23 and Me: Offensive DNA and Nuclei Templates

by Nathan Sportsman on March 15, 2022

As part of our launch of the Chariot platform, we have developed twenty-three Nuclei templates to identify new issues or exposures within external attack surfaces that we want to share back with the security community. Nuclei is an extremely powerful vulnerability scanner from ProjectDiscovery that leverages a YAML-based domain-specific language to represent vulnerabilities. Nuclei is one of the tools we leverage within the Chariot Identify and Chariot Attack platform modules to perform dynamic security testing and identify misconfigured or exposed services.

Why use Nuclei over a Custom Solution?

At Praetorian, we generally try to avoid reinventing the wheel. Instead, we try to leverage and contribute back to existing solutions whenever they exist and effectively solve the problem we are trying to address. Nuclei fit this description for our use-case with the community behind the tool’s development and the corresponding community contributed templates. Moreover, by throwing our support into the community, we feel like we can help the state of security more broadly, and that’s good for everyone.

Why twenty-three Nuclei templates?

Before discussing the templates we developed, you may wonder why we created exactly twenty-three templates? This is because our launch date corresponds with the Ides of March, the day Julius Caesar was assassinated by a group of Roman senators (stabbed with twenty-three separate blades). However, we’ve actually been contributing new templates back to Nuclei for quite some time prior to the official launch date of the product – these twenty-three are just our little way of giving back to the community on launch day.

Analysis of the Twenty-Three Nuclei Templates

When building out Nuclei templates, our recent focus has been on improving our ability to identify and detect Internet-facing applications automatically. One of the core value propositions of the Chariot Identify module is the ability to identify opportunities to reduce the external attack surface and thus the risk of an external compromise. For example, exposing specific applications like Grafana to the Internet poses a threat even if the system is not exploitable during a point-in-time analysis.

Sponsorships Available

Often, a vulnerability may not be present during a point-in-time external penetration test, but later a vulnerability will be disclosed in the application. Reducing the external attack surface by placing these applications behind an identity-aware proxy or the corporate VPN significantly reduces the risk of external to internal compromise. As such, the vast majority of our new twenty-three Nuclei templates are focused on identifying new types of web applications (eighteen of the twenty-three to be precise).

Additionally, cataloging customer applications accurately informs the work done as part of our Chariot Attack module. For example, detecting all externally-facing instances of Grafana across all customers allows us to identify potentially vulnerable hosts when new vulnerabilities are released quickly using retroactive analysis of the data collected previously.

The remaining five templates are composed of three templates focused on exploits for known-vulnerabilities or issues and two templates focused on the token-spraying capabilities of Nuclei.

Token spraying is particularly interesting as we plan to combine this with our machine-learning based mechanisms for identifying secrets in code (and eventually from other sources such as externally accessible JavaScript files) to actually verify these tokens are valid or automatically identify the service they correspond to.

For the exploit related templates, the first template is focused on testing for the Log4j vulnerability in the Code42 risk management application. This is one of the applications we identified as being vulnerable to Log4j while performing free scanning for Log4j using our attack surface management platform. The remaining two templates check for an XSS and an open redirect issue in the HTTPBin application. HTTPBin is an application used to test HTTP client libraries.

However, we have seen this application unintentionally exposed externally on customer environments. Mostly, the open redirect and XSS issues are useful for conducting phishing attacks as the instances where we have found this application were hosted under a trusted subdomain. We’ve had a significant amount of success on red team engagements leveraging cross-site scripting and open-redirection issues for customized phishing attacks.

Creating a Flywheel between Product and Services

One of our key focus areas when developing modules for the Chariot platform is leveraging our offensive-security expertise gained through conducting numerous red team operations and other security tests to inform the security value-add of our product offerings. We believe that this offensive security expertise differentiates us from a purely product-focused company. Fundamentally, this places us extremely close to the core problems our customers face through our day to day offensive security engagements. Understanding the problem better allows us to build new products and managed services that actually solve the problems our customers face.

Nuclei’s templating language makes it incredibly easy for our professional services engineers to create new Nuclei templates for vulnerabilities we identify during red team engagements or external penetration tests. With Nuclei, we can then create a flywheel effect between our professional services teams and our product teams by capturing our offensive security expertise from real-world offensive security engagements within Nuclei templates.

Conclusion

At Praetorian, we are continually focused on solving customer’s cybersecurity problems through the creation of new professional services offerings, managed services offerings, and product offerings. Free and open source software remains a core-focus of our approach as we work to ensure that all organizations have the tooling and capabilities to effectively secure their environments. We look forward to continuing to contribute new Nuclei templates and supporting and releasing new open source tooling as we continue to work towards this goal.