Matchers
Matchers allow different types of flexible comparisons on protocol responses. They are what make nuclei so powerful: checks are very simple to write, and multiple checks can be added as needed for very effective scanning.

Types
Multiple matchers can be specified in a request. There are basically 7 types of matchers:

| Matcher Type | Part Matched |
|---|---|
| status | Integer Comparisons of Part |
| size | Content Length of Part |
| word | Part for a protocol |
| regex | Part for a protocol |
| binary | Part for a protocol |
| dsl | Part for a protocol |
| xpath | Part for a protocol |
Response parts that can be matched (the Example column shows DSL expressions):

| Response Part | Description | Example |
|---|---|---|
| content_length | Content-Length Header | content_length >= 1024 |
| status_code | Response Status Code | status_code==200 |
| all_headers | Unique string containing all headers | len(all_headers) |
| body | Body as string | len(body) |
| header_name | Lowercase header name with - converted to _ | len(user_agent) |
| raw | Headers + Response | len(raw) |
Conditions
Multiple words and regexes can be specified in a single matcher and can be configured with different conditions like AND and OR.

- AND - Using the AND condition requires all the words from the matcher's word list to match. The request is marked as successful only when every word has been matched.
- OR - Using the OR condition requires only a single word from the matcher's word list to match. The request is marked as successful as soon as any one of the words is matched.
Matched Parts
Multiple parts of the response can also be matched for the request; the default matched part is body if not defined.
Example matchers for HTTP response body using the AND condition:
Negative Matchers
All types of matchers also support negative conditions, mostly useful when you look for a match with exclusions. This can be used by adding negative: true in the matchers block.
Here is an example syntax using the negative condition; this will return all the URLs not having PHPSESSID in the response header.
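As an added example (not taken from the original page or from the nuclei-templates project), the following template fragment combines the AND condition from the Matched Parts section with the negative matcher just described. The template id, author, and request path are assumed placeholders; `matchers-condition: and` makes every matcher in the list mandatory.

```yaml
id: example-matchers   # placeholder id, constructed for this example

info:
  name: Example matchers (AND condition, parts, negative)
  author: example-author   # placeholder, not a real template author
  severity: info

http:
  - method: GET
    path:
      - "{{BaseURL}}/login"   # assumed path, chosen only for illustration

    # Every matcher below must succeed for the request to count as a match.
    matchers-condition: and
    matchers:
      # Word matcher on the body: both words must be present (AND condition).
      - type: word
        part: body
        words:
          - "username"
          - "password"
        condition: and

      # Status matcher: integer comparison against the response status code.
      - type: status
        status:
          - 200

      # Negative matcher on the headers: succeeds only when PHPSESSID is absent,
      # so responses that set a PHPSESSID cookie are excluded from the results.
      - type: word
        part: header
        words:
          - "PHPSESSID"
        negative: true
```

Dropping `matchers-condition` falls back to OR across the matcher list, so any single matcher succeeding would mark the request as matched.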