
Nuclei Vulnerability Scanner Cheat Sheet

Overview

Nuclei is a fast, template-based vulnerability scanner developed by ProjectDiscovery. It focuses on providing extensive configurability, massive extensibility, and ease of use. Nuclei uses YAML-based templates to define vulnerability detection logic, making it highly customizable and community-driven. The scanner is designed to have zero false positives by using templates that precisely define the detection methodology.

What sets Nuclei apart from other vulnerability scanners is its template ecosystem. The community-maintained nuclei-templates repository contains thousands of ready-to-use templates for detecting various security issues, from common vulnerabilities to complex security misconfigurations. This approach allows security professionals to share their detection methods and benefit from the collective knowledge of the security community.

Nuclei can scan various targets including web applications, APIs, networks, DNS, and more. Its modular architecture allows for easy extension to support new protocols and vulnerability types. The tool is widely used by security researchers, bug bounty hunters, and penetration testers to automate vulnerability detection across multiple targets efficiently.

Installation

Using Go

bash
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Verify installation
nuclei -version

Using Docker

bash
# Pull the latest Docker image
docker pull projectdiscovery/nuclei:latest

# Run Nuclei using Docker
docker run -it projectdiscovery/nuclei:latest -h

Using Homebrew (macOS)

bash
# Install using Homebrew
brew install nuclei

# Verify installation
nuclei -version

Using PDTM (ProjectDiscovery Tools Manager)

bash
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install Nuclei using PDTM
pdtm -i nuclei

# Verify installation
nuclei -version

On Kali Linux

bash
# Install using apt
sudo apt install nuclei

# Verify installation
nuclei -version

Basic Usage

Scanning a Single Target

bash
# Scan a single URL
nuclei -u https://example.com

# Scan with increased verbosity
nuclei -u https://example.com -v

# Scan with debug information
nuclei -u https://example.com -debug

Scanning Multiple Targets

bash
# Scan multiple URLs
nuclei -u https://example.com,https://test.com

# Scan from a list of URLs
nuclei -l urls.txt

# Scan from STDIN
cat urls.txt | nuclei

Template Selection

bash
# Scan with specific template
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml

# Scan with multiple templates
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml,cves/2021/CVE-2021-40438.yaml

# Scan with template directory
nuclei -u https://example.com -t cves/

# Scan with tags
nuclei -u https://example.com -tags cve,oast

# Exclude templates by tags
nuclei -u https://example.com -exclude-tags dos,fuzz

Output Options

bash
# Save results to a file
nuclei -u https://example.com -o results.txt

# Save results in JSON format
nuclei -u https://example.com -o results.json -j

# Export results in SARIF format
nuclei -u https://example.com -sarif-export results.sarif

# Export results in Markdown format (written to a directory)
nuclei -u https://example.com -markdown-export results-md/
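
The JSON output written with -j is one JSON object per line, which makes it easy to deduplicate findings and gate a scheduled scan on severity. The following is an added example, not part of the original cheat sheet or of Nuclei itself; the sample records are constructed, and the field names (template-id, info.severity, matched-at) are assumed to match the output of your Nuclei version.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample of `nuclei -j` output; hosts and template ids are illustrative.
SAMPLE_JSONL = """\
{"template-id": "tech-detect", "info": {"name": "Tech Detect", "severity": "info"}, "matched-at": "https://example.com"}
{"template-id": "exposed-admin", "info": {"name": "Admin Panel", "severity": "medium"}, "matched-at": "https://example.com/admin"}
{"template-id": "exposed-admin", "info": {"name": "Admin Panel", "severity": "medium"}, "matched-at": "https://example.com/admin"}
{"template-id": "example-rce", "info": {"name": "Example RCE", "severity": "critical"}, "matched-at": "https://test.com/api"}
this line is not JSON (for example a banner that leaked into the file)
"""

def parse_findings(text):
    """Parse JSONL text into unique findings, skipping blank or malformed lines."""
    seen, findings = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate stray non-JSON lines in the output file
        if not isinstance(rec, dict):
            continue
        info = rec.get("info") or {}
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key in seen:  # same template matched at the same location: report once
            continue
        seen.add(key)
        findings.append({"id": key[0], "matched_at": key[1],
                         "severity": str(info.get("severity", "unknown")).lower()})
    return findings

def gate(findings, fail_at="high"):
    """Return (exit_code, counts); exit code is 1 if any finding is at or above fail_at."""
    threshold = SEVERITY_ORDER.index(fail_at)
    counts = Counter(f["severity"] for f in findings)
    # Severities outside the known scale fail closed and block the pipeline.
    blocking = [f for f in findings if f["severity"] not in SEVERITY_ORDER
                or SEVERITY_ORDER.index(f["severity"]) >= threshold]
    return (1 if blocking else 0), dict(counts)

if __name__ == "__main__":
    code, counts = gate(parse_findings(SAMPLE_JSONL), fail_at="high")
    print(counts)
    raise SystemExit(code)
```

In a pipeline, read results.json instead of the embedded sample and use the exit code to fail the job.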

Rate Limiting

bash
# Limit requests per second
nuclei -u https://example.com -rate-limit 100

# Limit requests per minute
nuclei -u https://example.com -rate-limit-minute 300

# Bulk size for concurrent requests
nuclei -u https://example.com -bulk-size 25

# Concurrency for template execution
nuclei -u https://example.com -c 50

Advanced Usage

Severity Filtering

bash
# Scan only for critical severity issues
nuclei -u https://example.com -severity critical

# Scan for high and critical severity issues
nuclei -u https://example.com -severity high,critical

# Exclude low severity issues
nuclei -u https://example.com -exclude-severity low,info

Automatic Template Updates

bash
# Update templates to the latest version
nuclei -update-templates

# Update to a specific templates directory
nuclei -ud /path/to/templates

# Short form of the templates update
nuclei -ut

Proxy and Network Options

bash
# Use a proxy for HTTP requests
nuclei -u https://example.com -proxy http://127.0.0.1:8080

# Use SOCKS5 proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:1080

# Follow redirects
nuclei -u https://example.com -follow-redirects

# Follow host redirects
nuclei -u https://example.com -follow-host-redirects

Authentication

bash
# Basic authentication (sent as an Authorization header)
nuclei -u https://example.com -H "Authorization: Basic $(printf '%s' 'username:password' | base64)"

# Bearer token authentication
nuclei -u https://example.com -H "Authorization: Bearer YOUR_TOKEN"

# Cookie-based authentication
nuclei -u https://example.com -H "Cookie: session=123456"

Interactsh Integration

bash
# Enable Interactsh for OOB testing
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com

# Disable Interactsh
nuclei -u https://example.com -no-interactsh

# Set Interactsh polling interval and cooldown period (seconds)
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com -interactions-poll-duration 60 -interactions-cooldown-period 30

Workflow Execution

bash
# Execute a workflow
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml

# Execute multiple workflows
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml,workflows/jira-workflow.yaml

Headless Browser Support

bash
# Enable headless browser support
nuclei -u https://example.com -headless

# Set browser path
nuclei -u https://example.com -headless -browser-path /path/to/chrome

# Set page timeout
nuclei -u https://example.com -headless -page-timeout 20

Template Management

Template Structure

Nuclei templates are YAML files with the following basic structure:

yaml
id: template-id
info:
  name: Template Name
  author: Author Name
  severity: info|low|medium|high|critical
  description: Template description
  tags: tag1,tag2

requests:
  - method: GET
    path:
      - "{{BaseURL}}/path"
    matchers:
      - type: word
        words:
          - "sensitive data"

Creating Custom Templates

bash
# Create a basic template structure
cat > custom-template.yaml << EOF
id: custom-template
info:
  name: Custom Template
  author: Your Name
  severity: medium
  description: Detects a custom vulnerability
  tags: custom

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
    matchers:
      - type: word
        words:
          - "Admin Panel"
EOF

# Test the custom template
nuclei -u https://example.com -t custom-template.yaml

Template Validation

bash
# Validate a template
nuclei -validate -t custom-template.yaml

# Validate all templates in a directory
nuclei -validate -t templates/

Template Listing

bash
# List all available templates
nuclei -tl

# List templates by tags
nuclei -tl -tags cve,2021

# List templates by severity
nuclei -tl -severity critical

Integration with Other Tools

Pipeline with httpx

bash
# Discover subdomains and scan them
subfinder -d example.com | httpx | nuclei -t cves/

# Scan specific ports
naabu -host example.com -top-ports 100 -silent | httpx -silent | nuclei -t cves/

Integration with Notify

bash
# Send results to Slack
nuclei -u https://example.com -o results.txt | notify -provider slack

# Send critical findings to Discord
nuclei -u https://example.com -severity critical -j | notify -provider discord

Integration with GitHub Actions

yaml
# Example GitHub Action workflow
name: Nuclei Scan

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://example.com
          templates: cves/
          output: nuclei-results.txt

Best Practices

Performance Optimization

bash
# Use fast templates for initial scanning
nuclei -u https://example.com -tags tech

# Exclude time-consuming templates
nuclei -u https://example.com -exclude-templates ssl,fuzzing

# Optimize concurrency based on target
nuclei -u https://example.com -c 50 -bulk-size 20

# Use rate limiting to avoid overwhelming the target
nuclei -u https://example.com -rate-limit 100

Targeted Scanning

bash
# Scan for specific vulnerability types
nuclei -u https://example.com -tags wordpress,plugin

# Scan for recent CVEs
nuclei -u https://example.com -tags cve,2023

# Scan based on technology detection
httpx -u https://example.com -tech-detect | nuclei -t technologies/

Reducing Noise

bash
# Exclude common false positives
nuclei -u https://example.com -exclude-templates false-positives/

# Focus on high-impact issues
nuclei -u https://example.com -severity high,critical

# Filter out noisy templates
nuclei -u https://example.com -exclude-tags fuzz,dos

Regular Updates

bash
# Update templates regularly
nuclei -update-templates

# Update Nuclei to the latest version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Troubleshooting

Common Issues

  1. Template Errors

    bash
    # Check template syntax
    nuclei -validate -t custom-template.yaml
    
    # Debug template execution
    nuclei -u https://example.com -t custom-template.yaml -debug
  2. Rate Limiting by Target

    bash
    # Reduce request rate
    nuclei -u https://example.com -rate-limit 10
    
    # Add random delays
    nuclei -u https://example.com -rate-limit 10 -random-delay 5
  3. Memory Issues

    bash
    # Limit template concurrency
    nuclei -u https://example.com -c 10
    
    # Limit bulk size
    nuclei -u https://example.com -bulk-size 10
  4. Network Issues

    bash
    # Increase timeout
    nuclei -u https://example.com -timeout 10
    
    # Increase retries
    nuclei -u https://example.com -retries 3

Debugging

bash
# Enable debug mode
nuclei -u https://example.com -debug

# Show verbose output
nuclei -u https://example.com -v

# Show request and response details
nuclei -u https://example.com -debug-req -debug-resp

# Store HTTP requests and responses
nuclei -u https://example.com -store-resp

Configuration

Configuration File

Nuclei uses a configuration file located at $HOME/.config/nuclei/config.yaml. You can customize various settings in this file:

yaml
# Example configuration file
concurrency: 25
rate-limit: 150
bulk-size: 20
templates-directory: /path/to/templates
output: /path/to/output.txt
json: true
severity:
  - critical
  - high
  - medium
exclude-severity:
  - info
  - low

Environment Variables

bash
# Set Nuclei configuration via environment variables
export NUCLEI_CONCURRENCY=25
export NUCLEI_RATE_LIMIT=150
export NUCLEI_TEMPLATES_DIRECTORY=/path/to/templates
export NUCLEI_OUTPUT=/path/to/output.txt
export NUCLEI_JSON=true

Reference

Command Line Options

| Flag | Description |
|------|-------------|
| -u, -target | Target URL to scan |
| -l, -list | Path to file containing list of URLs to scan |
| -t, -templates | Templates to use for scanning |
| -tags | Tags to include templates by |
| -exclude-tags | Tags to exclude templates by |
| -o, -output | File to write output to |
| -j, -json | Write output in JSON format |
| -c, -concurrency | Number of concurrent requests |
| -rate-limit | Maximum number of requests per second |
| -timeout | Timeout in seconds for HTTP requests |
| -v, -verbose | Show verbose output |
| -debug | Show debug information |
| -update-templates | Update templates to latest version |
| -severity | Filter templates by severity |
| -exclude-severity | Exclude templates by severity |
| -interactsh-server | Interactsh server URL for OOB testing |
| -no-interactsh | Disable Interactsh for OOB testing |
| -follow-redirects | Follow HTTP redirects |
| -follow-host-redirects | Follow redirects on the same host |
| -max-redirects | Maximum number of redirects to follow |
| -headless | Enable headless browser support |
| -proxy | HTTP/SOCKS5 proxy to use |
| -H, -header | Custom header to add to all requests |
| -validate | Validate templates |
| -tl | List available templates |

Template Types

| Type | Description |
|------|-------------|
| HTTP | Web-based vulnerabilities |
| DNS | DNS-based vulnerabilities |
| File | Local file analysis |
| Network | Network protocol vulnerabilities |
| Headless | Browser-based vulnerabilities |
| SSL | SSL/TLS vulnerabilities |
| Websocket | Websocket vulnerabilities |
| Whois | Whois data analysis |
| Javascript | JavaScript analysis |
| Workflow | Multi-step vulnerability chains |

Matcher Types

| Type | Description |
|------|-------------|
| word | Match based on response containing specific words |
| regex | Match based on regular expressions |
| binary | Match based on binary response |
| status | Match based on HTTP status code |
| size | Match based on response size |
| dsl | Match using DSL expressions |
| xpath | Match using XPath expressions |
| jsonpath | Match using JSONPath expressions |
| gval | Match using GVAL expressions |
| kval | Match using key-value expressions |

Extractor Types

| Type | Description |
|------|-------------|
| regex | Extract data using regular expressions |
| kval | Extract key-value pairs |
| xpath | Extract data using XPath expressions |
| jsonpath | Extract data using JSONPath expressions |
| dsl | Extract data using DSL expressions |
| gval | Extract data using GVAL expressions |

This cheat sheet provides a comprehensive reference for using Nuclei, from basic scanning to advanced template creation and integration with other tools. For the most up-to-date information, always refer to the official documentation.