Merge pull request #64 from dwisiswant0/docs/nuclei/add-skipping-secret-file-spec

olearycrew · web-flow · commit 1a7397ae9d23 · 2024-08-16T12:51:41.000-04:00
docs(nuclei): add skipping secret file spec
diff --git a/tools/nuclei/authenticated-scans.mdx b/tools/nuclei/authenticated-scans.mdx
@@ -63,6 +63,29 @@ Since authentication can be done in multiple ways, for example, using 3rd party
     - **Hashicorp Vault**
     - **AWS Secrets Manager**
 
+### Skipping Secret File
+
+<Note>This feature is available in Nuclei **v3.3.1**.</Note>
+
+If you provide a secret file to the Nuclei engine, it will automatically configure authentication or authorization for each request in the executed templates. In case you want to skip the secret configuration from the secret file and instead use hardcoded secrets or variables in specific templates, you can use the `skip-secret-file` _(bool)_ option. By setting this property to **true**, Nuclei will not apply the secrets to each request in that templates.
+
+**Example**
+
+```yaml
+variables:
+  username: foo
+  password: bar
+
+http:
+  - raw:
+      - |
+        GET /some-restricted-page HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+        Authorization: Basic {{base64(concat(username, ":", password))}}
+
+    skip-secret-file: true
+```
 
 ## Secret File Formats
 
@@ -273,7 +296,7 @@ info:
     WordPress Login template to use in workflows for authenticated wordpress testing.
   tags: wordpress,login
 
-requests:
+http:
   - raw:
       - |
         POST /wp-login.php HTTP/1.1
