Review details on template signing for Nuclei
Entities can generate their own key pair with nuclei and sign their custom templates with their private key, ensuring that only authorized templates are used in their environment.
This also allows entities to fully use the power of new protocols like the code protocol without worrying about malicious custom templates being used in their environment.
NOTE:
- Files referenced in code templates (e.g. .source: protocols/code/pyfile.py) are allowed, and the content of these files is included in the template digest.
- Files referenced as payloads (e.g. payloads: protocols/http/params.txt) are not included in the template digest, because they are treated as payload/helper data rather than code that is actually executed.
- If a template is signed with the -lfa flag, verification will fail if the same template is used without the -lfa flag. (This applies only to -lfa, i.e. the local file access flag.)
Templates are signed with nuclei itself.
When signing a template, if a key pair does not exist, Nuclei will prompt the user to generate a new key pair with options.
Note: The passphrase is optional and can be left blank. When a passphrase is provided, the private key is encrypted with it using the PEMCipherAES256 algorithm.
Once a key pair is generated, you can sign any custom template using the -sign flag as shown below.
Note: Every time you make any change in your code template, you need to re-sign it to run with Nuclei.
A signed template carries a digest of the form signature:fragment, where the signature is the digital signature of the template used to verify its integrity, and the fragment is metadata generated by MD5-hashing the public key, used to disable re-signing of code templates not written by you.
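The digest format described above, together with the re-signing rule explained in the FAQ further down this page, can be modelled end to end. The following is an added example written for this page, not Nuclei's own implementation: it assumes an ECDSA P-256 key pair, SHA-256 over the template body plus every .source file, an MD5 of the DER-encoded public key as the fragment, and a simplified Template type with constructed sample content (the real engine's key handling and encoding differ in detail).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrResign mirrors the engine error quoted in the FAQ on this page.
var ErrResign = errors.New("re-signing code templates are not allowed for security reasons")

// File is a referenced file: its path inside the template and its content.
type File struct{ Path, Content string }

// Template is a hypothetical, simplified model of a code template: the YAML body without
// its digest line, the .source files (covered by the digest) and payload files (not covered).
type Template struct {
	Body     string
	Sources  []File // referenced via .source, e.g. protocols/code/pyfile.py
	Payloads []File // referenced via payloads:, e.g. protocols/http/params.txt
}

// SampleTemplate returns constructed sample content used by main() and the tests.
func SampleTemplate() Template {
	return Template{
		Body:     "id: simple-code\ncode:\n  - engine: [py]\n    source: protocols/code/pyfile.py\n",
		Sources:  []File{{"protocols/code/pyfile.py", "print('hello')\n"}},
		Payloads: []File{{"protocols/http/params.txt", "id\nuser\n"}},
	}
}

// NewSigningKey generates an ECDSA P-256 key pair (the curve is an assumption of this example).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digestInput hashes the body plus every .source file in template order.
// Payload files are deliberately left out, as the page describes.
func digestInput(t Template) []byte {
	h := sha256.New()
	h.Write([]byte(t.Body))
	for _, f := range t.Sources {
		h.Write([]byte(f.Path))
		h.Write([]byte{0}) // separator so path and content cannot run together
		h.Write([]byte(f.Content))
	}
	return h.Sum(nil)
}

// Fragment is the MD5 of the DER-encoded public key: the signer identifier in the digest.
func Fragment(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := md5.Sum(der)
	return hex.EncodeToString(sum[:]), nil
}

// Sign returns "signature:fragment". If the template already carries a digest whose
// fragment belongs to a different key, it refuses rather than silently replacing it.
func Sign(t Template, existingDigest string, priv *ecdsa.PrivateKey) (string, error) {
	frag, err := Fragment(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	if existingDigest != "" {
		parts := strings.SplitN(existingDigest, ":", 2)
		if len(parts) != 2 || parts[1] != frag {
			return "", ErrResign
		}
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digestInput(t))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(sig) + ":" + frag, nil
}

// Verify checks the fragment against the trusted public key, then the signature over
// the digest input. Edits to Body or a .source file invalidate it; payload edits do not.
func Verify(t Template, digest string, pub *ecdsa.PublicKey) bool {
	parts := strings.SplitN(digest, ":", 2)
	frag, err := Fragment(pub)
	if len(parts) != 2 || err != nil || parts[1] != frag {
		return false
	}
	sig, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, digestInput(t), sig)
}

func main() {
	priv, _ := NewSigningKey()
	tpl := SampleTemplate()
	digest, _ := Sign(tpl, "", priv)
	fmt.Println("digest:", digest, "valid:", Verify(tpl, digest, &priv.PublicKey))
}
```

Two consequences of the digest coverage are worth keeping in mind when reviewing templates: because the .source file content is hashed, editing pyfile.py breaks verification even if the YAML is untouched, which is why the page says a changed template must be re-signed; and because payload files are excluded, a change to params.txt leaves the signature valid, so code in a template should treat payload data as untrusted input rather than as part of what was signed.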
The key pair generated by Nuclei is stored in two files in the $CONFIG/nuclei/keys directory, where $CONFIG is the system-specific config directory. The private key is stored in nuclei-user-private-key.pem, which is encrypted with a passphrase if one was provided. The public key is stored in nuclei-user.crt, a self-signed certificate that includes the public key and an identifier (e.g., user/org name).
To use the public key, copy it to the $CONFIG/nuclei/keys directory on another user's machine, or set the NUCLEI_USER_CERTIFICATE environment variable to the path or content of the public key.
To use the private key, copy it to the $CONFIG/nuclei/keys directory on another user's machine, or set the NUCLEI_USER_PRIVATE_KEY environment variable to the path or content of the private key.
To hide the template signature warning, set the HIDE_TEMPLATE_SIG_WARNING environment variable to true.
Here, simple-code.yaml is a code protocol template that is either not signed or whose content has been modified after signing, which indicates a loss of template integrity.
If you are the template writer, you can go ahead and sign the template using the -sign flag; if you are a template consumer, you should carefully examine the template before signing it.
What does "re-signing code templates are not allowed for security reasons" mean?
The error "re-signing code templates are not allowed for security reasons" comes from the Nuclei engine. It indicates that a code template was initially signed by another user and someone is now trying to re-sign it.
This measure was implemented to prevent running untrusted templates unknowingly, which might lead to potential security issues.
When you encounter this error, it suggests that you are dealing with a template that has been signed by another user. Likely, the original signer is not you or the team from projectdiscovery.
By default, Nuclei disallows executing code templates that are signed by anyone other than you or from the public templates provided by projectdiscovery/nuclei-templates.
This is done to prevent potential security abuse using code templates.
To resolve this error: