIST_FILE}
#
# OPTIONS:
#   -u  {TARGET_URL}        : Single target URL (e.g., http://192.168.1.10:3000)
#   -l  {TARGET_LIST_FILE}  : Path to a file containing a list of target URLs (e.g., targets.txt)
#   -o results/json-api-html-injection.json : Output file path
#   -json                   : Output results in JSON format (recommended for agent parsing)
#   -severity medium,high   : Filter by specific severity level
#
# EXAMPLE:
#   nuclei -t json-api-html-injection.yaml -u http://example.com -o results/json-api-html-injection.json -json
# ==============================================================================

id: json-api-html-injection

info:
  name: XSS Risk - Unescaped HTML in JSON API Response Fields
  author: Hoyoung Lee
  severity: medium
  description: |
    Detects unescaped HTML tags in JSON API response fields that may lead to
    DOM-based XSS when rendered by SPA frameworks (Angular, React, Vue) using
    innerHTML, dangerouslySetInnerHTML, or bypassSecurityTrustHtml.

    Detection Logic:
    - HIGH: Executable tags (<script>, <iframe>, <img>, <svg>, etc.) with event
      handlers or src/href attributes found unescaped in JSON string fields.
    - MEDIUM: Formatting tags (<a>, <em>, <b>, <div>, etc.) found unescaped in
      JSON string fields, indicating potential unsafe rendering patterns.
  tags: xss,dom-xss,json-api,spa,html-injection,unescaped-html

http:

  # HIGH: Executable tags with event handlers / src / href found unescaped in JSON fields
  - method: GET
    path:
      - "{{BaseURL}}/api/search?q="
      - "{{BaseURL}}/api/products?search="
      - "{{BaseURL}}/api/items?search="
      - "{{BaseURL}}/api/categories?search="
      - "{{BaseURL}}/api/reviews?search="
      - "{{BaseURL}}/search?q="
      - "{{BaseURL}}/api/v1/search?q="
      - "{{BaseURL}}/api/v2/search?q="
      - "{{BaseURL}}/rest/products/search?q="
    ...
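The "validate after creating a template" step from Before You Begin can be scripted. The following Python linter is an added example, not part of this project: it checks a template file against the rules stated in this guide (header comment block, fixed -o output path in OPTIONS and EXAMPLE, id equal to the filename, every path on {{BaseURL}}, no separator comments between paths, Juice Shop-specific paths last). SAMPLE is a constructed, trimmed version of the template above, and treating `{{BaseURL}}/rest/` as the Juice Shop prefix is an assumption drawn from the paths listed in Path Configuration.

```python
import re
from pathlib import PurePosixPath
PATH_ENTRY_RE = re.compile(r'^\s*-\s*"([^"]*)"\s*$')  # one quoted entry of a path: list

def lint_template(text: str, filename: str) -> list:
    """Return violations of the guide's rules; an empty list means the template passes."""
    stem, lines, out = PurePosixPath(filename).stem, text.splitlines(), []
    # Header block: banner, [TEMPLATE] title, then USAGE / OPTIONS / EXAMPLE sections
    if not (len(lines) > 1 and lines[0].startswith("# ===") and lines[1].startswith("# [TEMPLATE] ")
            and all(f"# {s}:" in lines for s in ("USAGE", "OPTIONS", "EXAMPLE"))):
        out.append("missing or malformed header comment block")
    # -o is fixed to results/{template-filename}.json, in OPTIONS and again in EXAMPLE
    expected, found = f"results/{stem}.json", re.findall(r"-o\s+(\S+)", text)
    if len(found) < 2 or any(p != expected for p in found):
        out.append(f"-o path must be {expected} in both OPTIONS and EXAMPLE")
    if not (m := re.search(r"^id:\s*(\S+)", text, re.M)) or m.group(1) != stem:
        out.append("id must equal the template filename")  # keeps -t and -o consistent
    # Path lists: every entry on {{BaseURL}}, no separator comments, Juice Shop paths last
    juice_seen = prev_entry = False
    for line in lines:
        entry = PATH_ENTRY_RE.match(line)
        if prev_entry and line.strip().startswith("#"):
            out.append(f"separator comment inside path list: {line.strip()}")
        if entry:
            path = entry.group(1)
            if not path.startswith("{{BaseURL}}"):
                out.append(f"hardcoded target in path: {path}")
            if path.startswith("{{BaseURL}}/rest/"):  # Juice Shop REST prefix (assumed)
                juice_seen = True
            elif juice_seen:
                out.append(f"generic path listed after a Juice Shop path: {path}")
        elif not line.strip().startswith("#"):
            juice_seen = False  # a non-path line ends the list; the next list starts fresh
        prev_entry = bool(entry)
    return out
SAMPLE = """\
# ==============================================================================
# [TEMPLATE] JSON API HTML Injection / XSS Risk Detection
# ==============================================================================
# USAGE:
# OPTIONS:
#   -o results/json-api-html-injection.json : Output file path
# EXAMPLE:
#   nuclei -t json-api-html-injection.yaml -u http://example.com -o results/json-api-html-injection.json -json
id: json-api-html-injection
http:
  - method: GET
    path:
      - "{{BaseURL}}/api/search?q="
      - "{{BaseURL}}/rest/products/search?q="
"""  # constructed sample, trimmed to the lines the linter checks; matchers omitted
```

Run it over each file under Vuln_template before committing; a template that renames its file without updating the header shows up as two violations (the -o path and the id).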

Git Directory Structure

Place your YAML files under the Vuln_template directory, organized by vulnerability category:

Vuln_template/
└── {vulnerability-category}/
    └── {template-name}.yaml

Create a directory named after your vulnerability category under Vuln_template, then place your YAML file inside it.


Git Commit Message Convention

Use only the subject line — no description body.

Format:

{type}: {short summary}

Example:

feat: add XSS detection template for JSON API response fields

Common types: feat, fix, docs, refactor, test, chore