Getting Started with Nuclei
12/05/2024 | Ethan Leitner - Partner, Security Specialist
Nuclei is a comprehensive tool for automated vulnerability scanning, designed to help security professionals detect a wide range of exploits using customizable templates. In this blog post we’ll explore Nuclei’s template system, how to use custom templates, key configuration options like rate limiting and multithreading, and how to include or exclude certain exploit severities.
Nuclei uses a declarative, template-based approach to define the types of scans it performs. Each template is a YAML file that specifies the details of the vulnerabilities or misconfigurations to scan for, making it easy to customize and share.
Template Structure
A typical Nuclei template contains the following key sections:
- Info: Contains metadata about the template, such as its name, author, severity, and tags.
- Request: Defines the HTTP requests or payloads sent to the target.
- Matchers: Specifies how Nuclei identifies a successful match, such as by response codes, response timing, headers, or body patterns.
Here’s an example template:
id: example-template
info:
  name: Example Template
  author: your-name
  severity: medium
requests:
  - method: GET
    path:
      - "{{BaseURL}}/example-path"
    matchers:
      - type: word
        words:
          - "Example Match"
Writing Your Own Templates
To create a custom template, follow the structure above and save the file with a .yaml extension in a directory accessible to Nuclei. You can modify the info and requests sections to fit your use case. For example, if you’re scanning for a specific header:
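id: header-check
info:
  name: Custom Header Check
  author: your-name
  severity: low
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      # Nuclei has no "header" matcher type; a word matcher with
      # part: header searches the response headers instead of the body.
      - type: word
        part: header
        words:
          - "X-Custom-Header"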
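The matcher kinds listed under Template Structure can also be combined in one request. The template below is an added example, not part of the original post: it goes one step beyond the header check above by reporting a page that loads successfully but does not send a Strict-Transport-Security header. The template id, name, tags and the choice of header are constructed for illustration.

```yaml
# Added example (not from the original post).
id: missing-hsts-example   # constructed id

info:
  name: Missing Strict-Transport-Security Header (example)
  author: your-name
  severity: info
  tags: misconfig,headers

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    # Both matchers must succeed before a finding is reported.
    matchers-condition: and
    matchers:
      # Only consider responses that actually loaded.
      - type: status
        status:
          - 200

      # negative: true inverts the matcher, so it succeeds when the
      # header name is absent from the response headers.
      - type: word
        part: header
        case-insensitive: true
        negative: true
        words:
          - "strict-transport-security"
```

Running Nuclei with the -validate flag against the file checks the template syntax before it is used in a scan.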
Using Existing Templates
Nuclei has a large repository of templates maintained by the community and project maintainers. You can find official templates in the Nuclei Templates GitHub repository. For community-created templates, platforms like HackTricks and security forums often share useful resources.
To use these templates, clone the repository or download the .yaml files to your local system. Then, point Nuclei to the directory containing the templates.
nuclei -t /path/to/templates
Key Configuration Options
Rate Limiting
Rate limiting allows you to control how many requests Nuclei sends per second. This can help you avoid overwhelming the target or triggering rate limits on web servers and portals like Cloudflare or other CDNs.
Use the -rl flag to set a limit on the number of requests per second:
nuclei -t /path/to/templates -rl 50
In this example, Nuclei will send up to 50 requests per second.
Threads
The -c flag controls the number of concurrent threads Nuclei uses. Adjusting this can help optimize performance based on your system resources and network conditions.
nuclei -t /path/to/templates -c 20
Here, Nuclei will use 20 threads to perform scans.
Severity Filtering
Nuclei templates include a severity field (e.g., info, low, medium, high, critical). You can filter templates based on these severities using the -severity and -exclude-severity flags:
To include only specific severities:
nuclei -t /path/to/templates -severity high,critical
To exclude specific severities:
nuclei -t /path/to/templates -exclude-severity info,low
This allows you to focus on exploits that match your risk tolerance for detection or your scanning goals.
Putting It All Together
Here’s an example command that uses multiple options:
nuclei -t /path/to/templates -rl 100 -c 50 -severity medium,high,critical
In this case, Nuclei will:
- Use templates from the specified directory.
- Limit requests to 100 per second.
- Use 50 threads.
- Scan only for exploits with medium, high, or critical severities.
Conclusion
Nuclei’s flexibility and template-driven design make it a powerful tool for vulnerability scanning. By leveraging custom templates, configuring rate limits and threads, and filtering by severity, you can tailor your scans to meet your specific needs. Be sure to explore the official Nuclei Templates GitHub repository and other resources for ready-made templates and inspiration.
Happy scanning!