DAST with Nuclei
Overview
Nuclei is a fast, template-based vulnerability scanner from ProjectDiscovery that uses YAML templates to detect security vulnerabilities, misconfigurations, and exposures across web applications, APIs, networks, and cloud infrastructure. With 7,000+ community templates covering CVEs, OWASP vulnerabilities, and custom checks, Nuclei provides efficient automated security testing with minimal false positives.
Quick Start
Installation
# Install via Go
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Or using Docker
docker pull projectdiscovery/nuclei:latest
# Update templates (automatically downloads 7000+ community templates)
nuclei -update-templates
Basic Vulnerability Scan
# Scan single target with all templates
nuclei -u https://target-app.com
# Scan with specific severity levels
nuclei -u https://target-app.com -severity critical,high
# Scan multiple targets from file
nuclei -list targets.txt -severity critical,high,medium -o results.txt
Quick CVE Scan
# Scan for specific CVEs
nuclei -u https://target-app.com -tags cve -severity critical,high
# Scan for recent CVEs
nuclei -u https://target-app.com -tags cve -severity critical -template-condition "contains(id, 'CVE-')"
Core Workflow
Workflow Checklist
Progress: [ ] 1. Install Nuclei and update templates to latest version [ ] 2. Define target scope (URLs, domains, IP ranges) [ ] 3. Select appropriate templates based on target type and risk tolerance [ ] 4. Configure scan parameters (rate limiting, severity, concurrency) [ ] 5. Execute scan with proper authentication if needed [ ] 6. Review findings, filter false positives, and verify vulnerabilities [ ] 7. Map findings to OWASP/CWE frameworks [ ] 8. Generate security report with remediation guidance
Work through each step systematically. Check off completed items.
Step 1: Template Selection and Target Scoping
Identify target applications and select relevant template categories:
# List available template categories
nuclei -tl
# List templates by tag
nuclei -tl -tags owasp
nuclei -tl -tags cve,misconfig
# Show template statistics
nuclei -tl -tags cve -severity critical | wc -l
Template Categories:
- cve: Known CVE vulnerabilities (7000+ CVE templates)
- owasp: OWASP Top 10 vulnerabilities
- misconfig: Common security misconfigurations
- exposed-panels: Admin panels and login pages
- takeovers: Subdomain takeover vulnerabilities
- default-logins: Default credentials
- exposures: Sensitive file and data exposures
- tech: Technology detection and fingerprinting
Target Scoping Best Practices:
- Create target list excluding third-party services
- Group targets by application type for focused scanning
- Define exclusions for sensitive endpoints (payment, logout, delete actions)
Step 2: Configure Scan Parameters
Set appropriate rate limiting and concurrency for target environment:
# Conservative scan (avoid overwhelming target)
nuclei -u https://target-app.com \
-severity critical,high \
-rate-limit 50 \
-concurrency 10 \
-timeout 10
# Aggressive scan (faster, higher load)
nuclei -u https://target-app.com \
-severity critical,high,medium \
-rate-limit 150 \
-concurrency 25 \
-bulk-size 25
Parameter Guidelines:
- rate-limit: Requests per second (50-150 typical, lower for production)
- concurrency: Parallel template execution (10-25 typical)
- bulk-size: Parallel host scanning (10-25 for multiple targets)
- timeout: Per-request timeout in seconds (10-30 typical)
For CI/CD integration patterns, see scripts/nuclei_ci.sh.
Step 3: Execute Targeted Scans
Run scans based on security objectives:
Critical Vulnerability Scan:
# Focus on critical and high severity issues
nuclei -u https://target-app.com \
-severity critical,high \
-tags cve,owasp \
-o critical-findings.txt \
-json -jsonl-export critical-findings.jsonl
Technology-Specific Scan:
# Scan specific technology stack
nuclei -u https://target-app.com -tags apache,nginx,wordpress,drupal
# Scan for exposed sensitive files
nuclei -u https://target-app.com -tags exposure,config
# Scan for authentication issues
nuclei -u https://target-app.com -tags auth,login,default-logins
API Security Scan:
# API-focused security testing
nuclei -u https://api.target.com \
-tags api,graphql,swagger \
-severity critical,high,medium \
-header "Authorization: Bearer $API_TOKEN"
Custom Template Scan:
# Scan with organization-specific templates
nuclei -u https://target-app.com \
-t custom-templates/ \
-t nuclei-templates/http/cves/ \
-severity critical,high
Step 4: Authenticated Scanning
Perform authenticated scans for complete coverage:
# Scan with authentication headers
nuclei -u https://target-app.com \
-header "Authorization: Bearer $AUTH_TOKEN" \
-header "Cookie: session=$SESSION_COOKIE" \
-tags cve,owasp
# Scan with custom authentication using bundled script
python3 scripts/nuclei_auth_scan.py \
--target https://target-app.com \
--auth-type bearer \
--token-env AUTH_TOKEN \
--severity critical,high \
--output auth-scan-results.jsonl
For OAuth, SAML, and MFA scenarios, see references/authentication_patterns.md.
Step 5: Results Analysis and Validation
Review findings and eliminate false positives:
# Parse JSON output for high-level summary
python3 scripts/parse_nuclei_results.py \
--input critical-findings.jsonl \
--output report.html \
--group-by severity
# Filter and verify findings
nuclei -u https://target-app.com \
-tags cve \
-severity critical \
-verify \
-verbose
Validation Workflow:
- Review critical findings first (immediate action required)
- Verify each finding manually (curl, browser inspection, PoC testing)
- Check for false positives using
references/false_positive_guide.md - Map confirmed vulnerabilities to OWASP Top 10 using
references/owasp_mapping.md - Cross-reference with CWE classifications for remediation patterns
Feedback Loop Pattern:
# 1. Initial scan
nuclei -u https://target-app.com -severity critical,high -o scan1.txt
# 2. Apply fixes to identified vulnerabilities
# 3. Re-scan to verify remediation
nuclei -u https://target-app.com -severity critical,high -o scan2.txt
# 4. Compare results to ensure vulnerabilities are resolved
diff scan1.txt scan2.txt
Step 6: Reporting and Remediation Tracking
Generate comprehensive security reports:
# Generate detailed report with OWASP/CWE mappings
python3 scripts/nuclei_report_generator.py \
--input scan-results.jsonl \
--output security-report.html \
--format html \
--include-remediation \
--map-frameworks owasp,cwe
# Export to SARIF for GitHub Security tab
nuclei -u https://target-app.com \
-severity critical,high \
-sarif-export github-sarif.json
See assets/report_templates/ for customizable report formats.
Automation & CI/CD Integration
GitHub Actions Integration
# .github/workflows/nuclei-scan.yml
name: Nuclei Security Scan
on: [push, pull_request]
jobs:
nuclei:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: https://staging.target-app.com
severity: critical,high
templates: cves,owasp,misconfig
- name: Upload Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: nuclei.sarif
Docker-Based CI/CD Scanning
# Run in CI/CD pipeline with Docker
docker run --rm \
-v $(pwd):/reports \
projectdiscovery/nuclei:latest \
-u $TARGET_URL \
-severity critical,high \
-json -jsonl-export /reports/nuclei-results.jsonl
# Check exit code and fail build on cr