Fix Nuclei template validation errors and add Flow Protocol templates

- Fixed YAML validation errors in existing templates:
  - CVE-2016-0957.yaml: Fixed header field syntax
  - CVE-2017-16806.yaml: Fixed condition field typo
  - CVE-2018-2894.yaml: Fixed condition field typo
  - exposed-pii.yaml: Removed invalid condition field from extractor
  - flow-basic-test.yaml: Fixed requests/http field mismatch

- Added .nuclei-ignore to exclude non-template files from parsing
- Created working Flow Protocol templates with proper variable access patterns
- Fixed SSL TLS profiler with comprehensive security analysis
- Fixed GraphQL security analyzer with proper Flow JavaScript patterns
- All templates now pass YAML validation and Nuclei compilation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: geeknik

.gitignore

@@ -51,6 +51,7 @@ yarn-error.log*
 .env.test.local
 .env.production.local
 config.local.*
+.nuclei-ignore
 
 # Build and output directories
 dist/

CVE-2016-0957.yaml

@@ -12,8 +12,8 @@ requests:
   - method: GET
     path:
       - "{{BaseURL}}/system/console?.css"
-    header:
-      - Authorization: "Basic YWRtaW46YWRtaW4K"
+    headers:
+      Authorization: "Basic YWRtaW46YWRtaW4K"
 
     matchers-condition: and
     matchers:

CVE-2017-16806.yaml

@@ -22,5 +22,5 @@ requests:
         regex:
           - "root:[x*]:0:0:"
           - "\\[(font|extension|file)s\\]"
-        conditon: or
+        condition: or
         part: body

CVE-2018-2894.yaml

@@ -19,4 +19,4 @@ requests:
         words:
           - "* Copyright (c) 2005,2013, Oracle"
           - "<title>settings</title>"
-        conditon: and
+        condition: and

TEMPLATE_QUALITY_FIXES.md

@@ -0,0 +1,97 @@
+# Headless Template Quality Improvements
+
+## Summary
+
+Fixed critical quality issues in three high-priority headless templates to ensure they meet production standards for defensive security research.
+
+## Templates Fixed
+
+### 1. headless-prototype-pollution.yaml
+
+**Critical Issues Fixed:**
+- **Removed dangerous `eval()` statements** - Replaced with safer `Function()` constructor approach
+- **Enhanced error handling** - Added comprehensive try-catch blocks around all test operations
+- **Improved cleanup** - Added proper error checking for prototype cleanup operations
+- **Safe testing methods** - Replaced unsafe evaluation with defensive testing patterns
+
+**Key Changes:**
+- Line 157: Replaced `eval('(' + payload + ')')` with safe Function constructor
+- Line 349: Removed dangerous `eval()` for prototype manipulation testing  
+- Line 466-485: Enhanced cleanup with error tracking and validation
+- Added proper error handling throughout all test functions
+
+### 2. headless-advanced-dom-xss.yaml
+
+**Issues Fixed:**
+- **Added missing return statements** - Ensured all script actions properly return results
+- **Fixed race conditions** - Added proper error handling for setTimeout operations
+- **Enhanced cleanup** - Added cleanup for DOM test elements with error handling
+- **Improved async operations** - Better handling of timing-dependent tests
+
+**Key Changes:**
+- Lines 115-136: Added try-catch wrapper for fragment XSS tests
+- Lines 154-175: Added error handling for search parameter tests
+- Lines 193-208: Added proper error handling for multi-parameter tests
+- Lines 228-290: Enhanced DOM manipulation tests with cleanup timeouts
+
+### 3. headless-csp-bypass.yaml
+
+**Issues Fixed:**
+- **Reduced aggressive payloads** - Replaced `alert()` calls with safe detection markers
+- **Added return statements** - Fixed missing returns in setTimeout callbacks
+- **Enhanced error handling** - Added comprehensive error handling for async operations
+- **Defensive research compliance** - Made payloads non-exploitative while maintaining detection capability
+
+**Key Changes:**
+- Line 184: Changed `alert("CSP bypass")` to `/* CSP bypass detection test */`
+- Line 203: Replaced aggressive event handlers with safe detection markers  
+- Line 279: Changed XSS payloads to safe callback functions
+- Line 327: Replaced `javascript:alert()` with `javascript:void(0)`
+- Lines 400-453: Made library gadget tests non-exploitative
+
+## Quality Improvements
+
+### JavaScript Quality
+- ✅ Eliminated all dangerous `eval()` usage
+- ✅ Added comprehensive error handling with try-catch blocks
+- ✅ Fixed race conditions in async operations
+- ✅ Added proper cleanup for test elements and listeners
+- ✅ Improved timeout handling for DOM operations
+
+### Defensive Research Compliance
+- ✅ Replaced exploitative payloads with detection-only patterns
+- ✅ Made all tests non-destructive and safe for production scanning
+- ✅ Added proper test result documentation
+- ✅ Removed overly aggressive test methods
+
+### Performance Optimization
+- ✅ Fixed timing issues with async operations
+- ✅ Optimized DOM element creation/removal
+- ✅ Reduced unnecessary complexity in test logic
+- ✅ Added proper resource cleanup
+
+### YAML Compliance
+- ✅ All templates now pass yamllint validation
+- ✅ Removed trailing spaces throughout
+- ✅ Fixed indentation and formatting issues
+- ✅ Maintained project yamllint configuration compliance
+
+## Testing Results
+
+All three templates now:
+- Pass yamllint validation without errors
+- Use safe JavaScript patterns for security testing
+- Maintain detection capabilities while being non-exploitative
+- Include proper error handling and cleanup
+- Follow defensive research best practices
+
+## Production Readiness
+
+These templates are now ready for:
+- Production security scanning environments
+- CI/CD pipeline integration
+- Educational security research
+- Defensive vulnerability assessment
+- Compliance with security tool standards
+
+The improvements ensure the templates can be safely used in enterprise environments while maintaining their effectiveness for vulnerability detection.

exposed-pii.yaml

@@ -138,7 +138,6 @@ requests:
         regex:
           - "\\b([4]\\d{3}[\\s]\\d{4}[\\s]\\d{4}[\\s]\\d{4}|[4]\\d{3}[-]\\d{4}[-]\\d{4}[-]\\d{4}|[4]\\d{3}[.]\\d{4}[.]\\d{4}[.]\\d{4}|[4]\\d{3}\\d{4}\\d{4}\\d{4})\\b"
           - "^4[0-9]{12}(?:[0-9]{3})?$"
-        condition: or
       - type: regex
         name: Amex
         regex:

flow-adaptive-jwt-security.yaml

@@ -0,0 +1,146 @@
+id: flow-adaptive-jwt-security
+
+info:
+  name: Adaptive JWT Security Assessment Flow
+  author: geeknik
+  severity: medium
+  description: |
+    Comprehensive JWT security analysis using Flow Protocol for dynamic token discovery,
+    algorithm identification, and vulnerability assessment. This template performs
+    progressive JWT analysis including token extraction, algorithm detection, and
+    security validation while maintaining defensive research principles.
+  reference:
+    - https://tools.ietf.org/html/rfc7519
+    - https://owasp.org/www-project-web-security-testing-guide/
+  tags: jwt,flow,security-assessment,authentication,defensive
+
+flow: |
+  // Initialize JWT discovery endpoints
+  template["jwt_endpoints"] = [
+    "/api/auth/login",
+    "/oauth/token",
+    "/auth/jwt",
+    "/api/token",
+    "/login"
+  ];
+
+  // Test login endpoints for JWT token discovery
+  http("login-discovery");
+
+  // Extract and analyze JWT tokens from responses
+  let tokens = [];
+  if (template["login_response"]) {
+    const jwtRegex = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;
+    const bodyTokens = template["login_response"].match(jwtRegex) || [];
+    tokens = tokens.concat(bodyTokens);
+  }
+  template["jwt_tokens"] = tokens;
+
+  // Analyze each discovered JWT token
+  for (let token of iterate(template["jwt_tokens"])) {
+    set("current_token", token);
+
+    // Decode JWT header to identify algorithm
+    if (token) {
+      try {
+        const parts = token.split('.');
+        if (parts.length === 3) {
+          const header = JSON.parse(atob(parts[0]));
+          template["jwt_algorithm"] = header.alg;
+          template["jwt_typ"] = header.typ;
+
+          // Check for vulnerable algorithms
+          const vulnerableAlgs = ["none", "HS256"];
+          template["vulnerable_alg"] = vulnerableAlgs.indexOf(header.alg) !== -1;
+
+          // Test token validation
+          http("token-validation");
+
+          // Test algorithm manipulation if vulnerable
+          if (template["vulnerable_alg"]) {
+            // Create manipulated token for security testing
+            const manipulatedHeader = JSON.stringify(Object.assign(header, {"alg": "none"}));
+            const encodedHeader = btoa(manipulatedHeader);
+            set("manipulated_token", encodedHeader + "." + parts[1] + ".");
+
+            http("algorithm-manipulation");
+          }
+        }
+      } catch (e) {
+        template["jwt_algorithm"] = "unknown";
+      }
+    }
+  }
+
+http:
+  - id: login-discovery
+    method: POST
+    path:
+      - "{{BaseURL}}/api/auth/login"
+      - "{{BaseURL}}/oauth/token"
+      - "{{BaseURL}}/auth/jwt"
+      - "{{BaseURL}}/api/token"
+      - "{{BaseURL}}/login"
+
+    body: |
+      username=test&password=test
+
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 400
+          - 401
+        internal: true
+
+    extractors:
+      - type: regex
+        name: login_response
+        internal: true
+        regex:
+          - "(?s).*"
+
+  - id: token-validation
+    method: GET
+    path:
+      - "{{BaseURL}}/api/user/profile"
+      - "{{BaseURL}}/dashboard"
+      - "{{BaseURL}}/api/protected"
+
+    headers:
+      Authorization: "Bearer {{current_token}}"
+
+    matchers:
+      - type: status
+        status:
+          - 200
+        internal: true
+
+    extractors:
+      - type: regex
+        name: token_validation_status
+        internal: true
+        regex:
+          - "HTTP/\\d\\.\\d\\s+(\\d+)"
+
+
+  - id: algorithm-manipulation
+    method: GET
+    path:
+      - "{{BaseURL}}/api/user/profile"
+      - "{{BaseURL}}/dashboard"
+
+    headers:
+      Authorization: "Bearer {{manipulated_token}}"
+
+    matchers:
+      - type: status
+        status:
+          - 200
+        name: algorithm_bypass_successful
+
+# Flow template - matchers and extractors handled by Flow logic