Custom Rules Reference
APICustomRule¶
Objects¶
APIExtractor¶
APILogicalAndDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
and* | List[APILogicalAndDetector,APILogicalNotDetector,APILogicalOrDetector,FingerprintCountDetector,FingerprintsSameDetector,HelpersRequestCrudDetector,HelpersResponseIsSuccessfulDetector,JSONMatchesAllDetector,JSONMatchesCountDetector,RegexMatchesAllDetector,RegexMatchesCountDetector,RequestBodyJSONDetector,RequestBodyTextDetector,RequestHeadersDetector,RequestIsAuthenticatedDetector,RequestMethodDetector,RequestObjectDetector,RequestUserDetector,ResponseBodyJSONDetector,ResponseBodyTextDetector,ResponseDurationDetector,ResponseHeadersDetector,ResponseObjectDetector,ResponseStatusCodeDetector,ScanTypeDetector,SchemaNeedAuthenticationDetector,SchemaPathRefDetector,SchemaUrlDetector,VariableDefinedDetector] | | Logical and on a list of detectors |
if* | Const[and] | and | Use this to apply a logical and on a list of detectors. |

Example:

```yaml
detect:
  - if: and
    and:
      - if: helpers.request.crud
        in:
          - CREATE
          - UPDATE
      - if: response.status_code
        is: 200
```
APILogicalNotDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[not] | not | Use this to apply a logical not on a detector. |
not | APILogicalAndDetector, APILogicalNotDetector, APILogicalOrDetector, FingerprintCountDetector, FingerprintsSameDetector, HelpersRequestCrudDetector, HelpersResponseIsSuccessfulDetector, JSONMatchesAllDetector, JSONMatchesCountDetector, RegexMatchesAllDetector, RegexMatchesCountDetector, RequestBodyJSONDetector, RequestBodyTextDetector, RequestHeadersDetector, RequestIsAuthenticatedDetector, RequestMethodDetector, RequestObjectDetector, RequestUserDetector, ResponseBodyJSONDetector, ResponseBodyTextDetector, ResponseDurationDetector, ResponseHeadersDetector, ResponseObjectDetector, ResponseStatusCodeDetector, ScanTypeDetector, SchemaNeedAuthenticationDetector, SchemaPathRefDetector, SchemaUrlDetector, VariableDefinedDetector | null | Logical not of a detector |

Example:

```yaml
detect:
  - if: not
    not:
      if: response.status_code
      is: 200
```
APILogicalOrDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[or] | or | Use this to apply a logical or on a list of detectors. |
or* | List[APILogicalAndDetector,APILogicalNotDetector,APILogicalOrDetector,FingerprintCountDetector,FingerprintsSameDetector,HelpersRequestCrudDetector,HelpersResponseIsSuccessfulDetector,JSONMatchesAllDetector,JSONMatchesCountDetector,RegexMatchesAllDetector,RegexMatchesCountDetector,RequestBodyJSONDetector,RequestBodyTextDetector,RequestHeadersDetector,RequestIsAuthenticatedDetector,RequestMethodDetector,RequestObjectDetector,RequestUserDetector,ResponseBodyJSONDetector,ResponseBodyTextDetector,ResponseDurationDetector,ResponseHeadersDetector,ResponseObjectDetector,ResponseStatusCodeDetector,ScanTypeDetector,SchemaNeedAuthenticationDetector,SchemaPathRefDetector,SchemaUrlDetector,VariableDefinedDetector] | | Logical or on a list of detectors |

Example:

```yaml
detect:
  - if: or
    or:
      - if: helpers.request.crud
        in:
          - CREATE
          - UPDATE
      - if: response.status_code
        is: 200
```
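The entries of a top-level `detect` list are combined with an implicit and, so a rule that needs an alternative has to nest the logical detectors. The following is an added example, not a rule from the original page: it flags a state-changing request that the API accepted although the caller was either unauthenticated or not one of the privileged users. The user names `admin` and `superuser` are assumptions and must match users configured in the scan's authentication settings.

```yaml
# Added example, not from the original page. User names are assumptions.
detect:
  - if: and
    and:
      # Only look at state-changing operations
      - if: helpers.request.crud
        in: [CREATE, UPDATE, DELETE]
      # ...made by an unprivileged caller: no authentication at all,
      # or a user outside the assumed admin set
      - if: or
        or:
          - if: request.is_authenticated
            is: false
          - if: not
            not:
              if: request.user
              in: [admin, superuser]   # assumed scan users
      # ...that the API nevertheless accepted
      - if: helpers.response.is_successful
        is: true
alert:
  name: State-changing request accepted from an unprivileged caller
  context: A CREATE, UPDATE or DELETE returned 2xx although the request was unauthenticated or sent as a non-admin user
  severity: HIGH
```

Without the `not` wrapper the `in` list would have to be inverted by hand into an `is_not` per privileged user, and adding a second `or` branch later (for example a `request.headers` check on an internal-only header) would not be expressible in the flat list at all.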
AlertModel¶
| Property | Type | Default | Description |
|---|---|---|---|
category | CustomRuleCategory | CUSTOM | Category of the alert |
compliance | Compliance | null | Compliance standards violated by this alert |
context* | string | | Context of the alert |
description | string | null | Description of the alert |
name* | string | | Name of the alert |
remediation | string | null | Remediation of the alert |
severity* | CustomRuleSeverity | | Severity of the alert |
BaseStringMutate¶
| Property | Type | Default | Description |
|---|---|---|---|
regex_replace | RegexReplace | null | Regex replace pattern. |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
value | string | null | The value to set. |
values | List[string] | null | The values to set, generates multiple queries. |
Compliance¶
| Property | Type | Default | Description |
|---|---|---|---|
cra | string | null | |
cwe | string | null | |
dora | string | null | |
fedramp | string | null | |
gdpr | string | null | |
hipaa | string | null | |
hitrust_csf | string | null | |
iec62443 | string | null | |
iso27001 | string | null | |
mitre_attack | string | null | |
nis2 | string | null | |
nist | string | null | |
owasp | string | null | |
owasp_asvs | string | null | |
owasp_llm | string | null | |
pci-dss | string | null | |
psd2 | string | null | |
soc2 | string | null | |
wasc | string | null |
CurlSeeder¶
| Property | Type | Default | Description |
|---|---|---|---|
curl* | string | | The curl command to use for the request. |
protocol* | Const[curl] | curl | The Curl Seeder allows you to inject requests using curl command syntax at scan start. Format: a standard curl command. Timing: runs at scan start (with hotstart). Binding: only runs when the custom rule is enabled. |
user | string | null | The user to use for the request. If not provided, the request is sent without authentication. |

When to use:

- You have a working curl command
- Quick prototyping
- Converting from browser/Postman exports
- Complex requests you've already tested

Basic example:

```yaml
seed:
  - protocol: curl
    curl: 'curl https://example.com/api/users'
```

POST with data:

```yaml
seed:
  - protocol: curl
    user: admin
    curl: 'curl -X POST https://example.com/api/users -H "Content-Type: application/json" -d ''{"name": "John Doe"}'''
```

With headers:

```yaml
seed:
  - protocol: curl
    curl: 'curl https://example.com/api/data -H "X-API-Key: test123" -H "X-Custom: value"'
```

From browser/Postman (most browsers and Postman can export a request as curl; copy it and use it directly):

```yaml
seed:
  - protocol: curl
    user: admin
    curl: 'curl ''https://api.example.com/graphql'' -H ''Content-Type: application/json'' --data-raw ''{"query":"{ users { id name } }"}'''
```

Common use cases:

- Quick testing of known endpoints
- Import from browser developer tools
- Reuse existing curl scripts
- Prototype before converting to REST format

Tip: export curl from browser DevTools (Network tab → right-click → Copy as cURL) for the fastest setup.
CustomRuleID¶
| Property | Type | Default | Description |
|---|---|---|---|
FingerprintCountDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
gt | integer | null | Condition is greater than this integer |
if* | Const[helpers.fingerprints.count] | helpers.fingerprints.count | Use this to select and compare the count of unique fingerprints of the current and original response. |
in | List[integer] | null | Condition is in this list of integers (exact match) |
is | integer | null | Condition is this exact integer |
is_not | integer | null | Condition is not this exact integer |
lt | integer | null | Condition is less than this integer |
FingerprintsSameDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[helpers.fingerprints.same] | helpers.fingerprints.same | Use this to determine whether the current and original responses have the same fingerprint. |
is | boolean | null | Condition is true |
is_not | boolean | null | Condition is false |
HTTPRAWSeeder¶
| Property | Type | Default | Description |
|---|---|---|---|
protocol* | Const[http] | http | The RAW HTTP Seeder allows you to inject custom HTTP requests at the start of the scan using raw HTTP format. Format: Nuclei-style raw HTTP requests with the @Host directive. Timing: runs at scan start (with hotstart). Binding: only runs when the custom rule is enabled. |
raw* | string | | The raw HTTP request in Nuclei format. |
user | string | null | The user to use for the request. If not provided, the request is sent without authentication. |

When to use:

- Full control over the request format
- Custom or non-standard headers
- Testing external hosts (environment isolation)
- Complex HTTP requests

Basic example:

```yaml
seed:
  - protocol: http
    raw: |
```
HelpersRequestCrudDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[helpers.request.crud] | helpers.request.crud | Use this to select against the detected CRUD operation of the request. |
in | List[CustomRuleCrud] | null | Condition is the request is in this list of CRUD operations (exact match) |
is | CustomRuleCrud | null | Condition is the request is this CRUD operation |
is_not | CustomRuleCrud | null | Condition is the request is not this CRUD operation |

Example:

```yaml
detect:
  - if: helpers.request.crud
    in:
      - CREATE
      - UPDATE
```
HelpersResponseIsSuccessfulDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[helpers.response.is_successful] | helpers.response.is_successful | Use this to check whether the response is successful, i.e. its status code is between 200 and 299. Matcher type: BooleanMatcher. Available operators: is, is_not. Valid values: true, false. |
is | boolean | null | Condition is true |
is_not | boolean | null | Condition is false |

Basic examples:

```yaml
# Match successful responses
detect:
  - if: helpers.response.is_successful
    is: true
```

```yaml
# Match failed responses
detect:
  - if: helpers.response.is_successful
    is: false
```

Common use cases:

- Verify that mutations succeeded
- Detect unauthorized access that returned success
- Check whether a payload bypassed validation
- Combined with response.duration_ms, detect timing-based behaviour (a successful response that is noticeably faster or slower)

Combine with other detectors:

```yaml
# Unauthenticated mutation succeeded
detect:
  - if: helpers.request.crud
    is_not: READ
  - if: request.is_authenticated
    is: false
  - if: helpers.response.is_successful
    is: true
```
JSONMatchesAllDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[helpers.json_matches.all] | helpers.json_matches.all | Use this to determine whether both the current and the original response contain the same JSON fragment. |
is | boolean | null | Condition is true |
is_not | boolean | null | Condition is false |
jq | string | | Use this to select the exact JSON you want to compare between the current and the original response. |
JSONMatchesCountDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
gt | integer | null | Condition is greater than this integer |
if* | Const[helpers.json_matches.count] | helpers.json_matches.count | Use this to count the number of times a JSON match is in the current and original response. |
in | List[integer] | null | Condition is in this list of integers (exact match) |
is | integer | null | Condition is this exact integer |
is_not | integer | null | Condition is not this exact integer |
jq | string | | Use this to select the exact JSON you want to compare between the current and the original response. |
lt | integer | null | Condition is less than this integer |
Middleware¶
ObjectMatcher¶
| Property | Type | Default | Description |
|---|---|---|---|
name | StringMatcher | null | Object scalar name to match |
type | ObjectTypeMatcher | null | Object scalar type to match |
value | StringMatcher | null | Object scalar value to match |
ObjectTypeMatcher¶
| Property | Type | Default | Description |
|---|---|---|---|
in | List[OBJECT_TYPE] | null | Object type is in the following list |
is | OBJECT_TYPE | null | Object type is exactly this type |
is_not | OBJECT_TYPE | null | Object type is any type except this one |
RESTSeeder¶
| Property | Type | Default | Description |
|---|---|---|---|
body | string | null | The body to use for the request. |
headers | Dict[string, string] | null | The headers to use for the request. The key is the header name and the value is the header value. |
method | HTTPMethod | null | The method to use for the request. |
params | Dict[string, string] | null | Query parameters to use for the request. The key is the parameter name and the value is the parameter value. |
path | string | null | The path to use for the request. |
protocol* | Const[rest] | rest | The REST Seeder allows you to inject REST API requests at scan start with automatic host adaptation. Format: structured REST parameters (path, method, headers, body, params). Timing: runs at scan start (with hotstart). Binding: only runs when the custom rule is enabled. Auto-fill: host and scheme are set automatically from the scan target. |
user | string | null | The user to use for the request. If not provided, the request is sent without authentication. |

When to use:

- Standard REST API endpoints
- Simple parameter passing
- Automatic host/scheme from the scan target
- Quick endpoint testing

Basic example:

```yaml
seed:
  - protocol: rest
    path: /api/users
    method: GET
```

POST with body:

```yaml
seed:
  - protocol: rest
    path: /api/users
    method: POST
    headers:
      Content-Type: application/json
    body: '{"name": "John Doe", "email": "john@example.com"}'
    user: admin
```

With query parameters (values are strings, so quote numbers):

```yaml
seed:
  - protocol: rest
    path: /api/search
    method: GET
    params:
      q: admin
      limit: '100'
    user: regular_user
```

Test a debug endpoint:

```yaml
seed:
  - protocol: rest
    path: /api/debug/info
    method: GET
detect:
  - if: helpers.response.is_successful
    is: true
  - if: response.body.json
    jq: '.debug_mode == true or .secrets != null'
alert:
  name: Debug Endpoint Exposed
  severity: MEDIUM
```

Create test data:

```yaml
seed:
  - protocol: rest
    path: /api/products
    method: POST
    user: admin
    body: '{"name": "Test Product", "price": 0.01}'
detect:
  - if: helpers.response.is_successful
    is: true
```

Tip: this is the easiest seeder for standard REST endpoints. The host is filled in automatically from your scan configuration.
RegexMatchesAllDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[helpers.regex_matches.all] | helpers.regex_matches.all | Use this to determine whether both the current and the original response match the same regular expression. |
is | boolean | null | Condition is true |
is_not | boolean | null | Condition is false |
regex | string | | Condition is matched on this regex with fullmatch |
RegexMatchesCountDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
gt | integer | null | Condition is greater than this integer |
if* | Const[helpers.regex_matches.count] | helpers.regex_matches.count | Use this to count the number of times a regex match is in the current and original response. |
in | List[integer] | null | Condition is in this list of integers (exact match) |
is | integer | null | Condition is this exact integer |
is_not | integer | null | Condition is not this exact integer |
lt | integer | null | Condition is less than this integer |
regex | string | | Condition is matched on this regex with fullmatch |
RegexReplace¶
| Property | Type | Default | Description |
|---|---|---|---|
pattern* | string | | The regex pattern to match. |
replacement* | string | | The replacement; use \1, \2, ... to refer to capture groups. |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
RequestArgument¶
| Property | Type | Default | Description |
|---|---|---|---|
accept_null | boolean | false | Whether the extractor should accept null values or not. |
can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
jq | string | null | JQ query to apply to the JSON body. See stedolan.github.io |
key* | Const[request.argument] | request.argument | You can use this extractor to extract an argument from the request body as a variable. |
scalars | List[string] | null | Scalars the argument has to match to be extracted |
variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

Example: extract the request argument value if it matches one of the given scalars and store it in the variable arg.

```yaml
extractors:
  extract:
    - key: request.argument
      variable: 'arg'
      scalars:
        - id
        - uuid
```

Example: extract the user ID sent in a request body JSON and store it in the variable arg.

```yaml
extractors:
  extract:
    - key: request.argument
      variable: 'arg'
      jq: '.user.id'
```
RequestBodyJSONDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[request.body.json] | request.body.json | Use this to select and compare the request body when it is detected as JSON, using jq-like syntax. |
in | List[Union[Dict[string, object], List[object]]] | null | Condition is in this list of JSON |
is | Union[Dict[string, object], List[object]] | null | Condition is this exact JSON |
is_not | Union[Dict[string, object], List[object]] | null | Condition is not this exact JSON |
jq | string | null | JQ query to match and use as a boolean. If use_extraction is true, only this attribute is parsed (if set). |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

Example 1:

```yaml
detect:
  - if: request.body.json
    is:
      id: 42
```

Example 2 (jq string literals are double-quoted, so the role is compared to the string "admin"):

```yaml
detect:
  - if: request.body.json
    jq: '.role == "admin"'
```
RequestBodyJSONMutator¶
| Property | Type | Default | Description |
|---|---|---|---|
jq | string | null | JQ query to apply to the JSON body. See stedolan.github.io |
key* | Const[request.body.json] | request.body.json | Use this mutator to transform the JSON body of the request using JQ queries. Transformation language: JQ (see stedolan.github.io). |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

Basic transformation:

```yaml
transform:
  trigger:
    - if: request.body.json
      jq: '.role != null'
  mutate:
    - key: request.body.json
      jq: '. |
```
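A complete rule built on this mutator, added here as an example and not taken from the original page: a mass-assignment probe. Every CREATE or UPDATE sent by a non-admin user is replayed with privileged attributes merged into its JSON body, and the rule alerts when the API accepts the write and echoes the elevated role back. The attribute names `role` and `is_admin` and the user name `admin` are assumptions about the target API and scan configuration.

```yaml
# Added example, not from the original page. "role", "is_admin" and the
# user name "admin" are assumptions about the target API.
transform:
  trigger:
    # Only state-changing requests...
    - if: helpers.request.crud
      in: [CREATE, UPDATE]
    # ...sent by a caller who must not be able to grant themselves privileges
    - if: request.user
      is_not: admin
    # ...whose body is a JSON object we can merge extra keys into
    - if: request.body.json
      jq: 'type == "object"'
  mutate:
    # jq object addition keeps every original key and adds the injected ones
    - key: request.body.json
      jq: '. + {"role": "admin", "is_admin": true}'
detect:
  # The server accepted the write...
  - if: helpers.response.is_successful
    is: true
  # ...and reflects the elevated attributes, so they were not stripped
  - if: response.body.json
    jq: '.role == "admin" or .is_admin == true'
alert:
  name: Mass assignment lets a non-admin set privileged attributes
  context: A CREATE/UPDATE sent as a non-admin user with injected role fields was accepted and the response echoes the elevated role
  severity: HIGH
  compliance:
    cwe: CWE-915
```

The second detector is what keeps the rule honest: a 2xx alone proves nothing, because a well-behaved API silently drops unknown fields and still returns success. The trade-off is a false negative on APIs that never echo the object; for those, a follow-up READ of the created resource is needed to observe the stored role.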
RequestBodyTextDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
contains | string | null | Contains this string |
if* | Const[request.body.text] | request.body.text | Use this to select and compare the request body as text, using string comparison. |
in | List[string] | null | Condition is in this list (exact match) |
is | string | null | Condition is this exact string |
is_not | string | null | Condition is not this exact string |
regex | string | null | Condition is matched on this regex with fullmatch |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

Example:

```yaml
detect:
  - if: request.body.text
    contains: 'password='
```
RequestBodyTextMutator¶
| Property | Type | Default | Description |
|---|---|---|---|
key* | Const[request.body.text] | request.body.text | You can use this mutator to change the body (as text) of the request before resending it. |
regex_replace | RegexReplace | null | Regex replace pattern. |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
value | string | null | The value to set. |
values | List[string] | null | The values to set, generates multiple queries. |

Example:

```yaml
transform:
  trigger:
    - if: request.body.text
      contains: 'hello'
  mutate:
    - key: request.body.text
      values:
        - 'injection 1'
        - 'injection 2'
        - 'injection 3'
```
RequestCookieExtractor¶
| Property | Type | Default | Description |
|---|---|---|---|
accept_null | boolean | false | Whether the extractor should accept null values or not. |
can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
key* | Const[request.cookies] | request.cookies | You can use this extractor to extract variables from the request cookies. |
name* | string | | Cookie name to extract from |
variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

Example: extract a session cookie sent in the request (Cookie header) and store it in the variable session.

```yaml
extractors:
  trigger:
    - if: response.status_code
      is: 200
  extract:
    - key: request.cookies
      name: 'session'
      variable: 'session'
```
RequestHeadersDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[request.headers] | request.headers | Use this to select and compare the request headers as a key/value dictionary. |
key | StringMatcher | null | Key to match |
value | StringMatcher | null | Value to match |

Example:

```yaml
detect:
  - if: request.headers
    key:
      is: 'X-OPERATION'
    value:
      is: 'PAY'
```
RequestHeadersMutator¶
| Property | Type | Default | Description |
|---|---|---|---|
delete | boolean | null | Delete the matched headers. |
key* | Const[request.headers] | request.headers | You can use this mutator to change the headers of the request before resending it. |
name* | string | | The header name to match, supports regex. |
regex_replace | RegexReplace | null | Regex replace pattern. |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
value | string | null | The value to set. |
values | List[string] | null | The values to set, generates multiple queries. |

Example:

```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.headers
      name: X-API-version
      value: 'APIV2'
```
RequestIsAuthenticatedDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[request.is_authenticated] | request.is_authenticated | Use this to select whether or not the request is authenticated. |
is | boolean | null | Condition is true |
is_not | boolean | null | Condition is false |

Example:

```yaml
detect:
  - if: request.is_authenticated
    is: true
```
RequestMethodDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[request.method] | request.method | Use this to select against the request HTTP method. |
in | List[HTTPMethod] | null | Condition is the request method is in this list of HTTP methods (exact match) |
is | HTTPMethod | null | Condition is the request method is this HTTP method |
is_not | HTTPMethod | null | Condition is the request method is not this HTTP method |

Example:

```yaml
detect:
  - if: request.method
    is: OPTIONS
```
RequestMethodMutator¶
| Property | Type | Default | Description |
|---|---|---|---|
key* | Const[request.method] | request.method | Use this mutator to change the HTTP method of the request before resending it. Valid HTTP methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD, TRACE. |
value | HTTPMethod | null | The value to set. |
values | List[HTTPMethod] | null | The values to set, generates multiple queries. |

Single method mutation:

```yaml
transform:
  trigger:
    - if: request.method
      is: GET
  mutate:
    - key: request.method
      value: DELETE
```

Multiple methods (fuzzing), one request per method:

```yaml
transform:
  trigger:
    - if: helpers.response.is_successful
      is: true
  mutate:
    - key: request.method
      values: [POST, PUT, DELETE, PATCH]
```

Common use cases:

- Test for method override vulnerabilities
- Force mutation operations (CREATE → DELETE)
- Test whether GET can perform mutations
- Verify method-based authorization

Typical pattern, test unauthorized deletion:

```yaml
transform:
  trigger:
    - if: helpers.request.crud
      is: CREATE
    - if: request.user
      is_not: admin
  mutate:
    - key: request.method
      value: DELETE
detect:
  - if: helpers.response.is_successful
    is: true
alert:
  name: Unauthorized Deletion via Method Override
  severity: HIGH
```
RequestObjectDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[request.object] | request.object | Use this to select and compare the detected object scalars (including custom scalars) in the request, with their kind, name and value. |
name | StringMatcher | null | Object scalar name to match |
type | ObjectTypeMatcher | null | Object scalar type to match |
value | StringMatcher | null | Object scalar value to match |

Example:

```yaml
detect:
  - if: request.object
    type:
      in:
        - email
        - phone
        - street_address
```
RequestObjectMutator¶
| Property | Type | Default | Description |
|---|---|---|---|
key* | Const[request.object] | request.object | Use this mutator to rewrite the detected object scalars (including custom scalars) in the request, selected by their kind, name and value. |
mutate* | BaseStringMutate | | The mutation applied to every selected scalar. |
select* | ObjectMatcher | | The matcher that selects which scalars to mutate. |

Example:

```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.object
      select:
        type:
          is: email
        name:
          is: 'admin_email'
        value:
          regex: .*@escape.tech
      mutate:
        regex_replace:
          pattern: (.*)@escape.tech
          replacement: \1@attacker.com
```
RequestUserDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
contains | string | null | Contains this string |
if* | Const[request.user] | request.user | Use this to match the configured authentication user for the request.Matcher Type: StringMatcher**Available Operators:** is, is_not, in, containsValues: User names from your scan authentication configurationThe user name must match what you configured in your scan authentication settings.### Basic Examplesyaml# Match specific userdetect: - if: request.user is: admin# Exclude admindetect: - if: request.user is_not: admin# Match any privileged userdetect: - if: request.user in: [admin, superuser, moderator]### Common Use Cases- Test authorization boundaries- Ensure non-admin users can't access admin endpoints- Verify privilege escalation isn't possible- Different behavior based on user role### Typical Patternsyaml# Non-admin delete succeeded (authorization issue)detect: - if: helpers.request.crud is: DELETE - if: request.user is_not: admin - if: helpers.response.is_successful is: true |
in | List[string] | null | Condition is in this list (exact match) |
is | string | null | Condition is this exact string |
is_not | string | null | Condition is not this exact string |
regex | string | null | Condition is matched on this regex with fullmatch |
use_extraction | boolean | false | If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing. |
RequestUserMutator¶
| Property | Type | Default | Description |
|---|---|---|---|
drop_user | boolean | null | Remove the user authentication from the request. |
key* | Const[request.user] | request.user | Use this mutator to change the authenticated user of the request before resending it.User Values: Must match user names from your scan authentication configuration.### Change Useryamltransform: trigger: - if: request.user is: regular_user mutate: - key: request.user value: admin### Remove Authenticationyamltransform: trigger: - if: request.is_authenticated is: true mutate: - key: request.user drop_user: true### Test Multiple Users (Fuzzing)yamltransform: trigger: - if: helpers.response.is_successful is: true mutate: - key: request.user values: [admin, moderator, superuser]### Common Use Cases- Test privilege escalation vulnerabilities- Verify authorization checks are enforced- Test horizontal authorization (user A accessing user B's data)- Remove authentication to test unauthenticated access### Typical Pattern: Privilege Escalation Testyamltransform: trigger: - if: request.user is: regular_user - if: helpers.response.is_successful is: true mutate: - key: request.user value: admindetect: - if: helpers.response.is_successful is: true - if: helpers.fingerprints.same is: false # Response changed with adminalert: name: Privilege Escalation context: Regular user got different response when replayed as admin severity: CRITICAL |
regex_replace | RegexReplace | null | Regex replace pattern. |
use_extraction | boolean | false | If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing. |
value | string | null | The value to set. |
values | List[string] | null | The values to set, generates multiple queries. |
ResponseBodyJSONDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
if* | Const[response.body.json] | response.body.json | Use this to select and compare the response body when it is detected as JSON, using jq-like syntax. |
in | List[Union[Dict[string, object], List[object]]] | null | Condition is in this list of JSON |
is | Union[Dict[string, object], List[object]] | null | Condition is this exact JSON |
is_not | Union[Dict[string, object], List[object]] | null | Condition is not this exact JSON |
jq | string | null | JQ query to match and use as a boolean. If use_extraction is true, only this attribute is parsed (if set). |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

Example 1:

```yaml
detect:
  - if: response.body.json
    is:
      id: 42
```

Example 2 (jq string literals are double-quoted, so the role is compared to the string "admin"):

```yaml
detect:
  - if: response.body.json
    jq: '.role == "admin"'
```
ResponseBodyJSONExtractor¶
| Property | Type | Default | Description |
|---|---|---|---|
accept_null | boolean | false | Whether the extractor should accept null values or not. |
can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
jq* | string | | JQ query to apply to the JSON body. See stedolan.github.io |
key* | Const[response.body.json] | response.body.json | You can use this extractor to extract variables from the response body JSON. |
variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

Example: extract the user ID from the response body JSON and store it in the variable user_id.

```yaml
extractors:
  trigger:
    - if: response.status_code
      is: 200
  extract:
    - key: response.body.json
      jq: '.user.id'
      variable: 'user_id'
```
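The extractor above becomes useful once its variable is consumed elsewhere through use_extraction, which this page documents on the request.body.json mutator and on the body detectors. The following complete rule is an added example, not a rule from the original page: a horizontal authorization (IDOR) check that remembers the id of a resource one user is allowed to read and then replays another user's UPDATE against it. The user names `alice` and `bob`, the `.id` field, and the assumption that the API echoes the updated object's id are all assumptions about the target; ids are also assumed to be strings, which is why the jq expressions quote the placeholder.

```yaml
# Added example, not from the original page. "alice", "bob", the ".id"
# field and the echoed id in UPDATE responses are assumptions.
extractors:
  trigger:
    - if: request.user
      is: alice
    - if: helpers.request.crud
      is: READ
    - if: helpers.response.is_successful
      is: true
  extract:
    # Remember the id of a resource alice is allowed to read
    - key: response.body.json
      jq: '.id'
      variable: 'alice_resource_id'
      can_overwrite: false   # keep the first id seen; later reads do not replace it
transform:
  trigger:
    - if: request.user
      is: bob
    - if: helpers.request.crud
      is: UPDATE
    - if: request.body.json
      jq: '.id != null'
  mutate:
    # Replay bob's update, but aimed at alice's resource.
    # {{alice_resource_id}} is substituted before the jq program is parsed.
    - key: request.body.json
      use_extraction: true
      jq: '.id = "{{alice_resource_id}}"'
detect:
  - if: helpers.response.is_successful
    is: true
  # The response confirms the write landed on alice's object, not on bob's
  - if: response.body.json
    use_extraction: true
    jq: '.id == "{{alice_resource_id}}"'
alert:
  name: Horizontal authorization bypass (IDOR) on UPDATE
  context: A resource id read by alice was written to by bob and the API accepted the update
  severity: HIGH
  compliance:
    cwe: CWE-639
```

Two caveats matter in practice. The extractor only fires after alice's READ has been observed, so a bob UPDATE seen before that point is replayed with the literal text `{{alice_resource_id}}` in its body (the placeholder is only replaced when the variable exists) and cannot produce a finding; ordering the scan so that alice's traffic comes first, or seeding a READ as alice, avoids the blind spot. And `can_overwrite: false` pins the rule to one resource, which keeps the result reproducible but means a single false negative on that resource hides the whole class; drop it if you prefer to test against whatever alice read most recently.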
ResponseBodyTextDetector¶
| Property | Type | Default | Description |
|---|---|---|---|
contains | string | null | Contains this string |
if* | Const[response.body.text] | response.body.text | Use this to select and compare the response body as text, using string comparison. |
in | List[string] | null | Condition is in this list (exact match) |
is | string | null | Condition is this exact string |
is_not | string | null | Condition is not this exact string |
regex | string | null | Condition is matched on this regex with fullmatch |
use_extraction | boolean | false | If true, variable references between {{ }} are replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

Example:

```yaml
detect:
  - if: response.body.text
    is_not: 'unauthorized'
```
ResponseBodyTextExtractor¶
| Property | Type | Default | Description |
|---|---|---|---|
accept_null | boolean | false | Whether the extractor should accept null values or not. |
can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
key* | Const[response.body.text] | response.body.text | You can use this extractor to extract variables from the response body text. |
variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

Example: extract the response body text and store it in the variable body_data.

```yaml
extractors:
  trigger:
    - if: response.status_code
      is: 200
  extract:
    - key: response.body.text
      variable: 'body_data'
```
ResponseCookieExtractor¶
| Property | Type | Default | Description |
|---|---|---|---|
accept_null | boolean | false | Whether the extractor should accept null values or not. |
can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
key* | Const[response.cookies] | response.cookies | You can use this extractor to extract variables from the response cookies. |
name* | string | | Cookie name to extract from |
variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

Example: extract a session cookie returned in the response (Set-Cookie header) and store it in the variable session.

```yaml
extractors:
  trigger:
    - if: response.status_code
      is: 200
  extract:
    - key: response.cookies
      name: 'session'
      variable: 'session'
```
### ResponseDurationDetector
| Property | Type | Default | Description |
|---|---|---|---|
| gt | integer | null | Condition is greater than this integer |
| if* | Const[response.duration_ms] | response.duration_ms | Use this to compare the duration of the request in milliseconds. |
| in | List[integer] | null | Condition is in this list of integers (exact match) |
| is | integer | null | Condition is this exact integer |
| is_not | integer | null | Condition is not this exact integer |
| lt | integer | null | Condition is less than this integer |

#### Example
```yaml
detect:
  - if: response.duration_ms
    gt: 200
```
### ResponseDurationExtractor
| Property | Type | Default | Description |
|---|---|---|---|
| accept_null | boolean | false | Whether the extractor should accept null values or not. |
| can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
| key* | Const[response.duration] | response.duration | You can use this extractor to extract the response duration as a variable. |
| variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

#### Example
This example extracts the response duration and stores it in the variable `duration`.
```yaml
extractors:
  extract:
    - key: response.duration
      variable: 'duration'
```
### ResponseHeaderExtractor
| Property | Type | Default | Description |
|---|---|---|---|
| accept_null | boolean | false | Whether the extractor should accept null values or not. |
| can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
| key* | Const[response.headers] | response.headers | You can use this extractor to extract variables from the response headers. |
| name* | string | | Header name to extract from |
| variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

#### Example
This example extracts a token from the response header `X-Token` and stores it in the variable `x_token`.
```yaml
extractors:
  trigger:
    - if: response.status_code
      is: 200
  extract:
    - key: response.headers
      name: 'X-Token'
      variable: 'x_token'
```
### ResponseHeadersDetector
| Property | Type | Default | Description |
|---|---|---|---|
| if* | Const[response.headers] | response.headers | Use this to select and compare the response headers as a key-value dictionary. |
| key | StringMatcher | null | Key to match |
| value | StringMatcher | null | Value to match |

#### Example
```yaml
detect:
  - if: response.headers
    key:
      is: 'X-RESULT'
    value:
      is: 'PAID'
```
### ResponseObjectDetector
| Property | Type | Default | Description |
|---|---|---|---|
| if* | Const[response.object] | response.object | Use this to select and compare the detected object scalars (including custom scalars) in the response, with their kind, name and value. |
| name | StringMatcher | null | Object scalar name to match |
| type | ObjectTypeMatcher | null | Object scalar type to match |
| value | StringMatcher | null | Object scalar value to match |

#### Example
```yaml
detect:
  - if: response.object
    type:
      in:
        - email
        - phone
        - street_address
```
### ResponseStatusCodeDetector
| Property | Type | Default | Description |
|---|---|---|---|
| gt | integer | null | Condition is greater than this integer |
| if* | Const[response.status_code] | response.status_code | Use this to match against the HTTP response status code. Matcher type: IntegerMatcher. Available operators: is, is_not, gt, gte, lt, lte, in. Values: HTTP status codes (100-599). |
| in | List[integer] | null | Condition is in this list of integers (exact match) |
| is | integer | null | Condition is this exact integer |
| is_not | integer | null | Condition is not this exact integer |
| lt | integer | null | Condition is less than this integer |

#### Basic Examples
```yaml
# Exact match
detect:
  - if: response.status_code
    is: 200
```
```yaml
# Range match
detect:
  - if: response.status_code
    gte: 400
  - if: response.status_code
    lt: 500
```
```yaml
# Multiple status codes (OR)
detect:
  - if: response.status_code
    in: [200, 201, 204]
```

#### Common Use Cases
- Match successful responses (200-299)
- Detect errors (400-499, 500-599)
- Verify specific status codes
- Check for redirect responses

#### Common Patterns
```yaml
# Success codes (use helper instead)
detect:
  - if: helpers.response.is_successful
    is: true
```
```yaml
# Client errors
detect:
  - if: response.status_code
    gte: 400
  - if: response.status_code
    lt: 500
```
```yaml
# Multiple success codes
detect:
  - if: response.status_code
    in: [200, 201, 202, 204]
```

Tip: For simple success/failure checks, use `helpers.response.is_successful` instead.
### ResponseStatusCodeExtractor
| Property | Type | Default | Description |
|---|---|---|---|
| accept_null | boolean | false | Whether the extractor should accept null values or not. |
| can_overwrite | boolean | true | Whether the extractor can overwrite the variable if it already exists. |
| key* | Const[response.status_code] | response.status_code | You can use this extractor to extract the response status code as a variable. |
| variable* | VariableName | | The variable name (case insensitive) to store the extracted data. |

#### Example
This example extracts the response status code and stores it in the variable `status_code`.
```yaml
extractors:
  extract:
    - key: response.status_code
      variable: 'status_code'
```
### ScanTypeDetector
| Property | Type | Default | Description |
|---|---|---|---|
| if* | Const[scan.type] | scan.type | Use this to match against the type of scan being performed. Matcher type: ScanTypeMatcher. Available operators: is, is_not, in. Valid values: REST, GRAPHQL, SOAP, GRPC. |
| in | List[CustomRuleScanType] | null | The scan type is in this list |
| is | CustomRuleScanType | null | The scan type is exactly this |
| is_not | CustomRuleScanType | null | The scan type is not this type |

#### Basic Example
```yaml
detect:
  - if: scan.type
    is: REST
```

#### Match Multiple Types (OR Logic)
```yaml
detect:
  - if: scan.type
    in: [REST, GRAPHQL]
```

#### Common Use Cases
- Apply rules only to REST APIs
- Skip rules for specific scan types
- Different behavior based on protocol
### SchemaNeedAuthenticationDetector
| Property | Type | Default | Description |
|---|---|---|---|
| if* | Const[schema.need_authentication] | schema.need_authentication | Use this to select whether or not the schema requires authentication. |
| is | boolean | null | Condition is true |
| is_not | boolean | null | Condition is false |

#### Example
```yaml
detect:
  - if: schema.need_authentication
    is: false
```
### SchemaPathRefDetector
| Property | Type | Default | Description |
|---|---|---|---|
| contains | string | null | Contains this string |
| if* | Const[schema.path_ref] | schema.path_ref | Use this to match the operation name (GraphQL) or the path (REST) of the request. Matcher type: StringMatcher. Available operators: is, is_not, contains, regex, in. |
| in | List[string] | null | Condition is in this list (exact match) |
| is | string | null | Condition is this exact string |
| is_not | string | null | Condition is not this exact string |
| regex | string | null | Condition is matched on this regex with fullmatch |
| use_extraction | boolean | false | If true, variable references between {{ }} will be replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

#### Basic Examples
```yaml
# Exact match
detect:
  - if: schema.path_ref
    is: /api/users
```
```yaml
# Contains substring
detect:
  - if: schema.path_ref
    contains: /admin/
```
```yaml
# Regex pattern
detect:
  - if: schema.path_ref
    regex: /api/v[0-9]+/admin/.*
```

#### Common Use Cases
- Target specific endpoints for testing
- Exclude internal/admin paths
- Match versioned API endpoints
- Group similar paths with regex
### SchemaPathRefMutator
| Property | Type | Default | Description |
|---|---|---|---|
| key* | Const[schema.path_ref] | schema.path_ref | You can use this mutator to change the operation name in GraphQL or the path in REST (keeping the domain) before resending the request. |
| regex_replace | RegexReplace | null | Regex replace pattern. |
| use_extraction | boolean | false | If true, variable references between {{ }} will be replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
| value | string | null | The value to set. |
| values | List[string] | null | The values to set; generates multiple queries. |

#### Example
```yaml
transform:
  trigger:
    - if: schema.path_ref
      is: '/api/v1/tested/route'
  mutate:
    - key: schema.path_ref
      mutate:
        value: '/api/v2/tested/route'
```
### SchemaUrlDetector
| Property | Type | Default | Description |
|---|---|---|---|
| contains | string | null | Contains this string |
| if* | Const[schema.url] | schema.url | Use this to string-compare the URL of the request. |
| in | List[string] | null | Condition is in this list (exact match) |
| is | string | null | Condition is this exact string |
| is_not | string | null | Condition is not this exact string |
| regex | string | null | Condition is matched on this regex with fullmatch |
| use_extraction | boolean | false | If true, variable references between {{ }} will be replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |

#### Example
```yaml
detect:
  - if: schema.url
    regex: .*(internal |
```
### SchemaUrlMutator
| Property | Type | Default | Description |
|---|---|---|---|
| key* | Const[schema.url] | schema.url | You can use this mutator to change the URL of the request before resending it. |
| regex_replace | RegexReplace | null | Regex replace pattern. |
| use_extraction | boolean | false | If true, variable references between {{ }} will be replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
| value | string | null | The value to set. |
| values | List[string] | null | The values to set; generates multiple queries. |

#### Example
```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: schema.url
      mutate:
        value: '/api/v2/'
```
### StringMatcher
| Property | Type | Default | Description |
|---|---|---|---|
| contains | string | null | Contains this string |
| in | List[string] | null | Condition is in this list (exact match) |
| is | string | null | Condition is this exact string |
| is_not | string | null | Condition is not this exact string |
| regex | string | null | Condition is matched on this regex with fullmatch |
| use_extraction | boolean | false | If true, variable references between {{ }} will be replaced with the extracted value (if one exists). The string representation of the variable is used without any extra processing. |
### VariableDefinedDetector
| Property | Type | Default | Description |
|---|---|---|---|
| if* | Const[variable.defined] | variable.defined | Use this to detect whether a given variable has been extracted yet. |
| variable_name* | string | | Use this to specify the variable name that has to be defined before proceeding further |

#### Basic Example
```yaml
detect:
  - if: variable.defined
    variable_name: user_id
```

#### Common Use Cases
- Making sure a variable has already been extracted before executing a mutation, a detector or another extraction.
### VariableName
| Property | Type | Default | Description |
|---|---|---|---|
## Enums

### CustomRuleCategory
| Value |
|---|
| ACCESS_CONTROL |
| CONFIGURATION |
| INFORMATION_DISCLOSURE |
| INJECTION |
| PROTOCOL |
| REQUEST_FORGERY |
| RESOURCE_LIMITATION |
| SENSITIVE_DATA |
| SCHEMA |
| CUSTOM |

### CustomRuleCrud
| Value |
|---|
| CREATE |
| READ |
| UPDATE |
| DELETE |

### CustomRuleScanType
| Value |
|---|
| GRAPHQL |
| REST |

### CustomRuleSeverity
| Value |
|---|
| HIGH |
| MEDIUM |
| LOW |
| INFO |

### HTTPMethod
| Value |
|---|
| CONNECT |
| DELETE |
| GET |
| HEAD |
| OPTIONS |
| PATCH |
| POST |
| PUT |
| TRACE |

### OBJECT_TYPE
| Value |
|---|
| See Data Types Reference |