
# Custom Rules Reference

## CustomRule

| Property | Type | Default | Description |
|---|---|---|---|
| `alert`* | `AlertModel` | | The alert to raise if the detection conditions are met. See [Alerting](01-alerting.md). |
| `detect`* | `List[CrudDetector,LogicalAndDetector,LogicalNotDetector,LogicalOrDetector,MethodDetector,RequestBodyJSONDetector,RequestBodyTextDetector,RequestHeadersDetector,RequestIsAuthenticatedDetector,RequestObjectDetector,RequestUserDetector,ResponseBodyJSONDetector,ResponseBodyTextDetector,ResponseDurationDetector,ResponseHeadersDetector,ResponseIsSuccessfulDetector,ResponseObjectDetector,ResponseStatusCodeDetector,ScanTypeDetector,SchemaNeedAuthenticationDetector,SchemaPathRefDetector,SchemaUrlDetector]` | | The conditions that trigger the alert. See Detectors. |
| `id`* | `string` | | The unique identifier of the custom rule. It is provided by Escape; do not set it manually. |
| `seed` | `List[HTTPRAWSeeder,RESTSeeder]` | | A list of requests to seed the scan. See Seeders. |
| `transform` | `Middleware` | `null` | Defines lists of triggers and mutations (combined with AND operators). See Transformations. |
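A complete rule assembled from the objects documented below, added here as an illustration rather than taken from the Escape documentation: it replays authenticated write requests with the user dropped and alerts if the API still answers successfully. The `id` value is a placeholder (Escape assigns it), and the property placement follows the object tables; the CWE and OWASP references are assumed mappings.

```yaml
# Added illustration, not a rule shipped by Escape.
# Missing-authentication check: every authenticated CREATE/UPDATE/DELETE
# request is replayed without credentials; a success response raises an alert.
id: <provided-by-escape>   # placeholder: set by Escape, never by hand
alert:
  name: Write operation accepted without authentication
  category: ACCESS_CONTROL
  severity: HIGH
  context: >-
    The original request was replayed with its user dropped and the server
    still returned a success status for a state-changing operation.
  description: A CREATE, UPDATE or DELETE operation succeeded without credentials.
  remediation: Enforce authentication server-side on every state-changing route.
  compliance:
    cwe: CWE-306            # assumed mapping: Missing Authentication for Critical Function
    owasp: API2:2023         # assumed mapping: Broken Authentication
transform:
  trigger:
    # Both conditions must hold (LogicalAndDetector): the request carried a
    # user and it is a write operation according to the detected CRUD kind.
    - if: and
      and:
        - if: request.is_authenticated
          is: true
        - if: helpers.request.crud
          in:
            - CREATE
            - UPDATE
            - DELETE
  mutate:
    # RequestUserMutator with drop_user: resend the same request unauthenticated.
    - key: request.user
      drop_user: true
detect:
  # Alert only if the unauthenticated replay is treated as successful and the
  # status code is not an explicit authentication or authorization refusal.
  # (The page does not define which codes count as "successful", so both
  # checks are combined rather than relying on one of them.)
  - if: and
    and:
      - if: helpers.response.is_successful
        is: true
      - if: not
        not:
          if: response.status_code
          in:
            - 401
            - 403
```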

## Objects

### AlertModel

| Property | Type | Default | Description |
|---|---|---|---|
| `category`* | `CATEGORY` | | Category of the alert. |
| `compliance` | `Compliance` | `null` | Compliance standards violated by this alert. |
| `context`* | `string` | | Context of the alert. |
| `description` | `string` | `null` | Description of the alert. |
| `name`* | `string` | | Name of the alert. |
| `remediation` | `string` | `null` | Remediation of the alert. |
| `severity`* | `SEVERITY` | | Severity of the alert. |

### Compliance

| Property | Type | Default | Description |
|---|---|---|---|
| `cwe` | `string` | `null` | |
| `fedramp` | `string` | `null` | |
| `gdpr` | `string` | `null` | |
| `hipaa` | `string` | `null` | |
| `iso27001` | `string` | `null` | |
| `nis2` | `string` | `null` | |
| `nist` | `string` | `null` | |
| `owasp` | `string` | `null` | |
| `owasp_llm` | `string` | `null` | |
| `pci-dss` | `string` | `null` | |
| `psd2` | `string` | `null` | |
| `soc2` | `string` | `null` | |

### CrudDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[helpers.request.crud]` | `helpers.request.crud` | Use this to select against the detected CRUD operation of the request. |
| `in` | `List[CRUD]` | `null` | Condition: the request is in this list of CRUD operations (exact match). |
| `is` | `CRUD` | `null` | Condition: the request is this CRUD operation. |
| `is_not` | `CRUD` | `null` | Condition: the request is not this CRUD operation. |

#### Example

```yaml
detect:
  - if: helpers.request.crud
    in:
      - CREATE
      - UPDATE
```

### HTTPRAWSeeder

| Property | Type | Default | Description |
|---|---|---|---|
| `protocol`* | `Const[http]` | `http` | The HTTP seeder allows you to send a request at the start of the scan. These requests are sent at the same time as the hotstart; the syntax is similar, but you can configure which user the request is sent as. The main difference between the two features is that a seeded request is bound to a custom security check: if you disable the check, the seeded request is not sent. |
| `raw`* | `string` | | The raw HTTP request in Nuclei format. |
| `user` | `string` | `null` | The user to use for the request. If not provided, the request is sent without authentication. |

#### Example

```yaml
seed:
  - protocol: http
    raw:
```

### LogicalAndDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `and`* | `List[CrudDetector,LogicalAndDetector,LogicalNotDetector,LogicalOrDetector,MethodDetector,RequestBodyJSONDetector,RequestBodyTextDetector,RequestHeadersDetector,RequestIsAuthenticatedDetector,RequestObjectDetector,RequestUserDetector,ResponseBodyJSONDetector,ResponseBodyTextDetector,ResponseDurationDetector,ResponseHeadersDetector,ResponseIsSuccessfulDetector,ResponseObjectDetector,ResponseStatusCodeDetector,ScanTypeDetector,SchemaNeedAuthenticationDetector,SchemaPathRefDetector,SchemaUrlDetector]` | | Logical AND on a list of detectors. |
| `if`* | `Const[and]` | `and` | Use this to apply a logical AND on a list of detectors. |

#### Example

```yaml
detect:
  - if: and
    and:
      - if: helpers.request.crud
        in:
          - CREATE
          - UPDATE
      - if: response.status_code
        is: 200
```

### LogicalNotDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[not]` | `not` | Use this to apply a logical NOT on a detector. |
| `not` | `CrudDetector, LogicalAndDetector, LogicalNotDetector, LogicalOrDetector, MethodDetector, RequestBodyJSONDetector, RequestBodyTextDetector, RequestHeadersDetector, RequestIsAuthenticatedDetector, RequestObjectDetector, RequestUserDetector, ResponseBodyJSONDetector, ResponseBodyTextDetector, ResponseDurationDetector, ResponseHeadersDetector, ResponseIsSuccessfulDetector, ResponseObjectDetector, ResponseStatusCodeDetector, ScanTypeDetector, SchemaNeedAuthenticationDetector, SchemaPathRefDetector, SchemaUrlDetector` | `null` | Logical NOT of a detector. |

#### Example

```yaml
detect:
  - if: not
    not:
      if: response.status_code
      is: 200
```

### LogicalOrDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[or]` | `or` | Use this to apply a logical OR on a list of detectors. |
| `or`* | `List[CrudDetector,LogicalAndDetector,LogicalNotDetector,LogicalOrDetector,MethodDetector,RequestBodyJSONDetector,RequestBodyTextDetector,RequestHeadersDetector,RequestIsAuthenticatedDetector,RequestObjectDetector,RequestUserDetector,ResponseBodyJSONDetector,ResponseBodyTextDetector,ResponseDurationDetector,ResponseHeadersDetector,ResponseIsSuccessfulDetector,ResponseObjectDetector,ResponseStatusCodeDetector,ScanTypeDetector,SchemaNeedAuthenticationDetector,SchemaPathRefDetector,SchemaUrlDetector]` | | Logical OR on a list of detectors. |

#### Example

```yaml
detect:
  - if: or
    or:
      - if: helpers.request.crud
        in:
          - CREATE
          - UPDATE
      - if: response.status_code
        is: 200
```

### MethodDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[request.method]` | `request.method` | Use this to select against the HTTP method of the request. |
| `in` | `List[HTTP_METHOD]` | `null` | Condition: the request method is in this list of HTTP methods (exact match). |
| `is` | `HTTP_METHOD` | `null` | Condition: the request method is this HTTP method. |
| `is_not` | `HTTP_METHOD` | `null` | Condition: the request method is not this HTTP method. |

#### Example

```yaml
detect:
  - if: request.method
    is: OPTIONS
```

### MethodMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `key`* | `Const[request.method]` | `request.method` | You can use this mutator to change the HTTP method of the request before resending it. |
| `value` | `HTTP_METHOD` | `null` | The value to set. |
| `values` | `List[HTTP_METHOD]` | `null` | The values to set; generates multiple queries. |

#### Example

```yaml
transform:
  trigger:
    - if: helpers.request.crud
      is: CREATE
  mutate:
    - key: request.method
      value: DELETE
```

### Middleware

| Property | Type | Default | Description |
|---|---|---|---|
| `mutate`* | `List[MethodMutator,RequestBodyJSONMutator,RequestBodyTextMutator,RequestHeadersMutator,RequestObjectMutator,RequestUserMutator,SchemaPathRefMutator,SchemaUrlMutator]` | | The mutations to apply to the request before replaying it. See Mutators. |
| `trigger`* | `List[CrudDetector,LogicalAndDetector,LogicalNotDetector,LogicalOrDetector,MethodDetector,RequestBodyJSONDetector,RequestBodyTextDetector,RequestHeadersDetector,RequestIsAuthenticatedDetector,RequestObjectDetector,RequestUserDetector,ResponseBodyJSONDetector,ResponseBodyTextDetector,ResponseDurationDetector,ResponseHeadersDetector,ResponseIsSuccessfulDetector,ResponseObjectDetector,ResponseStatusCodeDetector,ScanTypeDetector,SchemaNeedAuthenticationDetector,SchemaPathRefDetector,SchemaUrlDetector]` | | The detectors that trigger the transform on the request or response. See Detectors. |

### ObjectMatcher

| Property | Type | Default | Description |
|---|---|---|---|
| `name` | `StringMatcher` | `null` | Object scalar name to match. |
| `type` | `ObjectTypeMatcher` | `null` | Object scalar type to match. |
| `value` | `StringMatcher` | `null` | Object scalar value to match. |

### ObjectMutate

| Property | Type | Default | Description |
|---|---|---|---|
| `regex_replace` | `RegexReplace` | `null` | Regex replace pattern. |
| `value` | `string` | `null` | The value to set. |
| `values` | `List[string]` | `null` | The values to set; generates multiple queries. |

### ObjectTypeMatcher

| Property | Type | Default | Description |
|---|---|---|---|
| `in` | `List[OBJECT_TYPE]` | `null` | Object type is in this list. |
| `is` | `OBJECT_TYPE` | `null` | Object type is exactly this type. |
| `is_not` | `OBJECT_TYPE` | `null` | Object type is any type except this one. |

### RESTSeeder

| Property | Type | Default | Description |
|---|---|---|---|
| `body` | `string` | `null` | |
| `headers` | `Dict[string, string]` | `null` | |
| `method` | `HTTP_METHOD` | `null` | |
| `params` | `Dict[string, string]` | `null` | |
| `path` | `string` | `null` | |
| `protocol`* | `Const[rest]` | `rest` | The REST seeder allows you to send a request that adapts to the host of your current scan. You can still use a raw HTTP text format, but the host and scheme are filled in automatically for you. These requests are sent at the same time as the hotstart; the syntax is similar, but you can configure which user the request is sent as. The main difference between the two features is that a seeded request is bound to a custom security check: if you disable the check, the seeded request is not sent. |
| `user` | `string` | `null` | The user to use for the request. If not provided, the request is sent without authentication. |

#### Example

```yaml
seed:
  - protocol: rest
    path: /books/some-title
    method: GET
    headers:
      Content-Type: application/json
    body: '{"hello": "world"}'
    user: admin
    params:
      id: 1
```

### RegexReplace

| Property | Type | Default | Description |
|---|---|---|---|
| `pattern`* | `string` | | The regex pattern to match. |
| `replacement`* | `string` | | The replacement; use `\1`, `\2`, ... to refer to capture groups. |

### RequestBodyJSONDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[request.body.json]` | `request.body.json` | Use this to select and compare the request body when it is detected as JSON, using jq-like syntax. |
| `in` | `List[Union[Dict[string, object], List[object]]]` | `null` | Condition: the body is in this list of JSON values. |
| `is` | `Union[Dict[string, object], List[object]]` | `null` | Condition: the body is this exact JSON value. |
| `is_not` | `Union[Dict[string, object], List[object]]` | `null` | Condition: the body is not this exact JSON value. |
| `jq` | `string` | `null` | jq query to match, used as a boolean. |

#### Example

```yaml
detect:
  - if: request.body.json
    is:
      jq: '.role == admin'
```

### RequestBodyJSONMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `jq` | `string` | `null` | jq query to apply to the JSON body. See stedolan.github.io. |
| `key`* | `Const[request.body.json]` | `request.body.json` | You can use this mutator to change the JSON body of the request before resending it. |

#### Example

```yaml
transform:
  trigger:
    - if: request.body.json
      is: {"user": "admin"}
  mutate:
    - key: request.body.json
      jq: '.
```

### RequestBodyTextDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `contains` | `string` | `null` | Contains this string. |
| `if`* | `Const[request.body.text]` | `request.body.text` | Use this to select and compare the request body as text, using string comparison. |
| `in` | `List[string]` | `null` | Condition: the body is in this list (exact match). |
| `is` | `string` | `null` | Condition: the body is this exact string. |
| `is_not` | `string` | `null` | Condition: the body is not this exact string. |
| `regex` | `string` | `null` | Condition: the body matches this regex (fullmatch). |

#### Example

```yaml
detect:
  - if: request.body.text
    contains: 'password='
```

### RequestBodyTextMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `key`* | `Const[request.body.text]` | `request.body.text` | You can use this mutator to change the body (as text) of the request before resending it. |
| `regex_replace` | `RegexReplace` | `null` | Regex replace pattern. |
| `value` | `string` | `null` | The value to set. |
| `values` | `List[string]` | `null` | The values to set; generates multiple queries. |

#### Example

```yaml
transform:
  trigger:
    - if: request.body.text
      contains: 'hello'
  mutate:
    - key: request.body.text
      values:
        - 'injection 1'
        - 'injection 2'
        - 'injection 3'
```

### RequestHeadersDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[request.headers]` | `request.headers` | Use this to select and compare the request headers as a key-value dictionary. |
| `key` | `StringMatcher` | `null` | Key to match. |
| `value` | `StringMatcher` | `null` | Value to match. |

#### Example

```yaml
detect:
  - if: request.headers
    key:
      is: 'X-OPERATION'
    value:
      is: 'PAY'
```

### RequestHeadersMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `delete` | `boolean` | `null` | Delete the matched headers. |
| `key`* | `Const[request.headers]` | `request.headers` | You can use this mutator to change the headers of the request before resending it. |
| `name`* | `string` | | The header name to match; supports regex. |
| `regex_replace` | `RegexReplace` | `null` | Regex replace pattern. |
| `value` | `string` | `null` | The value to set. |
| `values` | `List[string]` | `null` | The values to set; generates multiple queries. |

#### Example

```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.headers
      name: X-API-version
      value: 'APIV2'
```

### RequestIsAuthenticatedDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[request.is_authenticated]` | `request.is_authenticated` | Use this to select on whether the request is authenticated. |
| `is` | `boolean` | `null` | Condition is true. |
| `is_not` | `boolean` | `null` | Condition is false. |

#### Example

```yaml
detect:
  - if: request.is_authenticated
    is: true
```

### RequestObjectDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[request.object]` | `request.object` | Use this to select and compare the detected object scalars (including custom scalars) in the request, with their kind, name and value. |
| `name` | `StringMatcher` | `null` | Object scalar name to match. |
| `type` | `ObjectTypeMatcher` | `null` | Object scalar type to match. |
| `value` | `StringMatcher` | `null` | Object scalar value to match. |

#### Example

```yaml
detect:
  - if: request.object
    type:
      in:
        - email
        - phone
        - street_address
```

### RequestObjectMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `key`* | `Const[request.object]` | `request.object` | The detected object scalars (including custom scalars) in the request, with their kind, name and value. |
| `mutate`* | `ObjectMutate` | | |
| `select`* | `ObjectMatcher` | | |

#### Example

```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.object
      select:
        type:
          is: email
        name:
          is: 'admin_email'
        value:
          regex: .*@escape.tech
      mutate:
        regex_replace:
          pattern: (.*)@escape.tech
          replacement: \1@attacker.com
```

### RequestUserDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `contains` | `string` | `null` | Contains this string. |
| `if`* | `Const[request.user]` | `request.user` | Use this to string-compare the user configured for the request. |
| `in` | `List[string]` | `null` | Condition: the user is in this list (exact match). |
| `is` | `string` | `null` | Condition: the user is this exact string. |
| `is_not` | `string` | `null` | Condition: the user is not this exact string. |
| `regex` | `string` | `null` | Condition: the user matches this regex (fullmatch). |

#### Example

```yaml
detect:
  - if: request.user
    is: unprivileged_user
```

### RequestUserMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `drop_user` | `boolean` | `null` | Remove the user authentication from the request. |
| `key`* | `Const[request.user]` | `request.user` | You can use this mutator to change the user of the request before resending it. |
| `regex_replace` | `RegexReplace` | `null` | Regex replace pattern. |
| `value` | `string` | `null` | The value to set. |
| `values` | `List[string]` | `null` | The values to set; generates multiple queries. |

#### Example

```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: request.user
      mutate:
        value: admin
```

### ResponseBodyJSONDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[response.body.json]` | `response.body.json` | Use this to select and compare the response body when it is detected as JSON, using jq-like syntax. |
| `in` | `List[Union[Dict[string, object], List[object]]]` | `null` | Condition: the body is in this list of JSON values. |
| `is` | `Union[Dict[string, object], List[object]]` | `null` | Condition: the body is this exact JSON value. |
| `is_not` | `Union[Dict[string, object], List[object]]` | `null` | Condition: the body is not this exact JSON value. |
| `jq` | `string` | `null` | jq query to match, used as a boolean. |

#### Example

```yaml
detect:
  - if: response.body.json
    is:
      jq: '.role == admin'
```

### ResponseBodyTextDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `contains` | `string` | `null` | Contains this string. |
| `if`* | `Const[response.body.text]` | `response.body.text` | Use this to select and compare the response body as text, using string comparison. |
| `in` | `List[string]` | `null` | Condition: the body is in this list (exact match). |
| `is` | `string` | `null` | Condition: the body is this exact string. |
| `is_not` | `string` | `null` | Condition: the body is not this exact string. |
| `regex` | `string` | `null` | Condition: the body matches this regex (fullmatch). |

#### Example

```yaml
detect:
  - if: response.body.text
    is_not: 'unauthorized'
```

### ResponseDurationDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `gt` | `integer` | `null` | Condition: the duration is greater than this integer. |
| `if`* | `Const[response.duration_ms]` | `response.duration_ms` | Use this to compare the duration of the request in milliseconds. |
| `in` | `List[integer]` | `null` | Condition: the duration is in this list of integers (exact match). |
| `is` | `integer` | `null` | Condition: the duration is this exact integer. |
| `is_not` | `integer` | `null` | Condition: the duration is not this exact integer. |
| `lt` | `integer` | `null` | Condition: the duration is less than this integer. |

#### Example

```yaml
detect:
  - if: response.duration_ms
    gt: 200
```

### ResponseHeadersDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[response.headers]` | `response.headers` | Use this to select and compare the response headers as a key-value dictionary. |
| `key` | `StringMatcher` | `null` | Key to match. |
| `value` | `StringMatcher` | `null` | Value to match. |

#### Example

```yaml
detect:
  - if: response.headers
    key:
      is: 'X-RESULT'
    value:
      is: 'PAID'
```

### ResponseIsSuccessfulDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[helpers.response.is_successful]` | `helpers.response.is_successful` | Use this to check whether the response is successful. |
| `is` | `boolean` | `null` | Condition is true. |
| `is_not` | `boolean` | `null` | Condition is false. |

#### Example

```yaml
detect:
  - if: helpers.response.is_successful
    is: true
```

### ResponseObjectDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[response.object]` | `response.object` | Use this to select and compare the detected object scalars (including custom scalars) in the response, with their kind, name and value. |
| `name` | `StringMatcher` | `null` | Object scalar name to match. |
| `type` | `ObjectTypeMatcher` | `null` | Object scalar type to match. |
| `value` | `StringMatcher` | `null` | Object scalar value to match. |

#### Example

```yaml
detect:
  - if: response.object
    type:
      in:
        - email
        - phone
        - street_address
```

### ResponseStatusCodeDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `gt` | `integer` | `null` | Condition: the status code is greater than this integer. |
| `if`* | `Const[response.status_code]` | `response.status_code` | Use this to compare the HTTP status code as an integer. |
| `in` | `List[integer]` | `null` | Condition: the status code is in this list of integers (exact match). |
| `is` | `integer` | `null` | Condition: the status code is this exact integer. |
| `is_not` | `integer` | `null` | Condition: the status code is not this exact integer. |
| `lt` | `integer` | `null` | Condition: the status code is less than this integer. |

#### Example

```yaml
detect:
  - if: response.status_code
    is: 200
```

### ScanTypeDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[scan.type]` | `scan.type` | Use this to select against the type of the scan. |
| `in` | `List[SCAN_TYPE]` | `null` | The scan type is in this list. |
| `is` | `SCAN_TYPE` | `null` | The scan type is exactly this type. |
| `is_not` | `SCAN_TYPE` | `null` | The scan type is not this type. |

#### Example

```yaml
detect:
  - if: scan.type
    is: REST
```

### SchemaNeedAuthenticationDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `if`* | `Const[schema.need_authentication]` | `schema.need_authentication` | Use this to select on whether the schema requires authentication. |
| `is` | `boolean` | `null` | Condition is true. |
| `is_not` | `boolean` | `null` | Condition is false. |

#### Example

```yaml
detect:
  - if: schema.need_authentication
    is: false
```

### SchemaPathRefDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `contains` | `string` | `null` | Contains this string. |
| `if`* | `Const[schema.path_ref]` | `schema.path_ref` | Use this to string-compare the operation name in GraphQL or the path in REST. |
| `in` | `List[string]` | `null` | Condition: the path ref is in this list (exact match). |
| `is` | `string` | `null` | Condition: the path ref is this exact string. |
| `is_not` | `string` | `null` | Condition: the path ref is not this exact string. |
| `regex` | `string` | `null` | Condition: the path ref matches this regex (fullmatch). |

#### Example

```yaml
detect:
  - if: schema.path_ref
    contains: /admin/secrets
```

### SchemaPathRefMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `key`* | `Const[schema.path_ref]` | `schema.path_ref` | You can use this mutator to change the operation name in GraphQL or the path in REST (keeping the domain) before resending the request. |
| `regex_replace` | `RegexReplace` | `null` | Regex replace pattern. |
| `value` | `string` | `null` | The value to set. |
| `values` | `List[string]` | `null` | The values to set; generates multiple queries. |

#### Example

```yaml
transform:
  trigger:
    - if: schema.path_ref
      is: '/api/v1/tested/route'
  mutate:
    - key: schema.path_ref
      mutate:
        value: '/api/v2/tested/route'
```

### SchemaUrlDetector

| Property | Type | Default | Description |
|---|---|---|---|
| `contains` | `string` | `null` | Contains this string. |
| `if`* | `Const[schema.url]` | `schema.url` | Use this to string-compare the URL of the request. |
| `in` | `List[string]` | `null` | Condition: the URL is in this list (exact match). |
| `is` | `string` | `null` | Condition: the URL is this exact string. |
| `is_not` | `string` | `null` | Condition: the URL is not this exact string. |
| `regex` | `string` | `null` | Condition: the URL matches this regex (fullmatch). |

#### Example

```yaml
detect:
  - if: schema.url
    regex: .*(internal
```

### SchemaUrlMutator

| Property | Type | Default | Description |
|---|---|---|---|
| `key`* | `Const[schema.url]` | `schema.url` | You can use this mutator to change the URL of the request before resending it. |
| `regex_replace` | `RegexReplace` | `null` | Regex replace pattern. |
| `value` | `string` | `null` | The value to set. |
| `values` | `List[string]` | `null` | The values to set; generates multiple queries. |

#### Example

```yaml
transform:
  trigger:
    - if: schema.url
      is: '/api/v1/tested/route'
  mutate:
    - key: schema.url
      mutate:
        value: '/api/v2/'
```

### StringMatcher

| Property | Type | Default | Description |
|---|---|---|---|
| `contains` | `string` | `null` | Contains this string. |
| `in` | `List[string]` | `null` | Condition: the string is in this list (exact match). |
| `is` | `string` | `null` | Condition: the string is this exact string. |
| `is_not` | `string` | `null` | Condition: the string is not this exact string. |
| `regex` | `string` | `null` | Condition: the string matches this regex (fullmatch). |

## Enums

### CATEGORY

| Value |
|---|
| `ACCESS_CONTROL` |
| `CONFIGURATION` |
| `INFORMATION_DISCLOSURE` |
| `INJECTION` |
| `PROTOCOL` |
| `REQUEST_FORGERY` |
| `RESOURCE_LIMITATION` |
| `SCHEMA` |
| `CUSTOM` |

### CRUD

| Value |
|---|
| `CREATE` |
| `READ` |
| `UPDATE` |
| `DELETE` |

### HTTP_METHOD

| Value |
|---|
| `GET` |
| `POST` |
| `PUT` |
| `DELETE` |
| `HEAD` |
| `PATCH` |
| `OPTIONS` |
| `TRACE` |
| `CONNECT` |

### OBJECT_TYPE

| Value |
|---|
| See Data Types Reference |

### SCAN_TYPE

| Value |
|---|
| `GRAPHQL` |
| `REST` |

### SEVERITY

| Value |
|---|
| `HIGH` |
| `MEDIUM` |
| `LOW` |
| `INFO` |