Nuclei Vulnerability Scanner Cheat Sheet
Overview
Nuclei is a fast, template-based vulnerability scanner developed by Project Discovery. It focuses on providing extensive configurability, massive extensibility, and ease of use. Nuclei uses YAML-based templates to define vulnerability detection logic, making it highly customizable and community-driven. The scanner is designed to have zero false positives by using templates that precisely define the detection methodology.
What sets Nuclei apart from other vulnerability scanners is its template ecosystem. The community-maintained nuclei-templates repository contains thousands of ready-to-use templates for detecting various security issues, from common vulnerabilities to complex security misconfigurations. This approach allows security professionals to share their detection methods and benefit from the collective knowledge of the security community.
Nuclei can scan various targets including web applications, APIs, networks, DNS, and more. Its modular architecture allows for easy extension to support new protocols and vulnerability types. The tool is widely used by security researchers, bug bounty hunters, and penetration testers to automate vulnerability detection across multiple targets efficiently.
Installation
Using Go
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Verify installation
nuclei -version
Using Docker
# Pull the latest Docker image
docker pull projectdiscovery/nuclei:latest
# Run Nuclei using Docker
docker run -it projectdiscovery/nuclei:latest -h
Using Homebrew (macOS)
# Install using Homebrew
brew install nuclei
# Verify installation
nuclei -version
Using PDTM (Project Discovery Tools Manager)
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
# Install Nuclei using PDTM
pdtm -i nuclei
# Verify installation
nuclei -version
On Kali Linux
# Install using apt
sudo apt install nuclei
# Verify installation
nuclei -version
Basic Usage
Scanning a Single Target
# Scan a single URL
nuclei -u https://example.com
# Scan with increased verbosity
nuclei -u https://example.com -v
# Scan with debug information
nuclei -u https://example.com -debug
Scanning Multiple Targets
# Scan multiple URLs
nuclei -u https://example.com,https://test.com
# Scan from a list of URLs
nuclei -l urls.txt
# Scan from STDIN
cat urls.txt|nuclei
Template Selection
# Scan with specific template
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml
# Scan with multiple templates
nuclei -u https://example.com -t cves/2021/CVE-2021-44228.yaml,cves/2021/CVE-2021-40438.yaml
# Scan with template directory
nuclei -u https://example.com -t cves/
# Scan with tags
nuclei -u https://example.com -tags cve,oast
# Exclude templates by tags
nuclei -u https://example.com -exclude-tags dos,fuzz
Output Options
# Save results to a file
nuclei -u https://example.com -o results.txt
# Save results in JSON format
nuclei -u https://example.com -o results.json -j
# Save results in SARIF format
nuclei -u https://example.com -o results.sarif -sarif
# Save results in Markdown format
nuclei -u https://example.com -o results.md -markdown
Rate Limiting
# Limit requests per second
nuclei -u https://example.com -rate-limit 100
# Limit requests per minute
nuclei -u https://example.com -rate-limit-minute 300
# Bulk size for concurrent requests
nuclei -u https://example.com -bulk-size 25
# Concurrency for template execution
nuclei -u https://example.com -c 50
Advanced Usage
Severity Filtering
# Scan only for critical severity issues
nuclei -u https://example.com -severity critical
# Scan for high and critical severity issues
nuclei -u https://example.com -severity high,critical
# Exclude low severity issues
nuclei -u https://example.com -exclude-severity low,info
Automatic Template Updates
# Update templates to the latest version
nuclei -update-templates
# Update to a specific templates directory
nuclei -update-directory /path/to/templates
# Update templates and exit
nuclei -update-templates -ut
Proxy and Network Options
# Use a proxy for HTTP requests
nuclei -u https://example.com -proxy http://127.0.0.1:8080
# Use SOCKS5 proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:1080
# Follow redirects
nuclei -u https://example.com -follow-redirects
# Follow host redirects
nuclei -u https://example.com -follow-host-redirects
Authentication
# Basic authentication
nuclei -u https://example.com -auth-type basic -auth-user username -auth-pass password
# Bearer token authentication
nuclei -u https://example.com -H "Authorization: Bearer YOUR_TOKEN"
# Cookie-based authentication
nuclei -u https://example.com -H "Cookie: session=123456"
Interactsh Integration
# Enable Interactsh for OOB testing
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com
# Disable Interactsh
nuclei -u https://example.com -no-interactsh
# Set Interactsh polling and timeout
nuclei -u https://example.com -interactsh-server https://your-interactsh-server.com -interactions-poll-duration 60 -interactions-cooldown-period 30
Workflow Execution
# Execute a workflow
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml
# Execute multiple workflows
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml,workflows/jira-workflow.yaml
Headless Browser Support
# Enable headless browser support
nuclei -u https://example.com -headless
# Set browser path
nuclei -u https://example.com -headless -browser-path /path/to/chrome
# Set page timeout
nuclei -u https://example.com -headless -page-timeout 20
Template Management
Template Structure
Nuclei templates are YAML files with the following basic structure:
id: template-id
info:
name: Template Name
author: Author Name
severity: info|low|medium|high|critical
description: Template description
tags: tag1,tag2
requests:
- method: GET
path:
- "\\\\{\\\\{BaseURL\\\\}\\\\}/path"
matchers:
- type: word
words:
- "sensitive data"
Creating Custom Templates
# Create a basic template structure
cat > custom-template.yaml << EOF
id: custom-template
info:
name: Custom Template
author: Your Name
severity: medium
description: Detects a custom vulnerability
tags: custom
requests:
- method: GET
path:
- "\\\\{\\\\{BaseURL\\\\}\\\\}/admin"
matchers:
- type: word
words:
- "Admin Panel"
EOF
# Test the custom template
nuclei -u https://example.com -t custom-template.yaml
Template Validation
# Validate a template
nuclei -validate -t custom-template.yaml
# Validate all templates in a directory
nuclei -validate -t templates/
Template Listing
# List all available templates
nuclei -tl
# List templates by tags
nuclei -tl -tags cve,2021
# List templates by severity
nuclei -tl -severity critical
Integration with Other Tools
Pipeline with httpx
# Discover subdomains and scan them
subfinder -d example.com|httpx|nuclei -t cves/
# Scan specific ports
naabu -host example.com -top-ports 100 -silent|httpx -silent|nuclei -t cves/
Integration with Notify
# Send results to Slack
nuclei -u https://example.com -o results.txt|notify -provider slack
# Send critical findings to Discord
nuclei -u https://example.com -severity critical -json|notify -provider discord
Integration with GitHub Actions
# Example GitHub Action workflow
name: Nuclei Scan
on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: https://example.com
templates: cves/
output: nuclei-results.txt
Best Practices
Performance Optimization
# Use fast templates for initial scanning
nuclei -u https://example.com -tags tech
# Exclude time-consuming templates
nuclei -u https://example.com -exclude-templates ssl,fuzzing
# Optimize concurrency based on target
nuclei -u https://example.com -c 50 -bulk-size 20
# Use rate limiting to avoid overwhelming the target
nuclei -u https://example.com -rate-limit 100
Targeted Scanning
# Scan for specific vulnerability types
nuclei -u https://example.com -tags wordpress,plugin
# Scan for recent CVEs
nuclei -u https://example.com -tags cve,2023
# Scan based on technology detection
httpx -u https://example.com -tech-detect|nuclei -t technologies/
Reducing Noise
# Exclude common false positives
nuclei -u https://example.com -exclude-templates false-positives/
# Focus on high-impact issues
nuclei -u https://example.com -severity high,critical
# Filter out noisy templates
nuclei -u https://example.com -exclude-tags fuzz,dos
Regular Updates
# Update templates regularly
nuclei -update-templates
# Update Nuclei to the latest version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Troubleshooting
Common Issues
- Template Errors ```bash # Check template syntax nuclei -validate -t custom-template.yaml
# Debug template execution nuclei -u https://example.com -t custom-template.yaml -debug ```
- Rate Limiting by Target ```bash # Reduce request rate nuclei -u https://example.com -rate-limit 10
# Add random delays nuclei -u https://example.com -rate-limit 10 -random-delay 5 ```
- Memory Issues ```bash # Limit template concurrency nuclei -u https://example.com -c 10
# Limit bulk size nuclei -u https://example.com -bulk-size 10 ```
- Network Issues ```bash # Increase timeout nuclei -u https://example.com -timeout 10
# Increase retries nuclei -u https://example.com -retries 3 ```
Debugging
# Enable debug mode
nuclei -u https://example.com -debug
# Show verbose output
nuclei -u https://example.com -v
# Show request and response details
nuclei -u https://example.com -debug -show-request -show-response
# Store HTTP requests and responses
nuclei -u https://example.com -store-resp
Configuration
Configuration File
Nuclei uses a configuration file located at $HOME/.config/nuclei/config.yaml. You can customize various settings in this file:
# Example configuration file
concurrency: 25
rate-limit: 150
bulk-size: 20
templates-directory: /path/to/templates
output: /path/to/output.txt
json: true
severity:
- critical
- high
- medium
exclude-severity:
- info
- low
Environment Variables
# Set Nuclei configuration via environment variables
export NUCLEI_CONCURRENCY=25
export NUCLEI_RATE_LIMIT=150
export NUCLEI_TEMPLATES_DIRECTORY=/path/to/templates
export NUCLEI_OUTPUT=/path/to/output.txt
export NUCLEI_JSON=true
Reference
Command Line Options
| Flag | Description |
|---|---|
-u, -target |
Target URL to scan |
-l, -list |
Path to file containing list of URLs to scan |
-t, -templates |
Templates to use for scanning |
-tags |
Tags to include templates by |
-exclude-tags |
Tags to exclude templates by |
-o, -output |
File to write output to |
-j, -json |
Write output in JSON format |
-c, -concurrency |
Number of concurrent requests |
-rate-limit |
Maximum number of requests per second |
-timeout |
Timeout in seconds for HTTP requests |
-v, -verbose |
Show verbose output |
-debug |
Show debug information |
-update-templates |
Update templates to latest version |
-severity |
Filter templates by severity |
-exclude-severity |
Exclude templates by severity |
-interactsh-server |
Interactsh server URL for OOB testing |
-no-interactsh |
Disable Interactsh for OOB testing |
-follow-redirects |
Follow HTTP redirects |
-follow-host-redirects |
Follow redirects on the same host |
-max-redirects |
Maximum number of redirects to follow |
-headless |
Enable headless browser support |
-proxy |
HTTP/SOCKS5 proxy to use |
-H, -header |
Custom header to add to all requests |
-validate |
Validate templates |
-tl |
List available templates |
Template Types
| Type | Description |
|---|---|
| HTTP | Web-based vulnerabilities |
| DNS | DNS-based vulnerabilities |
| File | Local file analysis |
| Network | Network protocol vulnerabilities |
| Headless | Browser-based vulnerabilities |
| SSL | SSL/TLS vulnerabilities |
| Websocket | Websocket vulnerabilities |
| Whois | Whois data analysis |
| Javascript | JavaScript analysis |
| Workflow | Multi-step vulnerability chains |
Matcher Types
| Type | Description |
|---|---|
word |
Match based on response containing specific words |
regex |
Match based on regular expressions |
binary |
Match based on binary response |
status |
Match based on HTTP status code |
size |
Match based on response size |
dsl |
Match using DSL expressions |
xpath |
Match using XPath expressions |
jsonpath |
Match using JSONPath expressions |
gval |
Match using GVAL expressions |
kval |
Match using key-value expressions |
Extractor Types
| Type | Description |
|---|---|
regex |
Extract data using regular expressions |
kval |
Extract key-value pairs |
xpath |
Extract data using XPath expressions |
jsonpath |
Extract data using JSONPath expressions |
dsl |
Extract data using DSL expressions |
gval |
Extract data using GVAL expressions |
Resources
- Official Documentation
- GitHub Repository
- Nuclei Templates Repository
- Project Discovery Discord
- Nuclei Template Creation Guide
This cheat sheet provides a comprehensive reference for using Nuclei, from basic scanning to advanced template creation and integration with other tools. For the most up-to-date information, always refer to the official documentation.