Where does nuclei fit into your pipeline/use cases?

[ehsandeep]

Hello 👋🏻

We are keeping this “Show and Tell” discussion open, so anyone can describe how and where they are utilizing nuclei. By sharing, you not only help the community, but also enable us, maintainers, to better prioritize features in our backlogs.

[bakliwalp]

Hello Nuclei Maintainers. Hope you all are doing well. First of all I would like to thank you for making such great tool. I love to use Nuclei so much. I use it on almost daily basis.
For me I have created my own Recon script in which I have enter the command for the Nuclei scan depending upon the results. So it helps me in my initial recon phase and help me to get a head start in my bug hunting process.
Again thank you for such great tool and keep making such great tool.

[themarkib]

I am doing some automation and currently learning to create custom templates to make my recon better.

[anuragdadhich78]

Can we go without custom templates?

[ghost]

YAML format makes it easy to create customizable templates and modify them on the run in case of changes in the infrastructure. Integrating those scans in the development cycle gives us the possibility to quickly run them at different stages in the development phase, even multiple times. The possibility to create tailored templates works wonders against false positives, differently from other scanners.

[azwisec]

Nice

[48h153k]

For recon and also to first scanning the target for its security postures and findings accordingly.

[Zer0CodeX]

Always start automation while do manual testing

[Cybergingey]

Currently learning to use yaml, so being able to use the custom yaml format is extremely useful!

[moein9]

I think nuclei need s YouTube channel to guide newbie to make their own templates,

Except that nuclei is 💯

[forgedhallpass]

Soon 😉

[nextep]

1st smoke test, if something comes up then functionality may be affected if plugged so no point to test further. Saves a lot of time

[nextep]

Thanks @forgedhallpass

[abdulx01]

I love nuclei that's amazing feature. It's very easy and powerful tool.for every bug hunter and Red Teamer.

[FaizanAfridi1992]

Currently new to this, exploring it.

[bhuwanpatidar]

Easy To find Hanging Fruits ...........

good for Enumeration too

At last it's the hurt of Hunters ..... :)

[zeeshan1991k]

CVE pentesting.

[MalwareJuice]

Just after subdomain enumeration

[Saket-taneja]

We would integrating it in the DAST Process or Test , Deploy and maintain to regurlarly check for the ongoing vulnerabilities

[geeknik]

My pipeline goes a little something like this:

subfinder -> dnsx -> naabu -> httpx -> nuclei
then other tools maybe, but this is what I like to use
To find subdomains and assets that I can abuse
With a little bit of luck, I'll find what I need
And get access to whatever I please

[parul-cloud]

Using nuclei for scanning is very optimal and very easy to use. Would love if the creators consider cloud security standpoint.

[AbhinavCSY]

Is there a Splunk app for this, I can install the Splunk app on my deployment and use the dashboard.

[AbhinavCSY]

Well, Nuclei have a wide range of rules written, and easy to create one. If possible can we have something on UI like https://editor.cilium.io/ , a whole interactive UI easy to understand and create rules.

[othaime-en]

I just started using it yesterday. So I am still trying to find the perfect fit on how I can use it to enhance my workflow. Iguess recon will be a good starting point.

[AXRoux]

I use nuclei as one of my main tools when conducting web application security assessments. It allows me to quickly and easily scan for a variety of vulnerabilities, which saves me a lot of time and makes my job easier. I would highly recommend nuclei to anyone looking for a fast and reliable vulnerability scanner. Additionally , the fact that it is based on a simple YAML-based DSL makes it very easy to use and customize. Overall, I believe nuclei is an excellent tool that can be extremely useful for web application security assessments.

[noraj]

Nuclei is integrated into reNgine that I use as all-in-one discovery platform installed on a VPS. I can throw a list of subdomain and have a general overview of the scope.

[shockz-offsec]

Always run nuclei while I'm doing some manual pentest.

[hasharmujahid]

Don't mind me .Here for a giveaway 😂

[DeepNakrani19]

Currently using default templates for vulnerability scanning. Still a lot to learn...😁

[shockz-offsec]

Ye its for giveaway xD I use custom templates for nuclei, and defaults for comon vulns like headers or some quick detection of software

[anindya14]

For me, since I am new to using nuclei.. I just stick to finding the low hanging fruits as of now.. but I plan on learning to write templates..

[casmpy]

Tbh, Nuclei is like work as catalyst to my recon.

[Ishaankumar0]

Awesome tool. Easy to understand YAML templates, and also pretty customizable. Tools like these are difficult to replace.

[chiekosec]

For "n" number of domains with "y" number of endpoints and "z" amount of payloads, it really increases the the complexity (nyz) and time to scan for certain issues. Thanks for the pd-nuclei for making this process reasonably simpler. I use it in my semi-automation scripts for appropriate notifications that saves me a ton of time as well with lesser false positives.

[XTeam-Wing]

I integrated it into my scanner as a lib library reference, but there would be a memory leak problem, and finally I could only use binary. Can I access redis

[ehsandeep]

but there would be a memory leak problem

@XTeam-Wing do you have more details to share about it? possibly open a GH issue with details?

[heywoodlh]

I set up Nuclei for cloud-native, automated vulnerability scanning in my Kubernetes cluster. How it works in my setup is that I have a helper container that populates a target list using Kubernetes' internal DNS resolution (i.e. someservice.default.svc.cluster.local), which Nuclei then uses to scan against. I have also configured Nuclei to upload to Project Discovery Cloud. See the details below for my full configuration.

The following configuration should work as-is with some requirements:

1. Internal Cluster DNS resolution for services needs to be working as expected in a default cluster: servicename.namespace.svc.cluster.local
2. Change the CHANGEME portion of the nuclei-api-key secret to match your Project Discovery Cloud API token

---

---
apiVersion: v1
kind: Namespace
metadata:
  name: nuclei
---
apiVersion: v1
kind: Secret
metadata:
  name: nuclei-api-key
  namespace: nuclei
data:
  api_key: CHANGEME
type: Opaque
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nuclei
  namespace: nuclei
  labels:
    app.kubernetes.io/name: nuclei
    app.kubernetes.io/instance: nuclei
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: nuclei
  name: nuclei
rules:
- apiGroups: [""]
  resources: ["services","namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["nuclei-target-list"]
  verbs: ["create", "update", "get", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  resourceNames: ["nuclei-target-updater-init"]
  verbs: ["get", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nuclei
  namespace: nuclei
subjects:
- kind: ServiceAccount
  name: nuclei
  namespace: nuclei
roleRef:
  kind: ClusterRole
  name: nuclei
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nuclei-conf
  namespace: nuclei
data:
  nuclei.conf: |-
    interactsh-server: http://nuclei-interactsh # should match the name of interactsh.service.name
    list: /config/target-list.txt
    # Headers to include with all HTTP request
    #header:
    #  - 'X-BugBounty-Hacker: h1/geekboy'
    # Directory based template execution
    #templates:
    #  - cves/
    #  - vulnerabilities/
    #  - misconfiguration/
    # Tags based template execution
    #tags: exposures,cve
    # Template Filters
    #tags: exposures,cve
    #author: geeknik,pikpikcu,dhiyaneshdk
    #severity: critical,high,medium
    # Template Allowlist
    #include-tags: dos,fuzz # Tag based inclusion (allows overwriting nuclei-ignore list)
    #include-templates: # Template based inclusion (allows overwriting nuclei-ignore list)
      #- vulnerabilities/xxx
      #- misconfiguration/xxxx
    # Template Denylist
    #exclude-tags: info # Tag based exclusion
    #exclude-templates: # Template based exclusion
      #- vulnerabilities/xxx
      #- misconfiguration/xxxx
    # Rate Limit configuration
    #rate-limit: 500
    #bulk-size: 50
    #concurrency: 50
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nuclei-target-list
  namespace: nuclei
---
apiVersion: v1
kind: Pod
metadata:
  name: nuclei-target-updater-init
  namespace: nuclei
spec:
  serviceAccountName: nuclei
  containers:
    - name: nuclei-target-updater
      image: "docker.io/heywoodlh/k8s-service-scanner:latest"
      imagePullPolicy: IfNotPresent
      command: ["/bin/bash", "-c"]
      args: [
        "/entrypoint | sort -u | tee /out/target-list.txt && kubectl create configmap -n nuclei nuclei-target-list --from-file=/out/target-list.txt --dry-run=client -o yaml | kubectl apply -f - && kubectl delete pod nuclei-target-updater-init -n nuclei"
      ]
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nuclei-target-updater
  namespace: nuclei
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: nuclei
          containers:
          - name: nuclei-target-updater
            image: "docker.io/heywoodlh/k8s-service-scanner:latest"
            imagePullPolicy: IfNotPresent
            command: ["/bin/bash", "-c"]
            args: [
              "/entrypoint | sort -u | tee /out/target-list.txt && kubectl create configmap -n nuclei nuclei-target-list --from-file=/out/target-list.txt --dry-run=client -o yaml | kubectl apply -f -"
            ]
          restartPolicy: OnFailure
---
apiVersion: v1
kind: Service
metadata:
  name: nuclei-interactsh
  namespace: nuclei
  labels:
    app.kubernetes.io/name: nuclei-interactsh
    app.kubernetes.io/instance: nuclei
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: nuclei-interactsh
    app.kubernetes.io/instance: nuclei
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nuclei-interactsh
  namespace: nuclei
  labels:
    app.kubernetes.io/name: nuclei-interactsh
    app.kubernetes.io/instance: nuclei
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nuclei-interactsh
      app.kubernetes.io/instance: nuclei
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nuclei-interactsh
        app.kubernetes.io/instance: nuclei
    spec:
      serviceAccountName: nuclei
      containers:
        - name: nuclei-interactsh
          image: "docker.io/projectdiscovery/interactsh-server:v1.1.9"
          imagePullPolicy: IfNotPresent
          command: ["interactsh-server", "-skip-acme", "-d", "nuclei-interactsh"]
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nuclei
  namespace: nuclei
spec:
  schedule: "0 0 * * Sun"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: nuclei
            image: "docker.io/heywoodlh/nuclei:v3.2.0-dev"
            imagePullPolicy: IfNotPresent
            command: ["/bin/ash", "-c"]
            args: [
              "nuclei -config=/config/nuclei.conf -iserver 'http://nuclei-interactsh' -auth=$(NUCLEI_API_KEY) -cloud-upload"
            ]
            env:
              - name: NUCLEI_API_KEY
                valueFrom:
                  secretKeyRef:
                    name: nuclei-api-key
                    key: api_key
            volumeMounts:
              - name: nuclei-conf
                mountPath: /config/nuclei.conf
                subPath: nuclei.conf
              - name: nuclei-target-list
                mountPath: /config/target-list.txt
                subPath: target-list.txt
          restartPolicy: OnFailure
          volumes:
            - name: nuclei-conf
              configMap:
                name: nuclei-conf
            - name: nuclei-target-list
              configMap:
                name: nuclei-target-list

[ehsandeep]

@heywoodlh thank you for sharing this!

[olearycrew]

This is great - thanks for sharing @heywoodlh !