What features would you want to see in nuclei?

[ehsandeep]

Hello 👋🏻

We are keeping this discussion open, so everyone can share and exchange ideas.
Let us know what features would you like to see implemented, or ideas around how we could ease and improve the automation of your security processes.

p.s. don't forget to look at the existing feature requests first

[ramvalyalal]

Subdomain enumeration

[nigamelastic]

An html report from the outputs would be great along with editable cvss score

[anirbandas09]

Subdomain enumeration

[forgedhallpass]

Did you know that you can use our subfinder tool for passive subdomain enumeration, and dnsx for subdomain brute-forcing using a wordlist, which also supports wildcard detection? The tools can be chained via piping and you can pass the results to nuclei.

A couple of examples:

echo example.com | subfinder | dnsx | httpx | nuclei  # use passive subdomain enum, validate it with dnsx, identify HTTP servers and do a nuclei scan on them
dnsx -silent -d example.com -w dns_worldlist.txt # brute-force subdomain enumeration

[HackerAndya]

It would be sound too lazy but I would like in have new implementation where info low medium high severity results will store in respective files. I know there’s flag to see results by severity. But if we implement this then it’ll be more easy for checking.

[RAVE-V]

An option to quickly execute sub domain enum, nuclei and pipe other commonly used tools for easy and quickly formatting the results from all those tools.

[forgedhallpass]

With regards to subdomain enumeration:
#2539 (reply in thread)

[pikpikcu]

Hi @ehsandeep added info impact in nuclei-tempaltes.

[FaizanAfridi1992]

Sub-domain enumeration

[ehsandeep]

@pikpikcu do you mean having impact information included as part of the nuclei template?

[pikpikcu]

@ehsandeep Yup for them for beginners it is very difficult to understand the impact that is generated.

[bakliwalp]

I would suggest a feature where nuclei will save the output of the scan results according to the scan. For ex- if the result gives out Info-Disclosure, CVE, API Key Disclosure,etc then all the result be saved in there respective folders. It would be helpful to see the segregated results.

[Zaarc]

I always thought nuclei has amazing potential to grow. I would suggest to make use of automation through integration with amass for subdomain enumeration. Imagine the power behind this. Fast and automatic. ♥️

[forgedhallpass]

With regards to subdomain enumeration:
#2539 (reply in thread)

[kubota]

Integration with amass, will be great! WOwwww

[thebinarybot]

🚀 Might sound crazy, but how about Web3 templates? How would templatizing solidity scans be?

The market is very new and I am not sure if this is possible. But given that we have automated scanners for Web3, this should be in the reach I guess.

[NickBot09]

A search engine functionality to search templates using a specific keyword for ex :- if we search for WordPress templates related to that could be displayed, this would ease the search of templates and instead of scanning all general category, we could scan according to target

P.s. general category here means all templates under low severity and like that

[forgedhallpass]

There are already multiple options to filter templates.

See the FILTERING category in the nuclei help:

FILTERING:
   -a, -author string[]               templates to run based on authors (comma-separated, file)
   -tags string[]                     templates to run based on tags (comma-separated, file)
   -etags, -exclude-tags string[]     templates to exclude based on tags (comma-separated, file)
   -itags, -include-tags string[]     tags to be executed even if they are excluded either by default or configuration
   -id, -template-id string[]         templates to run based on template ids (comma-separated, file)
   -eid, -exclude-id string[]         templates to exclude based on template ids (comma-separated, file)
   -it, -include-templates string[]   templates to be executed even if they are excluded either by default or configuration
   -et, -exclude-templates string[]   template or template directory to exclude (comma-separated, file)
   -em, -exclude-matchers string[]    template matchers to exclude in result
   -s, -severity value[]              templates to run based on severity. Possible values: info, low, medium, high, critical, unknown
   -es, -exclude-severity value[]     templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown
   -pt, -type value[]                 templates to run based on protocol type. Possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois
   -ept, -exclude-type value[]        templates to exclude based on protocol type. Possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois

Some examples:

nuclei -tags wordpress -vv # load and display all templates that have a wordpress tag
nuclei -tags wordpress -vv -exclude-severity info,low # the same as above, but excludes templates with low and information severities
nuclei -tl |& grep -i wordpress # you can use grep to filter the whole template list

You can also use the -automatic-scan flag that only executes templates related to technologies found by wappalyzer.

There's even a workflow that executes all relevant templates if the technology detection template founds hosts running WordPress.

[H2Cyber]

Is there a way to display the description of templates, or to search based on a particular CVE ?

[dexter-005]

Sub domain enumeration need to include. Love this project

[forgedhallpass]

With regards to subdomain enumeration: #2539 (reply in thread)

[azwisec]

Nuclei is a powerfull tool. I love to use

[ramsayotaku]

Currently, I'm happy with the features nuclei provides. It's an amazing project and helped alot. I'm new in cybersecurity and current features are enough for me.

Kudos to you all.

[ajmalabubakkr]

If there is a pdf/docx report generating option then it would be cool

[forgedhallpass]

Did you know that you can export in markdown format? We could indeed add PDF generation, but until that happens, you can use pandoc to generate PDFs from MarkDown files.

[ajmalabubakkr]

I am aware of the Markdown feature but , u know! some clients needs every scanning results in pdf/docx , thanks for suggesting pandoc , I will surely try ❤️

[daffainfo]

I want nuclei to automatically input the API key automatically from scanning using these template /file/keys to /token-spray template. So nuclei will work amazingly like trufflehog

But we need to create a apikey template with nice regex

[baibhavanand]

The JSON output gives a curl request which is great.
However, for some DNS issues, it would be great if it gave dig commands also in the JSON output.
Everything else feels superb, the tool is very well built.
KUDOS!

[johnk3r]

JA3/JA3s as we have in HTTPX.

[ehsandeep]

should be possible with tlsx integration - #2522, currently in the dev branch.

[ayadim]

in nuclei-burp-extension ..i hope you add drop-down list/ right click to scan a request in history with a nuclei template that i want, it will be great movment

[forgedhallpass]

Various scanning options will be added in version 1.2.x of the plugin. You can subscribe to the following ticket for updates: projectdiscovery/nuclei-burp-plugin#30 (comment)

[JaneX8]

Great tool but here are some hopefully helpful ideas:

• Follow up request(s) based on output(s) of previous request - Run a DNS query for every nameserver #2934. I can think of many cases where I could use this for DNS and HTTP requests
• Request succeeding matchers - Matchers conditions that succeed requests? #2936
• Port (open/filtered/closed) test ability - Detect open TCP ports #2940
• ICMP requests - Are ICMP requests possible? #2938
• Now WHOIS requests use an external API, the main thing I miss there is the Extensible Provisioning Protocol (EPP) information. Like epp#ok.
• DNA type TLSA support - Missing DNS type TLSA #2942
• Extractors that can return variable contents like from {{RDN}} or {{FQDN}}, that's helpful in some cases
• Ability to get the Pointer Record (PTR) record of an IP address
• An easier (or better documented) way do deal with cookies or specifically (one header line). Now I can use part: header but that is still matching over all headers while sometimes I want to check if a header exists and only then do additional matching on that particular header alone, not all other header contents.

Also, I think at some points the documentation lacks and could be better. But I understand that's time-consuming and it's an open source project. In particular I miss documentation regarding the use of more advanced regex. Like with matcher groups, non-matcher groups but also escaping characters in regex et cetera. Also documentation regarding TLS and WHOIS is very limited.

[ehsandeep]

@JaneX8 thanks for sharing all the suggestions; there are a couple of features that are already supported, but as you pointed out not documented very well, and we intend to update/improve them.

Feel free to join our community server - https://discord.gg/projectdiscovery if you have more ideas/questions for exisitng features.

[0xSebin]

A feature like a VPN or any to not getting IP blocked or blacklisted.
That would be nice.

[zy9ard3]

#2634

[marcelo321]

Removing "[INF] Skipped xxxx from target list as found unresponsive 30 times" as output

[ehsandeep]

#3138

[zy9ard3]

I believe it would be grateful if nuclei can be integrated with AWS API gateway ( like IProtate Burp Ext ) to spin up requests through Amazon API gateway to avoid IP based blockings and get more efficient results

I have seen the present Nuclei engine has feature of similar to the above on -p/ -proxy, but instead of providing input proxy list it will be more efficient if the requests start passing via automatic AWS API gateway

Refer : #2634

[ehsandeep]

@zy9ard3 AWS API gateway solution works against a single/targeted endpoint, unlike in nuclei, where you scan multiple targets, are you looking to use nuclei for a single target using this implementation?

[zy9ard3]

@ehsandeep

Yes, As the integration is possible over single host more specifically when running with query-fuzzing templates where possibilities of IPs being blocked by WAF even when it detects over one simple blacklisted payload word

Or can run against hosts from lists of targets which are blocked by WAF at first place

[zy9ard3]

Hello @projectdiscovery team,

It would be more helpful if get an implementation to compare matchers for fuzzing templates with part as ;

query_1 , query_2 , query_3 and so on... like other parts body_1, body_2, response_1, response_2, etc...

This can be helpful in detecting & confirming issues on time based and also to avoid false positives,

For ex ;

• The queries of request 1 can be treated as query_1
• The queries of request 2 can be treated as query_2
• And comparing the response time of request 1 vs request 2

Thanks & Regards,
@zy9ard3

[XTeam-Wing]

supports redis and implements distributed scanning

[cybertron10]

I want to see a burp plugin which can be integrated with nuclei to perform authenticated scan like its available in jaeles project
https://jaeles-project.github.io/installation/burp-integration/

[xli-world]

when will you support fuzzing on path, header, body and cookie

[MrCl0wnLab]

Shell Exec

• Possibility of, when detecting something positive, execute a shell command line.
• Possibility of, when detecting something positive, execute a shell command line in templates.

COMMAND LINE / accessing variables

Eg.:

nuclei --var HOST='https://blog.mrcl0wn.com/' -t my-template-wp-db.yaml --shell-exec 'python exploit.py -t "HOST"'

COMMAND LINE / accessing dynamic variables

• https://nuclei.projectdiscovery.io/templating-guide/protocols/http/
  Eg.:

nuclei -u 'https://142.251.132.X' -t ipwhois-shell-exec.yaml

TEMPLATE

Eg.:

id: check-string-shell-exec

info:
  name: Check String and Shell Exec
  author: Mrcl0wn
  description:  Check String and Execute the commands via shell and return the complete output as a string
  tags: shell
self-contained: true
requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        part: body
        words:
          - "STRING VULN"
      - type: status
        status:
          - 200
    shell-exec:
          - type: cmd
            cmd:
              - 'python exeploit.py {{BaseURL}}'

[huclilu]

I think it is a very good suggestion that the result can be output HTML report, which will help us see the vulnerability more clearly

[qianbenhyu]

perhaps we could use entity code to avoid xss injiection.

[huclilu]

Oh, you're right

[KarimReda-CS]

It would be great if it is possible for a matcher to be associated to a specific request. For example, let's say I want to test if after 5 attempts, I won't be able to input any username and password. To test that, I would send 6 requests and the block will happen only on the 6th one. The nuclei template that I write will need to trigger if the block didn't happen on the 6th request, but if I write a matcher, it would be also triggered by the first 5 which is kinda annoying. So it would be great if you would be able to associate the matcher to a specific request and not all of them.

[ehsandeep]

this is already supported, see https://docs.nuclei.sh/template-guide/http/base-http#request-condition

[TI4NLI4NG]

When there are multiple requests in a template, when using the - j parameter to output JSON format results, only the detailed data of one of the multiple requests will be saved in the results. Can other requests related to the vulnerability also be returned.

[PfiatDe]

A progressbar or pressing a button, e.g. "s" for a status (done, remaining requests, rate/s so far, ETA) would be cool.

[badboycxcc]

I hope to provide a service or API interface, through which I can upload URLs and yaml content, so that I can better use go code for integrated development