  • scanner
  • automation

Nuclei

Overview

Nuclei is a template-based scanner from ProjectDiscovery. YAML templates define HTTP/DNS/TCP/network requests, matchers (status, regex, DSL), and extractors. Thousands of community templates cover CVEs, misconfigs, and technology fingerprinting.

Execution is fast and parallel (`-c` sets concurrency, `-rate-limit` caps request rate). Templates are tagged by severity, author, and protocol. Workflows chain templates (e.g., detect tech → run targeted CVE checks).

Nuclei integrates with httpx, subfinder, and naabu in ProjectDiscovery (PD) recon pipelines, or use SIF as a single-binary alternative with nuclei compiled in. Custom templates suit internal apps with proprietary endpoints.

False positives happen when matchers are too loose; tune with `-tags`, `-severity`, and `-exclude-templates`. `-interactsh-url` enables out-of-band (OOB) detection, similar to Burp Collaborator.

Primary use cases

  • Mass external attack surface scanning after subdomain enum
  • CI/CD DAST gates with critical/high severity only
  • CVE regression checks after patch Tuesday
  • Detecting exposed admin panels, .git, backup files
  • Technology and config checks (S3 open buckets, default creds)

Key commands

Scan targets from file, critical/high only

nuclei -l urls.txt -severity critical,high -o findings.txt

Specific tags

nuclei -u https://target.example.com -tags cve,wordpress

Custom template

nuclei -u https://target.example.com -t ./custom/check-exposed-env.yaml
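
What a file like `./custom/check-exposed-env.yaml` could contain, written so the matchers are not "too loose" in the sense described in the overview. This is an added example, not a template from this page or from ProjectDiscovery; the `id`, `author`, and key-name pattern are assumptions.

```yaml
# Added example: hypothetical contents for ./custom/check-exposed-env.yaml.
# id, author and the key-name pattern are assumptions, not a published template.
id: check-exposed-env

info:
  name: Exposed .env file on internal app
  author: example-team
  severity: high
  description: Flags a world-readable dotenv file served from the web root.
  tags: exposure,config,custom

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    # A status-200 matcher on its own is the "too loose" case: catch-all
    # routes, soft-404 pages and honeypot endpoints return 200 for any path.
    # Requiring all three matchers keeps those out of the findings.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Body must contain at least one NAME=value line typical of dotenv files.
      - type: regex
        part: body
        regex:
          - '(?m)^[A-Z][A-Z0-9_]*(KEY|SECRET|PASSWORD|TOKEN)[A-Z0-9_]*='

      # Reject HTML error or login pages that merely mention those words.
      - type: word
        part: body
        words:
          - "<html"
        case-insensitive: true
        negative: true

    # Report which variable names were exposed, never their values.
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '(?m)^([A-Z][A-Z0-9_]*(?:KEY|SECRET|PASSWORD|TOKEN)[A-Z0-9_]*)='
```

Check the file with `nuclei -t ./custom/check-exposed-env.yaml -validate` before adding it to a CI run.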

Notable modules / features

  • Protocols: HTTP, DNS, TCP, SSL, WHOIS, code, headless browser
  • DSL for complex matchers and dynamic payloads
  • Reporting: JSON, SARIF, Markdown
  • Nuclei Templates GitHub repo with versioned CVE checks

Detection / defense notes

  • High-volume scanning is noisy in WAF/CDN logs; rate-limit and scope
  • Patch and reduce exposed services; templates lag zero-days
  • Honeypot endpoints can trigger false positive cascades

Related tools

  • nikto: Web server scanner. Tests for outdated software, dangerous files, and misconfigs.
  • Nmap: Network mapper. SYN/UDP scanning, service detection, NSE scripts, and OS fingerprinting. The baseline recon tool.
  • Burp Suite: HTTP/S intercepting proxy. Repeater, Intruder, scanner, and extension API for web app testing.
  • SIF: Go recon-to-exploit scanner in one static binary. Shared HTTP client, 25+ scan modules, nuclei compiled in. Pipelines from stdin.