top of page
Writer's pictureotw

Vulnerability Scanning with Nuclei: The High-Speed, Customizable Solution for Advanced Vulnerability Scanning

Updated: Nov 12


Welcome back, my aspiring cyberwarriors!


Nuclei is an advanced, open-source vulnerability scanner that has gained significant popularity among cybersecurity professionals, penetration testers and developers. Known for its exceptional speed, high degree of customizability, and accuracy in identifying security vulnerabilities, misconfigurations, and potential exploits across a wide range of digital assets and networks. This article will explore what makes Nuclei unique, review its key features and limitations, guide you through installation, and cover how to use it efficiently.





If you're serious about cybersecurity, you've probably heard about Nuclei. This isn’t your average vulnerability scanner—it’s a powerhouse built for speed, flexibility, and precision. Nuclei has quickly become a favorite among penetration testers, cybersecurity pros, and developers alike, and for good reason. It’s open-source, highly customizable, and delivers the kind of accuracy that most scanners can only dream of.


In this article, we’ll break down what makes Nuclei such a game-changer, explore its key features, cover the installation process, and guide you step-by-step through using it like a pro. Whether you're hunting for web app bugs or locking down critical network infrastructure, Nuclei is a tool you’ll want in your arsenal.




Key features


Let's start by defining the key advantages that have made Nuclei so popular:


1.    Template-based architecture for easy customization and sharing

2.    Support for multiple protocols (HTTP, DNS, TCP, FILE, etc.)

3.    Extensive library of pre-built templates

4.    Ability to create custom templates for specific use cases

5.    Integration capabilities with other security tools and CI/CD pipelines

6.    Low false-positive rate due to its precise matching algorithms


History of scanners and Nuclei


Vulnerability scanners have been a cornerstone of cybersecurity practices since the early days of network security. The evolution of these tools reflects the changing landscape of cyber threats and defensive strategies:


1990s: Early network scanners like SATAN (Security Administrator Tool for Analyzing Networks) emerged, focusing on known vulnerabilities in network services.


2000s: Web application scanners became prevalent as web-based threats increased. Tools like Nikto and Nessus gained popularity.


2010s: Cloud-based and distributed scanning solutions appeared, addressing the needs of larger, more complex networks.


2020: Nuclei was released by ProjectDiscovery, introducing a new paradigm in vulnerability scanning. Its template-based approach and focus on community-driven development set it apart from traditional scanners.


Nuclei addressed several limitations of traditional scanners:


•   Speed: Many older scanners were slow, especially when scanning large networks.


•   Accuracy: False positives were a common issue, leading to wasted time and resources.


•   Flexibility: Traditional scanners often had limited customization options.


•   Update frequency: Nuclei's community-driven model allows for rapid updates to detect new vulnerabilities.



Benefits of Nuclei:


1.  Speed: Nuclei's concurrent scanning capabilities allow it to process multiple targets simultaneously, significantly reducing scan times.


2.  Customizability: Users can create, modify, and share templates to detect specific vulnerabilities or adapt to unique environments.


3.  Accuracy: The template-based approach, combined with precise matching algorithms, reduces false positives.


4.  Versatility: Nuclei supports multiple protocols, making it suitable for various scanning scenarios.


5.  Community-driven: A large, active community contributes to a constantly growing and updating template library.


6.  Integration: Nuclei can be easily integrated into existing security workflows and CI/CD pipelines.


7.  Extensibility: Users can extend Nuclei's functionality through custom scripts and integrations.



Disadvantages of Nuclei:


1.  Learning curve: Creating effective custom templates requires understanding of both the target systems and Nuclei's template syntax.


2.  Resource intensive: While fast, Nuclei can be resource-intensive when scanning large networks or using many templates simultaneously.


3.  Requires careful configuration: Improper configuration could lead to missed vulnerabilities or, conversely, unnecessary network noise.


Installing Nuclei


To install nuclei, we have to first install Google's go language. Although Python is still the most popular language for cybersecurity tools, the Go Language is making inroads.


1.    Install Go

kali> sudo apt update
kali> sudo apt install golang-go

2.    Install Nuclei:


3.    Add Nuclei to your PATH:

kali> echo 'export PATH=$PATH:~/go/bin' >> ~/.bashrc
kali> source ~/.bashrc

4.    After installation, verify Nuclei is working by running:

kali> nuclei -version

The basic syntax of nuclei configurations


To ensure Nuclei functions correctly, the following is required:


•   .yaml Extension - Each template must have a .yaml file extension.


•   Unique Identifier - Every template must begin with a unique identifier (ID), which should not contain any spaces.


Template Information


•   Required Fields - Each template must include the fields author, name, and severity. It is also recommended to add a detailed description, references, and tags to clarify the template's purpose and functionality.


info:

  name: First template

  author: Air

  severity: high

  description: My first Nuclei template

  tags: first,sqli,learn,nuclei


Requests:


   Making Requests - To interact with a web application, you must define at least one request in the template. A request specifies the method, path, headers, body, and other parameters. Requests are defined in the template using the http field.


Next, you need to define the HTTP method for interacting with the site. The request method can be GET, POST, PUT, DELETE, etc., depending on the requirements.


•   Specifying the Path - The path is specified using the path field. Here’s an example of a request where Nuclei will query the file “secret_file.txt”:


http:

  method: GET

  path:

    - "{{BaseURL}}/secret_file.txt"


Instead of a direct URL, I used {{BaseURL}}—these are dynamic variables that can be inserted into the path to modify its behavior during runtime. Variables start with {{ and end with }} and are case-sensitive like all things in Linux.


Examples of Dynamic Variables:


Variable

Value

{{BaseURL}}

https://example.com:443/foo/bar.php

{{RootURL}}

https://example.com:443

{{Hostname}}

{{Host}}

{{Port}}

443

{{Path}}

/foo

{{File}}

bar.php

{{Scheme}}

https



Matchers:


•   Validation (Matchers) - Matchers are used to verify that the responses to your requests meet certain criteria. For example, you can check for the presence of a specific string in the server's response or a particular HTTP status code.


There are six types of matchers:

Matcher Type

Purpose

status

Validates the response by its status code.

size

Validates the response by its size.

word

Checks for the presence of a specified word in the response.

regex

Validates the response using regular expressions.

binary

Checks the response encoded in hex.

dsl

Creates more complex expressions using auxiliary functions.



Real-life Scenario Using Nuclei to Find Vulnerabilities


Scenario: A cyberwarrior is assessing a web application (vesti.ru) for vulnerabilities.


Step # 1: Reconnaissance


The hacker first gathers information about the target, including subdomains:

kali> subfinder -d vesti.ru | tee subdomains.txt

The “tee” command in Unix-like systems is used to both display the output of a command in the terminal and simultaneously write that output to a file.



Step # 2: Create custom templates for potential SQL injection and XSS vulnerabilities


The hacker creates two custom templates to further investigate these issues:

SQL Injection template (sqli-check.yaml):

 


For training purposes, only two payloads were added.     

 

XSS template (xss-check.yaml):



Step # 3: Run custom scans


kali> nuclei -u https://vesti.ru -t sqli-check.yaml,xss-check.yaml -o custom_results.txt

It seems that this Russian site is not vulnerable to such simple payloads, which is expected, but I think you get the idea.


Summary


Nuclei represents a significant leap forward in vulnerability scanning technology. Its combination of speed, accuracy, and customizability makes it an indispensable tool for cyberwarriors.

Recent Posts

See All
bottom of page