
Introduction:
Nuclei is a powerful open-source vulnerability scanner that uses YAML-based templates to detect thousands of known security issues across web applications, networks, and APIs. However, relying solely on default template collections—as most bug bounty hunters do—means competing against countless others scanning the same attack surface. The post by Deepak Saini highlights a critical shift: smart hunters build custom template collections tailored to specific targets, uncovering edge-case vulnerabilities and zero-day vectors that default scans consistently miss.
Learning Objectives:
- Understand the inherent limitations of default Nuclei templates and why they fail to detect business-logic flaws and proprietary API vulnerabilities.
- Learn to design, write, and test custom Nuclei templates using YAML syntax, matchers, extractors, and protocol-specific workflows.
- Implement automated custom template pipelines for Linux and Windows environments to scale bug hunting and continuous security assessments.
You Should Know:
1. Why Default Nuclei Templates Fail – And How to Identify Gaps
Default templates (from the `nuclei-templates` GitHub repo) cover known CVEs, misconfigurations, and common weak patterns. However, they cannot detect:
- Custom authentication bypass logic unique to a target.
- Internal API endpoints leaked in frontend JavaScript.
- Business logic flaws requiring multi-step interactions.
Step-by-step gap analysis:
1. Run a default scan against a test target (e.g., your own staging app) and save results:
```bash
nuclei -u https://testlab.com -t ~/nuclei-templates/ -json -o default_scan.json
```
2. Manually review the application for vulnerabilities you suspect exist but were not found.
3. Use `jq` to extract the template IDs that matched, with a hit count per template:
```bash
jq -r '.["template-id"]' default_scan.json | sort | uniq -c | sort -nr
```
4. Compare against the list of active endpoints (from a `gospider` or `ffuf` crawl). Endpoints not covered become candidates for custom templates.
5. Windows alternative: Use PowerShell and `Select-String` to parse JSON logs, or run the same tools via WSL2.
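The gap analysis above, as an added Python example (not from the original post): it reproduces the `jq` hit count per template ID and diffs the crawler's endpoint list against what the scan actually matched, normalizing away query strings so `?id=1` variants do not hide coverage. The `matched-at` field name follows nuclei's JSON output; the scan lines and endpoint list are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of nuclei JSON-lines output (not a real scan result)
SCAN_JSONL = """\
{"template-id":"tech-detect","info":{"severity":"info"},"matched-at":"https://testlab.com/"}
{"template-id":"tech-detect","info":{"severity":"info"},"matched-at":"https://testlab.com/login"}
{"template-id":"graphql-detect","info":{"severity":"info"},"matched-at":"https://testlab.com/graphql"}
"""

# Constructed crawl output, one endpoint per line (gospider/ffuf style)
CRAWLED = """\
https://testlab.com/login
https://testlab.com/graphql
https://testlab.com/api/v2/users?id=1
https://testlab.com/api/v2/export
"""


def normalize(url: str) -> str:
    """Reduce a URL to scheme://host/path so query strings do not mask coverage."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}{p.path or '/'}"


def template_hits(jsonl: str) -> Counter:
    """Equivalent of the jq | sort | uniq -c pipeline: number of matches per template-id."""
    return Counter(json.loads(line)["template-id"]
                   for line in jsonl.splitlines() if line.strip())


def uncovered_endpoints(jsonl: str, crawled: str) -> list[str]:
    """Endpoints the crawler saw that no template matched: candidates for custom templates."""
    covered = {normalize(json.loads(l)["matched-at"])
               for l in jsonl.splitlines() if l.strip()}
    seen = {normalize(u) for u in crawled.splitlines() if u.strip()}
    return sorted(seen - covered)


if __name__ == "__main__":
    print(template_hits(SCAN_JSONL).most_common())
    for ep in uncovered_endpoints(SCAN_JSONL, CRAWLED):
        print("no template coverage:", ep)
```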
2. Building Your First Custom Nuclei Template – YAML Anatomy
A custom template defines requests, matchers (to detect vulnerabilities), and extractors (to capture data like tokens or version strings).
Step-by-step guide to creating a template for a custom GraphQL introspection endpoint leak:
1. Create a file `graphql-introspection.yaml`:
```yaml
id: custom-graphql-introspection
info:
  name: Exposed GraphQL Introspection Endpoint
  author: yourhandle
  severity: medium
  description: Detects publicly accessible GraphQL introspection queries.
requests:
  - method: POST
    path:
      - "{{BaseURL}}/graphql"
    headers:
      Content-Type: application/json
    body: |
      {"query":"query { __schema { types { name } } }"}
    # nuclei combines matchers with OR by default; require both so a bare 200 is not a finding
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "__schema"
          - "types"
        condition: and
      - type: status
        status:
          - 200
```
2. Validate the template syntax:
```bash
nuclei -validate -t graphql-introspection.yaml
```
3. Run it against a target:
```bash
nuclei -u https://target.com -t graphql-introspection.yaml -verbose
```
4. For Windows, use the same commands inside PowerShell if `nuclei.exe` is installed, or via WSL.
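Added example, not code from the original post: a small re-implementation of how the two matcher types used above combine, showing why a template with both a `word` and a `status` matcher should set `matchers-condition: and` (nuclei's default is `or`, so any 200 response would fire). The two responses are constructed.

```python
# Constructed responses from a /graphql endpoint: one refuses introspection but still
# answers 200, the other leaks the schema.
RESP_NO_INTROSPECTION = {"status": 200,
                         "body": '{"errors":[{"message":"introspection disabled"}]}'}
RESP_LEAK = {"status": 200,
             "body": '{"data":{"__schema":{"types":[{"name":"Query"}]}}}'}


def eval_matcher(m: dict, resp: dict) -> bool:
    """Evaluate one nuclei-style matcher (word or status) against a response."""
    if m["type"] == "status":
        return resp["status"] in m["status"]
    if m["type"] == "word":
        hits = [w in resp["body"] for w in m["words"]]
        # a matcher's own `condition` defaults to "or" as well
        return all(hits) if m.get("condition", "or") == "and" else any(hits)
    raise ValueError(f"unsupported matcher type {m['type']}")


def template_matches(matchers: list, resp: dict, matchers_condition: str = "or") -> bool:
    """Combine the matcher results the way `matchers-condition` does (default: or)."""
    results = [eval_matcher(m, resp) for m in matchers]
    return all(results) if matchers_condition == "and" else any(results)


# The matchers from the graphql-introspection template above
GRAPHQL_MATCHERS = [
    {"type": "word", "words": ["__schema", "types"], "condition": "and"},
    {"type": "status", "status": [200]},
]

if __name__ == "__main__":
    # default OR: the non-leaking endpoint still "matches" because of the 200 alone
    print("default or  ->", template_matches(GRAPHQL_MATCHERS, RESP_NO_INTROSPECTION))
    print("and         ->", template_matches(GRAPHQL_MATCHERS, RESP_NO_INTROSPECTION, "and"))
    print("and on leak ->", template_matches(GRAPHQL_MATCHERS, RESP_LEAK, "and"))
```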
3. Extracting Custom Endpoints from JavaScript and Source Code
Modern SPAs and React apps leak hidden API routes in source maps and bundled JavaScript. Convert these findings directly into Nuclei templates.
Linux command pipeline to discover and template endpoints:
1. Download all JavaScript files from a target:
```bash
gau --subs target.com | grep '\.js$' | xargs curl -s > all_js.txt
```
2. Extract potential API endpoints using `grep` and regex (double quotes so the single quote inside the character class survives shell quoting):
```bash
grep -oP "https?://[^\"'\s]+/api/[^\"'\s]+" all_js.txt | sort -u > endpoints.txt
```
3. For each endpoint, generate a custom template to test for common flaws (e.g., IDOR). A small wrapper loop:
```bash
while read -r url; do
  # Nuclei template IDs may only contain letters, digits, '-' and '_', so
  # replace every other character (including '.' and '/') in the URL
  tid="custom-$(printf '%s' "$url" | tr -c 'a-zA-Z0-9' '_')"
  cat > template.yaml <<EOF
id: ${tid}
info:
  name: IDOR test on ${url}
  author: yourhandle
  severity: medium
requests:
  - method: GET
    path:
      - "${url}?user_id=1"
    matchers:
      - type: word
        words:
          - "admin"
          - "email"
EOF
  nuclei -t template.yaml -u https://target.com
done < endpoints.txt
```
4. Windows PowerShell method: Use `Invoke-WebRequest` and regex with `Select-String` to extract endpoints, then output YAML via Out-File.
4. Automating Custom Template Execution with Parallel Scanning
To scale bug hunting, execute multiple custom templates concurrently, log results, and trigger alerts.
Step-by-step automation script (Linux):
```bash
#!/bin/bash
# custom_scan.sh
TARGET=$1
CUSTOM_TEMPLATES_DIR="./custom_templates/"
OUTPUT_DIR="./nuclei_output/"
mkdir -p "$OUTPUT_DIR"
OUTFILE="$OUTPUT_DIR/scan_$(date +%Y%m%d_%H%M%S).json"

# Run nuclei with custom templates only, 100 concurrent threads
nuclei -u "$TARGET" -t "$CUSTOM_TEMPLATES_DIR" -c 100 -json -o "$OUTFILE"

# Send high-severity findings to a Slack webhook (example). nuclei writes one JSON
# object per line, so filter with jq and post one message per finding.
jq -c 'select(.info.severity == "critical" or .info.severity == "high")' "$OUTFILE" | \
while read -r finding; do
  tid=$(printf '%s' "$finding" | jq -r '.["template-id"]')
  curl -X POST -H 'Content-type: application/json' \
    --data "$(jq -cn --arg t "Critical finding on $TARGET: $tid" '{text: $t}')" YOUR_SLACK_WEBHOOK
done
```
For Windows (PowerShell + WSL or native):
- Use WSL to run the bash script directly.
- Or install `nuclei.exe` and use `Get-Date` for timestamped folders, then invoke `curl.exe` for notifications.
5. API Security Hardening Using Custom Nuclei Checks
Beyond default API templates, custom checks can identify misconfigurations in JWT, rate limits, and mass assignment vulnerabilities.
Custom template for JWT `none` algorithm bypass:
```yaml
id: jwt-none-algorithm-bypass
info:
  name: JWT alg:none Acceptance
  author: yourhandle
  severity: critical
requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/user/profile"
    headers:
      # header {"alg":"none","typ":"JWT"}, payload {"user":"admin"}, empty signature
      Authorization: "Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
    # require both matchers; a 200 alone must not count as acceptance of the token
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "admin"
          - "profile"
        part: body
```
Step-by-step mitigation testing:
- Capture a legitimate JWT from the target API.
- Decode it and change the `alg` header to `none` using a JWT debugger (e.g., `jwt_tool` Python script).
- Send the modified token with the custom Nuclei template.
- If the API accepts it, the vulnerability exists – write a report with proof-of-concept and propose enforcing signature validation.
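The remediation the last step proposes, as an added Python example (standard library only, not from the original post): decode the token used in the template above to show its `alg`, then a server-side `verify` that refuses any algorithm outside an allowlist before it ever looks at the signature. The HMAC secret and payloads are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Token from the template above: {"alg":"none","typ":"JWT"} . {"user":"admin"} . <empty signature>
ALG_NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
SECRET = b"constructed-demo-secret"  # constructed for this example only


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_header(token: str) -> dict:
    """Unverified peek at the JOSE header, e.g. to log which alg a client sent."""
    return json.loads(b64url_decode(token.split(".")[0]))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Issue a correctly signed HS256 token (used to produce a valid input for verify)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token: str, secret: bytes, allowed=("HS256",)) -> Optional[dict]:
    """Server-side check: algorithm allowlist first, then constant-time MAC comparison."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in allowed:  # "none", "None", RS256 etc. all stop here
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))
```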
6. Cloud Hardening: Custom Templates for AWS/Azure Misconfigurations
Public cloud assets often expose storage containers, metadata endpoints, or misconfigured IAM roles. Build custom Nuclei templates to detect these.
Custom S3 bucket permission template:
```yaml
id: custom-s3-bucket-listable
info:
  name: Publicly Listable S3 Bucket
  author: yourhandle
  severity: medium
requests:
  - method: GET
    path:
      - "{{BaseURL}}?prefix="
    matchers:
      - type: word
        words:
          - "<ListBucketResult"
          - "<Key>"
        condition: and
        part: body
    extractors:
      - type: regex
        regex:
          # non-greedy so every object key is captured separately
          - "<Key>(.*?)</Key>"
        part: body
```
How to use for cloud hardening:
- Enumerate subdomains and find s3.amazonaws.com endpoints (e.g., s3.amazonaws.com/bucket-name).
- Run the custom template against `https://bucket-name.s3.amazonaws.com/`.
- If the bucket lists objects, change permissions to private using the AWS CLI:
```bash
aws s3api put-bucket-acl --bucket bucket-name --acl private
```
- For Azure Blob, modify the template path to `https://account.blob.core.windows.net/container?restype=container&comp=list`.
7. Mitigation and Reporting: Validate and Remediate Before Disclosing
False positives are common. Every custom template finding must be manually verified.
Step-by-step validation process:
1. Run the custom template with the `-debug` flag to see raw requests and responses:
```bash
nuclei -t custom-finding.yaml -u https://target.com -debug > debug_output.txt
```
2. Replay the exact request using `curl` (Linux) or `Invoke-RestMethod` (Windows):
```bash
curl -X GET "https://target.com/vulnerable-endpoint?param=test" -H "X-Custom: value"
```
3. If confirmed, prepare a report including:
- The Nuclei template YAML used.
- A screenshot of the vulnerable response.
- A remediation suggestion (e.g., input sanitization, access control, etc.).
4. Write a bash script to automatically retest after fixes (continuous monitoring):
```bash
# nuclei exits 0 whether or not anything matched, so test for output rather than exit status
while true; do
  if [ -n "$(nuclei -t custom-finding.yaml -u https://target.com -silent)" ]; then
    echo "Still vulnerable!"
  fi
  sleep 3600
done
```
What Undercode Says:
- Key Takeaway 1: Default Nuclei templates create a crowded, low-value playing field. Custom templates tailored to a target’s unique attack surface are the only way to discover non-CVE vulnerabilities and business logic flaws.
- Key Takeaway 2: Automation is essential, but validation is paramount. A well-constructed custom template, combined with manual verification and cloud-specific hardening checks, transforms Nuclei from a noise generator into a precision bug-hunting weapon.
Analysis: The shift toward custom collections reflects a maturing bug bounty ecosystem. As automated scanners become ubiquitous, edge detection requires human-guided, target-specific logic. This post’s emphasis on custom templates aligns with the broader trend of AI-assisted YAML generation (e.g., using LLMs to write matchers from raw HTTP dumps). However, hunters must also master template syntax and HTTP internals to avoid false positives and ethical disclosure pitfalls. Undercode predicts that within 18 months, custom template creation will be a standard interview question for security engineer roles.
Prediction:
The next wave of Nuclei evolution will involve AI-driven template generation – where an LLM ingests a target’s OpenAPI spec, JavaScript bundles, and past vulnerability reports, then autonomously writes 50+ custom templates in seconds. This will widen the gap between organizations that invest in custom automation versus those relying on public templates. Simultaneously, defensive teams will adopt “anti-Nuclei” measures: detecting and blocking scanner-like request patterns, forcing hunters to use highly randomized, bespoke templates that mimic real user behavior. The arms race is inevitable; the winners will be those who start building custom collections today.
Reported By: Deepak Saini – Hackers Feeds