#Authenticated Nuclei scan

Hi Team,

I have a scenario where username and password should be passed to a authentication server, in the response body will get the jwt access token. Using this jwt access token I need to scan another domain with specific paths by passing the jwt token as Authorization bearer token in Request header. Is this possible with the new authentication scan feature possibility

I havent worked with it myself but I have seen others ask and been directed to look at dynamic auth and the info here https://docs.projectdiscovery.io/tools/nuclei/authenticated-scans

Thanks for the reply. I checked the document but I didn't understand whether my scenario would work in this case 😢

Thats fair, just passing it along in case it hadnt been seen and it gave any hints. I really need to spend the time to focus on the auth functionality in nuclei these days. We had to roll our own solution prior to it getting more fleshed out here so I havent had as strong as a need, but now I have two different pipelines and one doesnt have access to my auth data so I will need to one of these days. But for now Id just be grasping in the dark. Hopefully pd folks can fill in the gaps

@kindred wing as per description, it should be possible using dynamic auth section.

# dynamic secrets
dynamic:
    # A example dynamic login of Wordpress using REST API
  - template: /path/to/wordpress-login.yaml
    variables:
      - name: username
        value: pdteam
      - name: password
        value: nuclei-fuzz
    input: auth-server.projectdiscovery.io # optional input/target, not required if target is hardcoded in template
    # once login is successful, this can be used in below templatized static secret
    type: cookie
    domains:
        - .*wp.*projectdiscovery.io
    cookies:
      - raw: "{{wp-global-cookie}}"
      - raw: "{{wp-admin-cookie}}"
      - raw: "{{wp-plugin-cookie}}"

where /path/to/wordpress-login.yaml can you be your template to generate jwt token that you wanted to use with scan.

cc @fallow palm ^

You can also check out this blog about the feature here: https://blog.projectdiscovery.io/scanning-login-protected-targets-with-nuclei/

We're also writing a blog starting from 0 and figuring out auth for an application, creating the login.yml and then making it work with templates

So keep an eye out for that

I think this will be very useful for a lot of us

cool thanks, will also go through the documents shared. when i try to authenticate to auth server using a auth.yaml i am getiing invalid request 401 error, I used the -debug to find exact request and response. When i use the same exact request in burp or via curl it results in 200 and getting the token, how can I troubleshoot this

Could be something with the header or the user-agent or something

it was due to new line in the body request, understood when proxied through burp request 😓

hi @fallow palm @lyric hill

I read the article and tried the dynamic auth with below two config

dynamic:

• template: auth-template.yaml
  variables:
  • name: password
    value: [email protected]
  • name: username
    value: test
    type: bearertoken
    domains:
  • api2.test.com token: "{{jwt_token}}"

id: auth-template
info:
name: JWT Authentication
author: janedoe
severity: high
description: Authenticates using username and password to retrieve a JWT token.
requests:

• method: POST
  path:
  • "https://auth.test.com/auth/realms/global/protocol/openid-connect/token"
    headers:
    Host: auth.test.com
    User-Agent: nuclei
    Connection: close
    Accept: "/"
    Accept-Language: en
    Content-Type: application/x-www-form-urlencoded
    Origin: https://www.test.com
    Accept-Encoding: gzip
    body: client_id=login&grant_type=password&password={{password}}&username={{username}}
    matchers:
  • type: status
    status:
    • 200
      extractors:
  • type: regex
    name: jwt_token
    part: body
    regex:
    • '"access_token":"(.*?)"'

but I am getting unresolved variables found: password,username error when i scan this .

I am getting the access_token corretcly If I run auth-template.yaml without passing the variables. How can I troubleshoot this

Hi @lyric hill @fallow palm I tried the same memtioned in article https://blog.projectdiscovery.io/scanning-login-protected-targets-with-nuclei/ like this

nuclei -u https://localhost:8080 -t wordpress-login.yaml -sf secrets.yaml -debug -v

                 __     _

____ __ / / ()
/ __ / / / / / / _ / /
/ / / / // / // / __/ /
// //_,/_/_/_/_/ v3.2.7

    projectdiscovery.io

[VER] Started metrics server at localhost:9092
[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.2.7 (latest)
[INF] Current nuclei-templates version: v9.8.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[WRN] [wordpress-login] Could not make http request for https://localhost:8080: unresolved variables found: username,password
[INF] No results found. Better luck next time!

getting same error Could not make http request for https://localhost:8080: unresolved variables found: username,password

Please help

I guess this is the similar issue posted here https://github.com/projectdiscovery/nuclei/issues/4999

Looks like it

Thanks for the update. @lyric hill Since there is already a issue related to this. I wanted to know if it is possible for direct variable passing between templates in the workflow for the same scenario I tried.

@lyric hill Hello there, I have the same question, I want to scan with Authenticated scan but I get "unresolved variables found: username,password"