nuclei
Template-based vulnerability scanner. Fast, customizable, and community-driven. ProjectDiscovery.
Quickstart
nuclei -u https://target.com
nuclei -u https://target.com -t cves/
nuclei -l urls.txt
nuclei -ut
Core Concepts
| Concept |
Description |
| Templates |
YAML files defining vulnerability checks |
| Tags |
Categories like cve, rce, xss, sqli |
| Severity |
info, low, medium, high, critical |
| Workflows |
Chain multiple templates together |
Syntax
nuclei -u <url> [options]
nuclei -l <file> [options]
cat urls.txt | nuclei [options]
Options
| Option |
Description |
-u <url> |
Single target URL |
-l <file> |
List of URLs |
- |
Read from stdin |
-resume <file> |
Resume scan from file |
Templates
| Option |
Description |
-t <path> |
Template path/directory |
-tl |
List available templates |
-tags <tags> |
Filter by tags |
-etags <tags> |
Exclude tags |
-s <severity> |
Filter by severity |
-es <severity> |
Exclude severity |
-author <name> |
Filter by author |
-nt |
New templates only |
-ut |
Update templates |
Output
| Option |
Description |
-o <file> |
Output file |
-json |
JSON output |
-jsonl |
JSON lines output |
-silent |
Silent mode |
-nc |
No color |
-v |
Verbose |
-debug |
Debug mode |
| Option |
Description |
-c <n> |
Concurrent templates (default 25) |
-rl <n> |
Rate limit per second |
-bs <n> |
Bulk size (hosts per template) |
-timeout <sec> |
Timeout |
-retries <n> |
Retries |
Interactsh (OOB)
| Option |
Description |
-iserver <url> |
Interactsh server |
-itoken <token> |
Interactsh token |
-ni |
Disable interactsh |
Misc
| Option |
Description |
-H "Header: val" |
Custom header |
-proxy <url> |
HTTP proxy |
-fr |
Follow redirects |
-ss |
Screenshot on match |
Recipes
Basic Scanning
nuclei -u https://target.com
nuclei -l urls.txt
cat urls.txt | nuclei
nuclei -u https://target.com -silent
Template Selection
nuclei -u https://target.com -t cves/2023/CVE-2023-1234.yaml
nuclei -u https://target.com -t cves/
nuclei -u https://target.com -tags cve,rce
nuclei -u https://target.com -tags xss,sqli
nuclei -u https://target.com -s critical,high
nuclei -u https://target.com -s medium,low,info
nuclei -u https://target.com -etags dos,fuzz
nuclei -u https://target.com -es info
Common Scan Types
nuclei -l urls.txt -t cves/
nuclei -l urls.txt -t technologies/
nuclei -l urls.txt -t exposed-panels/
nuclei -l urls.txt -t misconfiguration/
nuclei -l urls.txt -t default-logins/
nuclei -l urls.txt -t takeovers/
nuclei -l urls.txt -t exposures/
Full Recon Scan
nuclei -l urls.txt -s high,critical -o critical_findings.txt
nuclei -l urls.txt -json -o results.json
nuclei -l urls.txt -etags dos,fuzz -es info -o findings.txt
Integration Pipeline
subfinder -d target.com -silent | httpx -silent | nuclei -t cves/
katana -u https://target.com -silent | nuclei -silent
subfinder -d target.com -silent | \
httpx -silent | \
nuclei -s high,critical -o vulns.txt
Custom Templates
nuclei -u https://target.com -t /path/to/custom.yaml
nuclei -t custom.yaml -validate
nuclei -u https://target.com -t custom.yaml -proxy http://127.0.0.1:8080
Rate Limiting & Stealth
nuclei -l urls.txt -rl 10 -c 5
nuclei -l urls.txt -rl 5 -c 2
nuclei -l urls.txt -proxy http://127.0.0.1:8080
Template Management
nuclei -ut
nuclei -tl
nuclei -tl -tags cve
nuclei -nt -tl
Output & Parsing
nuclei -l urls.txt -json -o results.json
cat results.json | jq -r 'select(.info.severity == "high") | .host'
nuclei -l urls.txt -jsonl -o results.jsonl
nuclei -l urls.txt -me report/
Custom Template Structure
id: custom-check
info:
name: Custom Vulnerability Check
author: yourname
severity: medium
tags: custom
requests:
- method: GET
path:
- "{{BaseURL}}/admin"
matchers:
- type: status
status:
- 200
- type: word
words:
- "admin panel"
Troubleshooting
| Issue |
Solution |
| No results |
Check templates exist, try -v |
| Too slow |
Reduce -c, check network |
| Rate limited |
Add -rl, reduce concurrency |
| OOB not working |
Check interactsh server, use -debug |
| Template errors |
Run with -validate |
References