Skip to main content
Nuclei provides a comprehensive set of helper functions (also called DSL functions) that can be used in templates for data manipulation, transformation, validation, and computation. These functions are available in matchers, extractors, and variables.

String functions

to_lower(input)
string
Convert string to lowercase.
dsl:
  - "to_lower('HELLO') == 'hello'"
to_upper(input)
string
Convert string to uppercase.
dsl:
  - "to_upper('hello') == 'HELLO'"
contains(input, substring)
boolean
Check if string contains substring.
matchers:
  - type: dsl
    dsl:
      - "contains(body, 'admin')"
starts_with(input, prefix)
boolean
Check if string starts with prefix.
dsl:
  - "starts_with(header, 'HTTP/2')"
ends_with(input, suffix)
boolean
Check if string ends with suffix.
dsl:
  - "ends_with(body, '</html>')"
trim(input)
string
Remove leading and trailing whitespace.
dsl:
  - "trim('  hello  ') == 'hello'"
trim_prefix(input, prefix)
string
Remove prefix from string.
dsl:
  - "trim_prefix('www.example.com', 'www.') == 'example.com'"
trim_suffix(input, suffix)
string
Remove suffix from string.
extractors:
  - type: dsl
    name: domain
    dsl:
      - "trim_suffix(cname, '.vercel-dns.com')"
replace(input, old, new)
string
Replace all occurrences of old with new.
dsl:
  - "replace(body, 'http://', 'https://')"
len(input)
integer
Get length of string or array.
dsl:
  - "len(body) > 1000"
concat(str1, str2, ...)
string
Concatenate multiple strings.
dsl:
  - "concat('https://', host, ':', port)"

Encoding functions

base64(input)
string
Base64 encode string.
variables:
  encoded: "{{base64('admin:password')}}"
base64_decode(input)
string
Base64 decode string.
dsl:
  - "base64_decode('YWRtaW46cGFzc3dvcmQ=')"
urlencode(input)
string
URL encode string.
dsl:
  - "urlencode('<script>alert(1)</script>')"
urldecode(input)
string
URL decode string.
dsl:
  - "urldecode('%3Cscript%3E')"
html_escape(input)
string
HTML encode string.
dsl:
  - "html_escape('<img src=x>')"
html_unescape(input)
string
HTML decode string.
dsl:
  - "html_unescape('&lt;img&gt;')"
hex_encode(input)
string
Hex encode string.
dsl:
  - "hex_encode('admin')"
hex_decode(input)
string
Hex decode string.
dsl:
  - "hex_decode('61646d696e')"

Hashing functions

md5(input)
string
Calculate MD5 hash.
dsl:
  - "md5(body) == '5d41402abc4b2a76b9719d911017c592'"
sha1(input)
string
Calculate SHA1 hash.
dsl:
  - "sha1('password')"
sha256(input)
string
Calculate SHA256 hash.
dsl:
  - "sha256(body)"
sha512(input)
string
Calculate SHA512 hash.
dsl:
  - "sha512(input)"
mmh3(input)
string
Calculate MurmurHash3 hash.
dsl:
  - "mmh3(body)"

Regex functions

regex(pattern, input)
boolean
Check if input matches regex pattern.
dsl:
  - "regex('\\d+\\.\\d+\\.\\d+', body)"

Numeric functions

rand_int(min, max)
integer
Generate random integer between min and max.
variables:
  random_id: "{{rand_int(1000, 9999)}}"
unixtime()
integer
Get current Unix timestamp.
variables:
  timestamp: "{{unixtime()}}"

Random data functions

randstr(length)
string
Generate random alphanumeric string of specified length.
variables:
  nonce: "{{randstr(16)}}"
rand_text_alphanumeric(length)
string
Generate random alphanumeric text.
payloads:
  random: "{{rand_text_alphanumeric(10)}}"
rand_text_alpha(length)
string
Generate random alphabetic text.
variables:
  random_alpha: "{{rand_text_alpha(8)}}"
rand_text_numeric(length)
string
Generate random numeric text.
variables:
  random_num: "{{rand_text_numeric(6)}}"
rand_base64(length)
string
Generate random base64 encoded string.
variables:
  random_b64: "{{rand_base64(20)}}"

Response data functions

status_code
integer
HTTP response status code.
dsl:
  - "status_code == 200"
content_length
integer
HTTP response content length.
dsl:
  - "content_length > 1000"
duration
integer
Request duration in milliseconds.
dsl:
  - "duration < 500"
body
string
HTTP response body.
dsl:
  - "contains(body, 'success')"
header
map
HTTP response headers as map.
dsl:
  - "header['Server'] == 'nginx'"
all_headers
string
All HTTP response headers concatenated.
dsl:
  - "contains(tolower(all_headers), 'x-powered-by')"

Real-world examples

id: dsl-matcher-example

info:
  name: Complex DSL Matching
  author: pdteam
  severity: info

http:
  - method: GET
    path:
      - "{{BaseURL}}/package.json"
    
    matchers:
      - type: dsl
        condition: and
        dsl:
          - "contains(body, 'packages')"
          - "contains(tolower(all_headers), 'application/octet-stream')"
          - "status_code == 200"
          - "content_length < 100000"

Combining functions

Helper functions can be nested and combined: 
dsl:
  - "contains(to_lower(body), 'admin')"
  - "len(trim(header['Server'])) > 0"
  - "base64(to_upper(concat('user:', username)))"
  - "md5(base64_decode(cookie))"

Best practices

  1. Use appropriate functions - Choose the right function for the task (e.g., contains() vs regex())
  2. Chain functions efficiently - Combine functions to avoid multiple operations
  3. Validate before transforming - Check data exists before applying transformations
  4. Use case-insensitive comparisons - Apply to_lower() or to_upper() for reliable matching
  5. Cache expensive operations - Store computed values in variables
  6. Test DSL expressions - Verify complex DSL logic with known inputs
  7. Document complex logic - Add comments for non-obvious DSL expressions

Common patterns

Validate and extract

matchers:
  - type: dsl
    dsl:
      - "regex('[0-9]+\\.[0-9]+\\.[0-9]+', body)"

extractors:
  - type: dsl
    dsl:
      - "regex('[0-9]+\\.[0-9]+\\.[0-9]+', body)"

Normalize and compare

dsl:
  - "to_lower(trim(header['Server'])) == 'nginx'"

Multiple conditions

matchers:
  - type: dsl
    condition: and
    dsl:
      - "status_code >= 200 && status_code < 300"
      - "content_length > 0"
      - "duration < 1000"
      - "!contains(body, 'error')"

Hash-based detection

matchers:
  - type: dsl
    dsl:
      - "md5(body) == '5d41402abc4b2a76b9719d911017c592'"
      - "sha256(body) == 'known_malicious_hash'"

Performance considerations

Some helper functions are computationally expensive:
  • Hashing functions (md5, sha256, etc.) on large responses
  • Regex matching on entire response body
  • Multiple nested function calls
Use these judiciously and consider caching results in variables.

Function categories

  • to_lower, to_upper
  • contains, starts_with, ends_with
  • trim, trim_prefix, trim_suffix
  • replace, concat, len

Matchers

Using DSL in matchers

Extractors

Using DSL in extractors

Variables

Computing variables

Flow Control

JavaScript vs DSL

Build docs developers (and LLMs) love

Get started for freeTalk to us