
Seeders

Curl Seeder

protocol: curl

The Curl Seeder allows you to inject requests using curl command syntax at scan start.

Format: Standard curl command

When to use:

  • You have a working curl command
  • Quick prototyping
  • Converting from browser/Postman exports
  • Complex requests you've already tested

Timing: Runs at scan start (with hotstart)
Binding: Only runs when custom rule is enabled

Basic Example

seed:
  - protocol: curl
    curl: 'curl https://example.com/api/users'

POST with Data

seed:
  - protocol: curl
    user: admin
    curl: 'curl -X POST https://example.com/api/users -H "Content-Type: application/json" -d ''{"name": "John Doe"}'''

With Headers

seed:
  - protocol: curl
    curl: 'curl https://example.com/api/data -H "X-API-Key: test123" -H "X-Custom: value"'

From Browser/Postman

Most browsers and Postman can export a request as a curl command; copy it and use it directly:

seed:
  - protocol: curl
    user: admin
    curl: 'curl ''https://api.example.com/graphql'' -H ''Content-Type: application/json'' --data-raw ''{"query":"{ users { id name } }"}'''

Common Use Cases

  • Quick testing of known endpoints
  • Import from browser developer tools
  • Reuse existing curl scripts
  • Prototype before converting to REST format

Tip: Export curl from browser DevTools (Network tab → Right-click → Copy as cURL) for fastest setup.
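As an added illustration of the "prototype with curl, then convert to REST format" workflow (not code from the scanner itself), the following helper maps a "Copy as cURL" command onto the REST seeder keys documented on this page. It assumes the curl string is supplied with YAML quoting already resolved, and it drops host and scheme on purpose, since the REST seeder fills those from the scan target; the sample command is constructed.

```python
import shlex
from urllib.parse import urlsplit, parse_qsl

# Constructed sample modelled on the "From Browser/Postman" export above.
SAMPLE_CURL = (
    "curl 'https://api.example.com/graphql?debug=1' --compressed "
    "-H 'Content-Type: application/json' -H 'X-API-Key: test123' "
    "--data-raw '{\"query\":\"{ users { id name } }\"}'"
)

# curl options that consume a value but have no REST seeder field.
SKIP_WITH_ARG = {"-b", "--cookie", "-A", "--user-agent", "-u", "--user",
                 "-e", "--referer", "-o", "--output", "-m", "--max-time"}

def curl_to_rest_seed(command):
    """Map a curl command onto the REST seeder keys (path, method, headers, body, params)."""
    argv = shlex.split(command)
    if not argv or argv[0] != "curl":
        raise ValueError("expected a command starting with 'curl'")
    url, method, headers, body = None, None, {}, None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-X", "--request"):
            method, i = argv[i + 1].upper(), i + 2
        elif tok in ("-H", "--header"):
            name, _, value = argv[i + 1].partition(":")
            headers[name.strip()] = value.strip()
            i += 2
        elif tok in ("-d", "--data", "--data-raw", "--data-binary"):
            body, i = argv[i + 1], i + 2
        elif tok in SKIP_WITH_ARG:
            i += 2
        elif tok.startswith("-"):
            i += 1          # boolean flags such as --compressed or -k
        else:
            url, i = tok, i + 1
    if url is None:
        raise ValueError("no URL found in curl command")
    parts = urlsplit(url)
    # Host and scheme are dropped: the REST seeder sets them from the scan target.
    seed = {"protocol": "rest", "path": parts.path or "/",
            "method": method or ("POST" if body is not None else "GET")}  # curl's default
    if headers:
        seed["headers"] = headers
    if body is not None:
        seed["body"] = body
    if parts.query:
        seed["params"] = dict(parse_qsl(parts.query))
    return seed
```

A `user:` value from the curl seed carries over unchanged, so it is not modelled here.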

Properties

  • user: The user to use for the request. If not provided, the request is sent without authentication.
  • curl: The curl command to use for the request.

REST Seeder

protocol: rest

The REST Seeder allows you to inject REST API requests at scan start with automatic host adaptation.

Format: Structured REST parameters (path, method, headers, body, params)

When to use:

  • Standard REST API endpoints
  • Simple parameter passing
  • Automatic host/scheme from scan target
  • Quick endpoint testing

Timing: Runs at scan start (with hotstart)
Binding: Only runs when custom rule is enabled
Auto-Fill: Host and scheme automatically set from scan target

Basic Example

seed:
  - protocol: rest
    path: /api/users
    method: GET

POST with Body

seed:
  - protocol: rest
    path: /api/users
    method: POST
    headers:
      Content-Type: application/json
    body: '{"name": "John Doe", "email": "john@example.com"}'
    user: admin

With Query Parameters

seed:
  - protocol: rest
    path: /api/search
    method: GET
    params:
      q: admin
      limit: 100
    user: regular_user

Test Debug Endpoint

seed:
  - protocol: rest
    path: /api/debug/info
    method: GET
detect:
  - if: helpers.response.is_successful
    is: true
  - if: response.body.json
    jq: '.debug_mode == true or .secrets != null'
alert:
  name: Debug Endpoint Exposed
  severity: MEDIUM

Create Test Data

seed:
  - protocol: rest
    path: /api/products
    method: POST
    user: admin
    body: '{"name": "Test Product", "price": 0.01}'
detect:
  - if: helpers.response.is_successful
    is: true

Tip: This is the easiest seeder for standard REST endpoints. Host is automatically filled from your scan configuration.

Properties

  • user: The user to use for the request. If not provided, the request is sent without authentication.
  • path: The path to use for the request.
  • method: The method to use for the request.
  • headers: The headers to use for the request. The key is the header name and the value is the header value.
  • body: The body to use for the request.
  • params: The query parameters to use for the request. The key is the parameter name and the value is the parameter value.

RAW HTTP Seeder

protocol: http

The RAW HTTP Seeder allows you to inject custom HTTP requests at the start of the scan using raw HTTP format.

Format: Nuclei-style raw HTTP requests with @Host directive

When to use:

  • Full control over request format
  • Custom or non-standard headers
  • Testing external hosts (environment isolation)
  • Complex HTTP requests

Timing: Runs at scan start (with hotstart)
Binding: Only runs when custom rule is enabled

Basic Example

seed:
  - protocol: http
    raw: |
      @Host: https://example.com
      GET /debug HTTP/1.1
      Host: example.com
      Content-Type: application/json

With Authentication

seed:
  - protocol: http
    user: admin  # Uses admin authentication from scan config
    raw: |
      @Host: https://example.com
      POST /api/admin/action HTTP/1.1
      Host: example.com

Test Environment Isolation

Check if internal APIs are accessible:

seed:
  - protocol: http
    raw: |
      @Host: https://internal-api.company.com
      GET /api/data HTTP/1.1
      Host: internal-api.company.com
detect:
  - if: helpers.response.is_successful
    is: true
alert:
  name: Internal API Accessible
  context: Production environment can access internal APIs
  severity: HIGH

GraphQL Request

seed:
  - protocol: http
    user: admin
    raw: |
      @Host: https://api.example.com
      POST /graphql HTTP/1.1
      Host: api.example.com
      Content-Type: application/json

      {"query": "query { debugInfo { secrets } }"}

Tip: Use this when you need complete control or test external hosts. For standard REST, use the rest seeder instead.
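The parser below is an added example, not part of the scanner, that reads a raw seed in the Nuclei-style format shown above (an @Host directive, a request line, headers, a blank line, then the body) and lints the points that most often break these seeds: a missing or non-absolute @Host, a malformed request line, a Host header that disagrees with @Host, and a body without Content-Type. The optional scan_target argument is an assumption of this example and simply flags when the seed points at a host other than the scanned one, as in the environment-isolation case; the sample request is constructed from the GraphQL seed above.

```python
from urllib.parse import urlsplit

# Constructed sample reusing the GraphQL raw seed from this section.
SAMPLE_RAW = """@Host: https://api.example.com
POST /graphql HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"query": "query { debugInfo { secrets } }"}
"""

def parse_raw_seed(raw, scan_target=None):
    """Parse a Nuclei-style raw request and return its parts plus any lint problems."""
    problems = []
    lines = raw.splitlines()
    if not lines or not lines[0].startswith("@Host:"):
        raise ValueError("raw request must begin with an @Host: directive")
    base = urlsplit(lines[0][len("@Host:"):].strip())
    if base.scheme not in ("http", "https") or not base.netloc:
        problems.append("@Host must be an absolute http(s) URL")
    req = lines[1].split(" ") if len(lines) > 1 else []
    if len(req) != 3 or not req[2].startswith("HTTP/1."):
        problems.append("request line must be '<METHOD> <PATH> HTTP/1.x'")
    headers, idx = {}, 2
    while idx < len(lines) and lines[idx] != "":      # headers end at the blank line
        name, sep, value = lines[idx].partition(":")
        if not sep:
            problems.append(f"malformed header line: {lines[idx]!r}")
        else:
            headers[name.strip().lower()] = value.strip()
        idx += 1
    body = "\n".join(lines[idx + 1:]).strip()          # everything after the blank line
    if headers.get("host") != base.netloc:
        problems.append("Host header does not match @Host directive")
    if body and "content-type" not in headers:
        problems.append("body present but no Content-Type header")
    # Assumed check: does this seed leave the scanned host (environment isolation test)?
    external = scan_target is not None and urlsplit(scan_target).netloc != base.netloc
    return {
        "method": req[0] if req else None,
        "path": req[1] if len(req) > 1 else None,
        "base": base.geturl(),
        "headers": headers,
        "body": body or None,
        "external_host": external,
        "problems": problems,
    }
```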

Properties

  • user: The user to use for the request. If not provided, the request is sent without authentication.
  • raw: The raw HTTP request in Nuclei format.