Seeders¶
Seeders inject fresh starting points into the scan. They run before detection. The two surfaces use different seeders because they speak to the target differently.
API seeders¶
Available shapes for seed: entries on type: API rules:
Curl Seeder¶
protocol: curl
Inject a request specified as a curl command. Useful when you already have a working curl one-liner from browser DevTools (Network tab → Right-click → Copy as cURL) or Postman, and you want to drop it in as-is.
seed:
  - protocol: curl
    user: admin
    curl: >
      curl -X POST 'https://example.com/api/users'
      -H 'Content-Type: application/json'
      -d '{"name": "tester"}'
For long-lived rules prefer the rest seeder (clearer diff, auto-filled host).
Properties¶
- user: The user to use for the request. If not provided, the request is sent without authentication.
- curl: The curl command to use for the request.
REST Seeder¶
protocol: rest
Inject a REST request at scan start. Host and scheme are automatically filled from the scan target so you only specify the path, method, and any headers / body / query parameters.
seed:
  - protocol: rest
    path: /api/users
    method: GET
    user: admin
    headers:
      Content-Type: application/json
    body: '{"name": "tester"}'
    params:
      limit: '100'
In context — Spring Boot actuator probing:
Spring Boot actuator /env endpoint exposed¶
Probe the Spring Boot actuator /env and /beans endpoints (with and without the /actuator prefix) and alert if the body leaks JAVA_HOME — proof the actuator is reachable.
Spring Boot's actuator exposes deep introspection endpoints (/env, /beans, /heapdump, /configprops, /mappings) that in default 1.x configurations were public. They leak environment variables, database connection strings, JWT secrets, S3 credentials, anything passed via -D flags or env vars.
The rule probes the four most common path layouts and asserts a successful response containing JAVA_HOME, which is virtually certain to be present in /env output.
Sourced from the in-tree springboot_actuator_env simplecheck.
When to use: Any backend potentially using Spring Boot. False-positive rate is very low because the JAVA_HOME marker rarely appears in legitimate API responses.
OWASP: API8:2023 Security Misconfiguration · CWE: CWE-200
Severity rationale: HIGH — actuator output usually contains credentials, signing keys, and infrastructure URLs that lead to direct compromise.
Features used: seed, detect, helpers.response.is_successful, response.body.text contains
rule:
  id: example-api-spring-boot-actuator-env
  type: API
  alert:
    name: Spring Boot actuator /env exposed
    context: |
      A request to the Spring Boot actuator `/env` endpoint returned
      a successful response containing `JAVA_HOME`, indicating the
      actuator is publicly reachable and leaking environment data.
    severity: HIGH
    category: INFORMATION_DISCLOSURE
  seed:
    - protocol: rest
      method: GET
      path: /actuator/env
      headers: {}
    - protocol: rest
      method: GET
      path: /actuator/beans
      headers: {}
    - protocol: rest
      method: GET
      path: /env
      headers: {}
    - protocol: rest
      method: GET
      path: /beans
      headers: {}
  detect:
    - if: helpers.response.is_successful
      is: true
    - if: response.body.text
      contains: JAVA_HOME
References:
- https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/
- https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html
- https://cwe.mitre.org/data/definitions/200.html
In context — exposed SQL dump probing with Range header:
Exposed SQL dumps reachable over HTTP¶
Probe a curated list of common SQL dump filenames at the root of the target and alert if the server returns the file with a SQL DDL/DML signature in the body.
Backups left in the web root are one of the highest-impact and cheapest-to-find exposures in API testing. This rule probes a curated list of common backup filenames (backup.sql, dump.sql, db.sql, mysqldump.sql, ...) using a Range: bytes=0-3000 header so the download stays small even if the file is multi-gigabyte. Extend the seed: list with additional paths to suit your target.
Detection requires both a 200/206 status and a body containing typical SQL DDL/DML keywords (DROP TABLE, CREATE TABLE, INSERT INTO, LOCK TABLE). The status code and body regex are AND-combined so a generic 200 page with no SQL content does not fire.
Sourced from the in-tree exposed_sql_dumps simplecheck — promoted here as a canonical example of the seed-+-detect pattern.
When to use: Run against every public host. Especially useful immediately after deployments, when build artifacts are sometimes left in /public by accident.
OWASP: A05:2021 Security Misconfiguration · CWE: CWE-540
Severity rationale: HIGH — exposed dumps regularly contain credentials, password hashes, and full PII.
Features used: seed, detect, rest seeder with custom Range header, response.body.text regex, response.status_code in
rule:
  id: example-api-exposed-sql-dumps
  type: API
  alert:
    name: Exposed SQL dump
    context: |
      A request to a common SQL dump filename returned a 200/206 with
      DDL/DML keywords in the body, indicating a database backup
      reachable over HTTP.
    severity: HIGH
    category: INFORMATION_DISCLOSURE
  seed:
    - protocol: rest
      method: GET
      path: /backup.sql
      headers:
        Range: bytes=0-3000
    - protocol: rest
      method: GET
      path: /database.sql
      headers:
        Range: bytes=0-3000
    - protocol: rest
      method: GET
      path: /dump.sql
      headers:
        Range: bytes=0-3000
    - protocol: rest
      method: GET
      path: /db.sql
      headers:
        Range: bytes=0-3000
    - protocol: rest
      method: GET
      path: /mysqldump.sql
      headers:
        Range: bytes=0-3000
    - protocol: rest
      method: GET
      path: /db_backup.sql
      headers:
        Range: bytes=0-3000
    - protocol: rest
      method: GET
      path: /wp-content/uploads/dump.sql
      headers:
        Range: bytes=0-3000
  detect:
    - if: response.body.text
      regex: .*((DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO).*
    - if: response.status_code
      in:
        - 200
        - 206
References:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://cwe.mitre.org/data/definitions/540.html
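To make the AND-combination of the two `detect:` blocks above (the actuator rule and the SQL dump rule) concrete, here is an added Python example that evaluates simplified transcriptions of those blocks over constructed sample responses. It is not the scanner's own evaluator: the selector semantics (`helpers.response.is_successful` meaning any 2xx, `regex` matching anywhere in the body) and the sample responses are assumptions made for this illustration.

```python
import re

# Simplified detect: blocks, transcribed from the two rules on this page.
ACTUATOR_DETECT = [
    {"if": "helpers.response.is_successful", "is": True},
    {"if": "response.body.text", "contains": "JAVA_HOME"},
]
SQL_DUMP_DETECT = [
    {"if": "response.body.text",
     "regex": r".*((DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO).*"},
    {"if": "response.status_code", "in": [200, 206]},
]

# Constructed sample responses; none were captured from a real host.
SAMPLE_RESPONSES = {
    "partial_dump": {        # Range request answered with the first bytes of a dump
        "status_code": 206,
        "body": "-- MySQL dump\nDROP TABLE IF EXISTS `users`;\nCREATE TABLE `users` (\n  id int\n);\n",
    },
    "catch_all_page": {      # SPA that answers 200 for every unknown path
        "status_code": 200,
        "body": "<html><body><h1>Welcome</h1></body></html>",
    },
    "error_echoing_sql": {   # error page that echoes a keyword but is not a dump
        "status_code": 404,
        "body": "Not found: INSERT INTO is not a route",
    },
    "actuator_env": {        # actuator /env answering in the clear
        "status_code": 200,
        "body": '{"systemEnvironment": {"JAVA_HOME": "/usr/lib/jvm/java-17"}}',
    },
}


def resolve(selector, response):
    """Map a rule selector to a value on the response (assumed semantics)."""
    if selector == "response.body.text":
        return response["body"]
    if selector == "response.status_code":
        return response["status_code"]
    if selector == "helpers.response.is_successful":
        # Assumption: "successful" means any 2xx status.
        return 200 <= response["status_code"] < 300
    raise KeyError(f"unsupported selector: {selector}")


def condition_holds(condition, response):
    """Evaluate one `- if:` entry against a response."""
    value = resolve(condition["if"], response)
    if "contains" in condition:
        return condition["contains"] in value
    if "regex" in condition:
        # Assumption: a regex condition is satisfied by a match anywhere in the body.
        return re.search(condition["regex"], value) is not None
    if "in" in condition:
        return value in condition["in"]
    if "is" in condition:
        return value == condition["is"]
    raise ValueError(f"no operator in condition: {condition}")


def rule_fires(detect, response):
    """Every entry of a detect block must hold: the entries are AND-combined."""
    return all(condition_holds(c, response) for c in detect)


def evaluate(detect, responses=SAMPLE_RESPONSES):
    """Return {sample name: fired?} for a detect block over the samples."""
    return {name: rule_fires(detect, resp) for name, resp in responses.items()}


if __name__ == "__main__":
    for label, detect in (("sql dump", SQL_DUMP_DETECT), ("actuator", ACTUATOR_DETECT)):
        print(label, evaluate(detect))
```

Running it shows why both conditions matter: the catch-all 200 page does not fire the dump rule because the body has no DDL/DML, and the 404 page that happens to echo `INSERT INTO` does not fire because its status is outside the allowed set; only the 206 partial dump fires. The same evaluator shows the actuator rule firing only on the 2xx body that contains `JAVA_HOME`.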
Properties¶
- user: The user to use for the request. If not provided, the request is sent without authentication.
- path: The path to use for the request.
- method: The method to use for the request.
- headers: The headers to use for the request. The key is the header name and the value is the header value.
- body: The body to use for the request.
- params: The query parameters to use for the request. The key is the parameter name and the value is the parameter value.
RAW HTTP Seeder¶
protocol: http
Inject a request at scan start, formatted as a raw HTTP message with a @Host directive. Use when you need full control over the wire format, want to call a host outside the scan target, or need non-standard headers / methods.
seed:
  - protocol: http
    raw: |
      @Host: https://example.com
      GET /debug HTTP/1.1
      Host: example.com
      Content-Type: application/json
In context — environment isolation check that hits an internal-only host:
Environment isolation — production reaches internal host¶
Use the raw HTTP seeder to call an internal-only host (internal.example.com) and alert on a successful response — the production environment is not isolated from internal services.
Multi-environment platforms expect production runtime to be network-isolated from internal/back-office services. When a production-runtime container can resolve and reach internal.example.com, a single SSRF or admin-route mistake becomes a path into the internal network.
This rule uses the raw HTTP seeder (with the @Host directive) so the request leaves the application's normal base_url and is sent to the internal hostname instead of the scan target.
When to use: Run from your production scanning posture, never from a developer laptop. Replace internal.example.com with the actual hostname you want to assert is unreachable.
OWASP: A05:2021 Security Misconfiguration · CWE: CWE-918
Severity rationale: HIGH when paired with any user-controlled URL fetch in the API; MEDIUM as a standalone configuration finding.
Features used: seed, detect, http raw seeder with @Host directive
rule:
  id: example-api-environment-isolation-internal-host
  type: API
  alert:
    name: Production environment can reach internal host
    context: |
      A request issued to `internal.example.com` from the production
      scanner returned a successful response. The runtime
      environment is not isolated from internal services.
    severity: HIGH
    category: REQUEST_FORGERY
  seed:
    - protocol: http
      raw: |
        @Host: https://internal.example.com
        GET /api/health HTTP/1.1
        Host: internal.example.com
  detect:
    - if: schema.url
      contains: internal.example.com
    - if: helpers.response.is_successful
      is: true
References:
- https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
- https://cwe.mitre.org/data/definitions/918.html
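The raw seeder's format (a leading @Host directive followed by a plain HTTP/1.1 message) is simple enough to parse by hand, which is useful when reviewing a rule set for seeds that leave the scan target. The following Python example is added here and is not the scanner's parser: it assumes directive lines come first, then the request line, headers, an optional blank line and body, and that @Host (falling back to the Host header) decides the destination. It parses both raw seeds shown above, the generic /debug example and the isolation rule, and reports whether each one is addressed outside the scan target.

```python
from urllib.parse import urlparse

# Raw seeds transcribed from this page (the generic example and the isolation rule).
DEBUG_SEED = """@Host: https://example.com
GET /debug HTTP/1.1
Host: example.com
Content-Type: application/json
"""
INTERNAL_SEED = """@Host: https://internal.example.com
GET /api/health HTTP/1.1
Host: internal.example.com
"""


def parse_raw_seed(raw):
    """Split a raw seed into @-directives and the HTTP message.

    Assumed layout: directive lines first, then the request line, header lines,
    an optional blank line and body.
    """
    lines = raw.strip("\n").splitlines()
    directives = {}
    while lines and lines[0].startswith("@"):
        name, _, value = lines.pop(0)[1:].partition(":")
        directives[name.strip()] = value.strip()
    if not lines:
        raise ValueError("raw seed has no request line")
    method, path, version = lines[0].split()
    headers, i = {}, 1
    while i < len(lines) and lines[i].strip():
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:])  # everything after the blank separator line
    return {
        "directives": directives,
        "method": method,
        "path": path,
        "version": version,
        "headers": headers,
        "body": body,
    }


def destination(parsed):
    """Where the request goes: the @Host URL when present, else the Host header (assumed fallback)."""
    target = parsed["directives"].get("Host")
    if target is None:
        target = "https://" + parsed["headers"]["Host"]
    return urlparse(target)


def leaves_scan_target(parsed, scan_target):
    """True when the seed is addressed to a host other than the scan target."""
    return destination(parsed).hostname != urlparse(scan_target).hostname


if __name__ == "__main__":
    for label, raw in (("debug", DEBUG_SEED), ("internal", INTERNAL_SEED)):
        parsed = parse_raw_seed(raw)
        print(label, parsed["method"], parsed["path"], "->", destination(parsed).geturl(),
              "leaves target:", leaves_scan_target(parsed, "https://example.com"))
```

A check like `leaves_scan_target` is a cheap guard to run over a rule repository before a scan: every seed that points off-target should be one you deliberately wrote, as in the isolation rule, rather than a stray host that slipped in from a copied request.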
For standard REST endpoints prefer the rest seeder (auto-fills host and scheme from the scan target).
Properties¶
- user: The user to use for the request. If not provided, the request is sent without authentication.
- raw: The raw HTTP request in Nuclei format.
WebApp seeders¶
On type: WEBAPP rules, the seed: block is a list of browser actions executed by a real Playwright-controlled browser before detection runs.
The Action Seeder runs a sequence of browser actions at the start of the scan.
Actions execute against a real Playwright-driven browser before the detection phase. Use them to authenticate, navigate to a target page, fill forms, or solve TOTP / magic-link challenges that the application requires before the rule's detect block can apply.
Actions bound to a custom rule are executed only when that rule is enabled. Disable the rule and the seed sequence is skipped.
Authenticated session bootstrap via form¶
A seed-only template that performs a full email + password sign-in via the browser form. Subsequent rules can stack on top with their own detect and additional seed actions.
The recurring scaffolding for any authenticated WebApp rule is the same: navigate to the login page, fill the form, submit, take a screenshot for evidence. This rule documents the canonical shape so other rules can reuse the same seed: block as a starting point.
The detector here intentionally only checks that the page rendered "Sign out" — it is the cheapest signal that the session was established.
When to use: As a starting template when authoring a new authenticated WebApp rule. Copy the seed block, append your own seed actions and detector.
OWASP: N/A — building block, not a vulnerability rule · CWE: N/A
Severity rationale: INFO — this is a building block, not a vulnerability rule.
Features used: seed, browser actions (goto, fill, click, wait_text), page_text detector
rule:
  id: example-webapp-seeder-auth-form
  type: WEBAPP
  alert:
    name: Authenticated session bootstrap (template)
    context: |
      Template seeder demonstrating an email + password sign-in
      via the browser form. Stack additional seed actions and a
      real detector on top to author a complete rule.
    severity: INFO
    category: CUSTOM
  seed:
    - action: goto
      url: https://example.com/login
    - action: fill
      locator: input[name="email"]
      value: tester@example.com
    - action: fill
      locator: input[name="password"]
      value: tester-password
    - action: click
      locator: button[type="submit"]
    - action: wait_text
      value: Sign out
      timeout: 10
  detect:
    - if: page_text
      contains: Sign out
References:
SSO bootstrap via emailed magic link¶
Navigate to the login page, request a magic link, follow the link from the test inbox, and assert the dashboard rendered.
Magic-link auth is increasingly common (Notion, Slack invites, most B2B tools). The custom-rule action set supports this natively via click_mail_magic_link, which polls the configured test inbox and follows the most recent magic link.
When to use: Apps using passwordless / magic-link sign-in. Pair with a dedicated test mailbox configured in your scan authentication settings.
OWASP: A07:2021 Identification and Authentication Failures · CWE: CWE-1390
Severity rationale: INFO — building block, not a vulnerability rule.
Features used: seed, browser actions (goto, fill, click, click_mail_magic_link, wait_text)
rule:
  id: example-webapp-seeder-magic-link
  type: WEBAPP
  alert:
    name: SSO magic-link bootstrap (template)
    context: |
      Template seeder demonstrating passwordless sign-in via an
      emailed magic link.
    severity: INFO
    category: CUSTOM
  seed:
    - action: goto
      url: https://example.com/login
    - action: fill
      locator: input[name="email"]
      value: tester@example.com
    - action: click
      locator: button[type="submit"]
    - action: click_mail_magic_link
      email_address: tester.escape@scan.escape.tech
      timeout: 60
    - action: wait_text
      value: Sign out
      timeout: 10
  detect:
    - if: page_text
      contains: Sign out
References:
Two-factor (TOTP) bootstrap during sign-in¶
Sign in with email + password, then complete the TOTP challenge using fill_totp against the configured authenticator secret.
Apps that gate sign-in behind TOTP multi-factor frequently break headless scans. The action set ships fill_totp (HOTP-secret based) and fill_mail_totp (mailbox-delivered code) so the seeder can complete the challenge without human intervention.
When to use: Apps with TOTP MFA enabled for the test account. Configure the HOTP secret in your scan authentication settings; the seeder will compute the current 6-digit code automatically.
OWASP: A07:2021 Identification and Authentication Failures · CWE: CWE-308
Severity rationale: INFO — building block, not a vulnerability rule.
Features used: seed, browser actions (goto, fill, click, fill_totp, wait_text)
rule:
  id: example-webapp-seeder-totp
  type: WEBAPP
  alert:
    name: TOTP MFA bootstrap (template)
    context: |
      Template seeder demonstrating sign-in through a TOTP MFA
      challenge using the `fill_totp` action.
    severity: INFO
    category: CUSTOM
  seed:
    - action: goto
      url: https://example.com/login
    - action: fill
      locator: input[name="email"]
      value: tester@example.com
    - action: fill
      locator: input[name="password"]
      value: tester-password
    - action: click
      locator: button[type="submit"]
    - action: fill_totp
      locator: input[name="otp"]
      secret: JBSWY3DPEHPK3PXP
    - action: click
      locator: button[type="submit"]
    - action: wait_text
      value: Sign out
      timeout: 10
  detect:
    - if: page_text
      contains: Sign out
References:
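The page states that `fill_totp` computes the current 6-digit code from the configured secret; the Python example below, added here and not the scanner's implementation, shows what that computation is (RFC 4226 HOTP over a time-step counter, as RFC 6238 defines it) so that a rule author can sanity-check a secret against a real authenticator app before wiring it into a seeder. It also includes a server-style verifier with a clock-skew window, which is the mitigation side of the same mechanism. The secret `JBSWY3DPEHPK3PXP` is the placeholder from the rule above; the other constant is the RFC test secret, used only to check the implementation against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Placeholder secret from the rule above; a real secret belongs in the scan's auth settings.
RULE_SECRET = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp) // step, digits)


def verify_totp(secret_b32, code, timestamp=None, step=30, skew=1):
    """Verifier-side check that tolerates `skew` steps of clock drift either way."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    print("RFC 6238 vector at T=59:", totp(RFC_TEST_SECRET, 59))
    print("current code for the rule's placeholder secret:", totp(RULE_SECRET))
```

Two practical consequences follow from the code: the seeder and the application must agree on the clock to within the verifier's skew window, so a scanner host with drifting time will fail the challenge even with the right secret; and because the code is a pure function of secret and time, the secret must be treated exactly like a password in rule repositories and scan settings.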