JavaScript Protocol
Review examples of JavaScript with Nuclei v3
The JavaScript protocol was added to Nuclei v3 to allow you to write checks and detections for exploits in JavaScript and to bridge the gap between network protocols.
- Internally any content written using the JavaScript protocol is executed in Golang.
- The JavaScript protocol is not intended to fit into or be imported with any existing JavaScript libraries or frameworks outside of the Nuclei ecosystem.
- Nuclei provides a set of functions, libraries that are tailor-made for writing exploits and checks and only adds required/necessary functionality to complement existing YAML-based DSL.
- The JavaScript protocol is not intended to be used as a general purpose JavaScript runtime and does not replace matchers, extractors, or any existing functionality of Nuclei.
- Nuclei v3.0.0 ships with 15+ libraries (ssh, ftp, RDP, Kerberos, and Redis) tailored for writing exploits and checks in JavaScript and will be continuously expanded in the future.
Simple Example
Here is a basic example of a JavaScript protocol template:
In the Nuclei template example above, we are fingerprinting SSH server software by connecting in non-auth mode and extracting the server banner. Let’s break down the template.
Code Section
The code:
contains actual JavaScript code that is executed by Nuclei at runtime. In the above template, we are:
- Importing
nuclei/ssh
module/library - Creating a new instance of
SSHClient
object - Connecting to SSH server in
Info
mode - Converting response to json
Args Section
The args:
section can be simply understood as variables in JavaScript that are passed at runtime and support DSL usage.
Output Section
The value of the last expression is returned as the output of JavaScript protocol template and can be used in matchers and extractors. If the server returns an error instead, then the error
variable is exposed in the matcher or extractor with an error message.
SSH Bruteforce Example
SSH Password Bruteforce Template
In the example template above, we are bruteforcing ssh server with a list of usernames and passwords. We can tell that this might not have been possible to achieve with the network template. Let’s break down the template.
Pre-Condition
pre-condition
is an optional section of JavaScript code that is executed before running “code” and acts as a pre-condition to exploit. In the above template, before attempting brute force, we check if:
- The address is actually an SSH server.
- The ssh server is configured to allow password-based authentication.
Further explanation
- If pre-condition returns
true
only thencode
is executed; otherwise, it is skipped. - In the code section, we import
nuclei/ssh
module and create a new instance ofSSHClient
object. - Then we attempt to connect to the ssh server with a username and password. This template uses payloads to launch a clusterbomb attack with 10 threads and exits on the first match.
Looking at this template now, we can tell that JavaScript templates are powerful for writing multistep and protocol/vendor-specific exploits, which is a primary goal of the JavaScript protocol.
Init
init
is an optional JavaScript section that can be used to initialize the template, and it is executed just after compiling the template and before running it on any target. Although it is rarely needed, it can be used to load and preprocess data before running a template on any target.
For example, in the below code block, we are loading all ssh private keys from nuclei-templates/helpers
directory and storing them as a variable in payloads with the name keys
. If we were loading private keys from the “pre-condition” code block, then it would have been loaded for every target, which is not ideal.
Two special functions that are available in the init
block are
Function | Description |
---|---|
updatePayload(key,value) | updates payload with given key and value |
set(key,value) | sets a variable with given key and value |
A collection of JavaScript protocol templates can be found here.
Was this page helpful?