Securing Nuclei #4269
Replies: 2 comments
-
We appreciate the concern for how to stay safe; that's the type of attitude that makes the internet safer for everyone. I think I can answer one of your questions: If you're worried about malicious templates being pushed, you can always wait to run new templates until you've had time to vet them. That way, you know exactly what the templates that are running are capable of. Additionally, you can avoid running a scan with all templates and only run templates you approve by creating a custom workflow that uses only specified templates (https://docs.nuclei.sh/template-guide/workflows). That's a small step that ensures that you're only running the templates your team approves of.
-
@AgoraSecurity,
Additionally, template signing & verification can also be used for a whitelisting approach to allow templates. Since Nuclei is primarily built as a CLI, there are various details to consider when using Nuclei as a service. This is why we have the ProjectDiscovery Cloud Platform. This cloud platform includes an API for scanning, among other things. Therefore, it might be beneficial to explore the ProjectDiscovery Cloud Platform first.
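The vetting approach both replies describe (run only templates your team has reviewed, and refuse to run anything that changed since review) as an added example; this script is not part of the discussion or of Nuclei itself, and the allowlist file name, the `NUCLEI_TARGETS` variable and the script layout are assumptions:

```shell
#!/bin/sh
# Added example (not from the discussion or from Nuclei): only scan with
# templates whose sha256 still matches a reviewed allowlist, so a template
# that was tampered with or auto-updated since review is never executed.
set -eu

# Allowlist format, one template per line: "<sha256>  <path>" (the layout
# `sha256sum` prints). Regenerate it only after a human reviews the template.
ALLOWLIST="${ALLOWLIST:-approved-templates.sha256}"   # assumed file name

# sha256 of one file, portable across GNU sha256sum and BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if every allowlisted template exists and matches its reviewed
# hash; report each missing or modified file so the run fails closed and loudly.
verify_approved_templates() {
  allowlist="$1"
  status=0
  while read -r expected path; do
    [ -n "$path" ] || continue                      # skip blank lines
    if [ ! -f "$path" ]; then
      echo "MISSING  $path" >&2; status=1; continue
    fi
    if [ "$(sha256_of "$path")" != "$expected" ]; then
      echo "MODIFIED $path" >&2; status=1
    fi
  done < "$allowlist"
  return "$status"
}

# Run Nuclei with exactly the allowlisted templates (-t takes a comma-separated
# list) and the self-update check disabled; extra arguments pass through.
run_vetted_scan() {
  allowlist="$1"; shift
  verify_approved_templates "$allowlist" || { echo "refusing to scan" >&2; return 1; }
  templates=$(awk 'NF { print $2 }' "$allowlist" | paste -sd, -)
  nuclei -disable-update-check -t "$templates" "$@"
}

# Entry point for the daily job; NUCLEI_TARGETS is an assumed variable name.
if [ -n "${NUCLEI_TARGETS:-}" ]; then
  run_vetted_scan "$ALLOWLIST" -l "$NUCLEI_TARGETS"
fi
```

Template paths in the allowlist must not contain spaces, and the allowlist itself should live in version control so every change to it is reviewed like code.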
-
Hello!
I plan to use Nuclei as an internal service doing regular scans (daily, for example).
I have a concern that this service will be very powerful since it will require access to every service it plans to scan.
If an attacker compromises this service (or the Nuclei binaries get compromised, a malicious template gets pushed, etc.),
how can I secure it?
I read about the Template Signing & Verification.
What additional steps can I take to reduce the risk this new service will represent?