Skip to main content
JavaScript protocol templates allow you to write custom protocol logic using Nuclei’s JavaScript runtime, enabling complex interactions with services that don’t fit standard protocols.

Basic JavaScript request

id: basic-javascript

info:
  name: Basic JavaScript Protocol
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/ssh");
      var c = m.SSHClient();
      var response = c.ConnectSSHInfoMode(Host, Port);
      to_json(response);
    
    args:
      Host: "{{Host}}"
      Port: "22"
    
    extractors:
      - type: json
        json:
          - '.ServerID.Raw'

JavaScript components

Code

code
string
required
JavaScript code to execute. Has access to Nuclei’s built-in libraries.
javascript:
  - code: |
      var result = "Hello from JavaScript";
      to_json({message: result});

Arguments

args
object
Arguments passed to the JavaScript code. Can use template variables.
javascript:
  - code: |
      Host;  // Accessible as variable
      Port;  // Accessible as variable
    args:
      Host: "{{Host}}"
      Port: "{{Port}}"

Init

init
string
Initialization code executed once during template compilation.
javascript:
  - init: |
      var payloads = [];
      for (var i = 0; i < 10; i++) {
        payloads.push("payload" + i);
      }
    
    code: |
      // Use payloads array here
      to_json({count: payloads.length});

Pre-condition

pre-condition
string
JavaScript expression evaluated before running the template.
javascript:
  - pre-condition: |
      Port == 22 || Port == 2222
    
    code: |
      // Only runs if pre-condition is true

Available libraries

Nuclei provides JavaScript libraries for common protocols:

SSH library

id: ssh-fingerprint

info:
  name: SSH Server Fingerprint
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/ssh");
      var c = m.SSHClient();
      var response = c.ConnectSSHInfoMode(Host, Port);
      to_json(response);
    
    args:
      Host: "{{Host}}"
      Port: "22"
    
    extractors:
      - type: json
        name: ssh_version
        json:
          - '.ServerID.Raw'

VNC library

id: vnc-detection

info:
  name: VNC Service Detection
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/vnc");
      var c = m.VNCClient();
      var response = c.GetServerInfo(Host, Port);
      to_json(response);
    
    args:
      Host: "{{Host}}"
      Port: "5900"

Network library

id: tcp-connect

info:
  name: TCP Connection Test
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/net");
      var c = m.Open("tcp", Host + ":" + Port);
      c.Send("PING\\n");
      var response = c.RecvString();
      to_json({response: response});
    
    args:
      Host: "{{Host}}"
      Port: "8080"

Example: Redis password brute force

id: redis-brute

info:
  name: Redis Password Brute Force
  author: pdteam
  severity: high

javascript:
  - code: |
      var m = require("nuclei/redis");
      var c = m.RedisClient();
      var result = c.Connect(Host, Port, Password);
      to_json(result);
    
    args:
      Host: "{{Host}}"
      Port: "6379"
      Password: "{{password}}"
    
    payloads:
      password:
        - admin
        - password
        - redis
        - 123456
    
    threads: 5
    
    matchers:
      - type: word
        words:
          - '"connected":true'

Example: MySQL connection test

id: mysql-connect

info:
  name: MySQL Connection Test
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/mysql");
      var c = m.MySQLClient();
      var info = c.GetServerInfo(Host, Port);
      to_json(info);
    
    args:
      Host: "{{Host}}"
      Port: "3306"
    
    extractors:
      - type: json
        json:
          - '.Version'
          - '.Protocol'

Example: PostgreSQL detection

id: postgres-detect

info:
  name: PostgreSQL Server Detection
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/postgres");
      var c = m.PGClient();
      var info = c.Connect(Host, Port, Username, Password);
      to_json(info);
    
    args:
      Host: "{{Host}}"
      Port: "5432"
      Username: "postgres"
      Password: ""

Multi-port testing

id: multi-port-service

info:
  name: Multi-Port Service Detection
  author: pdteam
  severity: info

javascript:
  - code: |
      var m = require("nuclei/net");
      var c = m.Open("tcp", Host + ":" + Port);
      var response = c.RecvString();
      to_json({port: Port, banner: response});
    
    args:
      Host: "{{Host}}"
      Port: "{{port}}"
    
    payloads:
      port:
        - 21
        - 22
        - 23
        - 25
        - 80
        - 443
    
    threads: 10

JavaScript matchers

matchers:
  # Word matcher
  - type: word
    words:
      - '"success":true'
  
  # JSON matcher
  - type: json
    json:
      - '.connected == true'
  
  # DSL matcher
  - type: dsl
    dsl:
      - 'contains(response, "admin")'

JavaScript extractors

extractors:
  # JSON extractor
  - type: json
    name: server_version
    json:
      - '.version'
      - '.build'
  
  # Regex extractor
  - type: regex
    name: banner
    regex:
      - '"banner":"(.+?)"'
    group: 1

Next steps

Code protocol

Execute external code

File protocol

Local file scanning

Build docs developers (and LLMs) love

Get started for freeTalk to us