How to write complex processing logic using YAML, such as implementing specific logic?

[Aliuyanfeng]

I want to implement a complex vulnerability verification using nuclei, and this does not limit itself to the use of external scripts.

[adilburaksen]

Nuclei has a few built-in mechanisms for complex logic without external scripts:

1. flow — JavaScript-based execution control
Controls which requests run and in what order, with full JS logic between them:

flow: |
  let r1 = http(1);
  if (r1) {
    http(2);
  }

2. Internal extractors — pass data between requests

extractors:
  - type: regex
    name: csrf_token
    internal: true
    regex:
      - 'name="_token" value="([^"]+)"'

Then reference with {{csrf_token}} in the next request body/header.

3. javascript protocol — full processing logic
For truly complex verification (custom crypto, multi-step chains, conditional parsing):

javascript:
  - code: |
      let resp = template['response'];
      let parsed = JSON.parse(resp);
      return parsed.role === 'admin' && parsed.id > 0;
    matchers:
      - type: dsl
        dsl:
          - response == true

4. DSL helper functions in matchers
Nuclei's DSL has 100+ helpers: regex(), contains(), md5(), base64_decode(), to_number(), compare_versions(), etc. Combine them with condition: and for multi-condition matching.

5. req-condition: true for correlating across multiple requests:

req-condition: true
matchers:
  - type: dsl
    dsl:
      - 'admin' in body_1
      - status_code_2 == 200
    condition: and

For most complex scenarios, flow + internal extractors handles it. The javascript protocol is the escape hatch for anything beyond that.