Extractors
Review details on extractors for Nuclei
Extractors can be used to extract and display in results a match from the response returned by a module.
Types
Multiple extractors can be specified in a request. As of now we support five types of extractors.
- regex - Extract data from response based on a Regular Expression.
- kval - Extract key: value/key=value formatted data from Response Header/Cookie
- json - Extract data from JSON based response in JQ like syntax.
- xpath - Extract xpath based data from HTML Response
- dsl - Extract data from the response based on DSL expressions.
Regex Extractor
Example extractor for HTTP Response body using regex -
Kval Extractor
A kval extractor example to extract the content-type header from an HTTP Response.
Note that content-type has been replaced with content_type because the kval extractor does not accept a dash (-) as input; it must be substituted with an underscore (_).
JSON Extractor
A json extractor example to extract value of id object from JSON block.
For more details about JQ - https://github.com/stedolan/jq
Xpath Extractor
An xpath extractor example to extract value of href attribute from HTML response.
With a simple copy paste in the browser, we can get the xpath value from any web page content.
DSL Extractor
A dsl extractor example to extract the effective body length through the len helper function from HTTP Response.
Dynamic Extractor
Extractors can be used to capture dynamic values at runtime while writing multi-request templates. CSRF tokens, session headers, etc. can be extracted and used in requests. This feature is only available in RAW request format.
Example of defining a dynamic extractor with name api which will capture a regex based pattern from the request.
The extracted value is stored in the variable api, which can be utilised in any section of the subsequent requests.
If you want to use an extractor as a dynamic variable, you must use internal: true to avoid printing extracted values in the terminal.
An optional regex match-group can also be specified for the regex for more complex matches.
The above extractor with name csrf_token will hold the value extracted by ([[:alnum:]]{16}) as abcdefgh12345678.
If no group option is provided with this regex, the above extractor with name csrf_token will hold the full match (by <input name="csrf_token"\stype="hidden"\svalue="([[:alnum:]]{16})" />) as <input name="csrf_token" type="hidden" value="abcdefgh12345678" />.
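The csrf_token extractor described above, written out as a complete two-request template. This is an added example, not the template from the original page; the /settings path, the display_name field and the "Settings saved" success marker are assumptions made for illustration.

```yaml
# Added example (constructed). Paths, form fields and the success marker
# are assumptions; only the extractor regex and variable name come from the text.
id: csrf-dynamic-extractor-example

info:
  name: Dynamic extractor with regex match group (example)
  author: example
  severity: info

http:
  - raw:
      # Request 1: fetch the page whose body embeds the hidden CSRF field.
      - |
        GET /settings HTTP/1.1
        Host: {{Hostname}}

      # Request 2: reuse the value captured from response 1 as {{csrf_token}}.
      - |
        POST /settings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf_token}}&display_name=test

    extractors:
      - type: regex
        name: csrf_token   # variable name used in request 2
        part: body
        internal: true     # keep the token out of terminal output
        group: 1           # submatch only; without it the full <input ... /> match is stored
        regex:
          - '<input name="csrf_token"\stype="hidden"\svalue="([[:alnum:]]{16})" />'

    matchers:
      - type: word
        part: body
        words:
          - "Settings saved"   # assumed marker that only response 2 contains
```

If the group line is dropped, {{csrf_token}} expands to the whole input element rather than the 16-character token, so the second request carries an invalid token.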
Reusable Dynamic Extractors
With Nuclei v3.1.4 you can now reuse a dynamically extracted value (e.g. csrf_token in the above example) immediately in the next extractors, and it is by default available in subsequent requests.
Example: