Token Spray - Introduction to self-contained template


We search for leaked secrets in a variety of places, including GitHub, JS files, HTTP responses, and source code. Once we've identified these keys, the next question is: what service does this key belong to, and is it valid? The answers to those questions determine the severity of the revealed token.

Keyhacks is a great project that provides valid examples of API requests for a variety of services, making it simple to confirm token authenticity. However, the difficulty arises when the token is unknown and we don't know which services it belongs to 🤔🧐

Token-Spray to automate token validation

We've been exploring what the community is doing with custom templates and the various use cases that can be automated using nuclei. A great example comes from zzeitlin, who created this awesome pull request on GitHub that includes 63 self-contained templates to automate checking the validity of a given token or list of tokens across multiple APIs/services.


What is a self-contained template?

A self-contained nuclei template is a stand-alone portable template that does not require any external information to run, such as target or input URLs. All required information can be hardcoded into the template itself.

id: example-self-contained

info:
  name: example-self-contained
  author: pdteam
  severity: info

self-contained: true
requests:
  - raw:
      - |
        GET https://app.target.com/api/users HTTP/1.1
        Host: app.target.com
        Authorization: XXXX

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "success"

Example of a self-contained template


How to run token-spray templates?

We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time.

nuclei -t token-spray/ -var token=XXX_TOKEN_XXX
nuclei -t token-spray/ -var token=token_list.txt

Example of running token-spray templates

Running token-spray templates using wordlist based input

token-spray is a great example of using self-contained templates. Self-contained templates can also be used for regression testing of known security issues in an organization: because they are portable, they can be defined once and integrated into CI/CD pipelines to flag when an issue resurfaces. This is just one of many use cases for self-contained templates.
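
The CI regression use case above, sketched as an added example that is not part of the original post or the nuclei project: a gate that re-checks previously leaked, supposedly revoked tokens and fails the build if any still validates. The `NUCLEI` and `TEMPLATES` variables and the function names are assumptions, as is the expectation that each finding line printed under `-silent` starts with the bracketed template id.

```shell
#!/bin/sh
# Added example (not from the original post): CI gate that re-checks
# previously leaked, supposedly revoked tokens with the token-spray templates.
# Assumptions: NUCLEI/TEMPLATES variables and function names are illustrative;
# each finding line printed under -silent starts with "[template-id]".

NUCLEI="${NUCLEI:-nuclei}"
TEMPLATES="${TEMPLATES:-token-spray/}"

# Short one-way label so the token itself never lands in CI logs.
token_label() {
    printf '%s' "$1" | sha256sum | cut -c1-12
}

# check_tokens FILE  (one token per line, '#' comments allowed)
# Prints "<label> [template-id]" for every token that still validates.
# Returns 0 if none validate, 1 if any does, 2 on error (fail closed).
check_tokens() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read token list" >&2; return 2; }
    live=0
    while IFS= read -r tok || [ -n "$tok" ]; do
        case "$tok" in ''|'#'*) continue ;; esac
        # </dev/null keeps nuclei from consuming the token list on stdin.
        findings=$("$NUCLEI" -t "$TEMPLATES" -var "token=$tok" \
            -silent -no-color </dev/null) || {
            echo "nuclei run failed" >&2; return 2; }
        [ -n "$findings" ] || continue
        live=1
        label=$(token_label "$tok")
        # Keep only the template id: matched URLs can embed the token.
        printf '%s\n' "$findings" | cut -d' ' -f1 | sed "s/^/$label /"
    done < "$file"
    [ "$live" -eq 0 ]
}
```

Call `check_tokens` on the token list as a pipeline step and treat any non-zero status as a failed build. Because `-var` places the token in the process arguments, run it on a runner where other users cannot read the process list.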

If you are using nuclei templates in more creative ways and would like to share them with everyone, or if you have workflows in mind that you would like to implement in the form of template automation, please get in touch with us. You can also join our community discord server and follow pdnuclei for future updates.
