
dast-nuclei


Fast, template-based vulnerability scanning using ProjectDiscovery's Nuclei with extensive community templates covering CVEs, OWASP Top 10, misconfigurations, and security issues across web applications, APIs, and infrastructure. Use when: (1) Performing rapid vulnerability scanning with automated CVE detection, (2) Testing for known vulnerabilities and security misconfigurations in web apps and APIs, (3) Running template-based security checks in CI/CD pipelines with customizable severity thresholds, (4) Creating custom security templates for organization-specific vulnerability patterns, (5) Scanning multiple targets efficiently with concurrent execution and rate limiting controls.

Tags: appsec, dast, nuclei, vulnerability-scanning, cve, owasp, api-testing, automation, templates, assets

What this skill does


# DAST with Nuclei

## Overview

Nuclei is a fast, template-based vulnerability scanner from ProjectDiscovery that uses YAML templates to detect
security vulnerabilities, misconfigurations, and exposures across web applications, APIs, networks, and cloud
infrastructure. With 7,000+ community templates covering CVEs, OWASP vulnerabilities, and custom checks, Nuclei
provides efficient automated security testing with minimal false positives.

## Quick Start

### Installation

```bash
# Install via Go
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Or using Docker
docker pull projectdiscovery/nuclei:latest

# Update templates (automatically downloads 7000+ community templates)
nuclei -update-templates
```

### Basic Vulnerability Scan

```bash
# Scan single target with all templates
nuclei -u https://target-app.com

# Scan with specific severity levels
nuclei -u https://target-app.com -severity critical,high

# Scan multiple targets from file
nuclei -list targets.txt -severity critical,high,medium -o results.txt
```

### Quick CVE Scan

```bash
# Scan for specific CVEs
nuclei -u https://target-app.com -tags cve -severity critical,high

# Restrict the run to templates whose id contains 'CVE-' (-template-condition takes a DSL expression over template metadata)
nuclei -u https://target-app.com -tags cve -severity critical -template-condition "contains(id, 'CVE-')"
```

## Core Workflow

### Workflow Checklist

Progress:
[ ] 1. Install Nuclei and update templates to latest version
[ ] 2. Define target scope (URLs, domains, IP ranges)
[ ] 3. Select appropriate templates based on target type and risk tolerance
[ ] 4. Configure scan parameters (rate limiting, severity, concurrency)
[ ] 5. Execute scan with proper authentication if needed
[ ] 6. Review findings, filter false positives, and verify vulnerabilities
[ ] 7. Map findings to OWASP/CWE frameworks
[ ] 8. Generate security report with remediation guidance

Work through each step systematically. Check off completed items.

### Step 1: Template Selection and Target Scoping

Identify target applications and select relevant template categories:

```bash
# List available template categories
nuclei -tl

# List templates by tag
nuclei -tl -tags owasp
nuclei -tl -tags cve,misconfig

# Count how many critical-severity CVE templates would be loaded
nuclei -tl -tags cve -severity critical | wc -l
```

**Template Categories:**
- **cve**: Known CVE vulnerabilities (7000+ CVE templates)
- **owasp**: OWASP Top 10 vulnerabilities
- **misconfig**: Common security misconfigurations
- **exposed-panels**: Admin panels and login pages
- **takeovers**: Subdomain takeover vulnerabilities
- **default-logins**: Default credentials
- **exposures**: Sensitive file and data exposures
- **tech**: Technology detection and fingerprinting

**Target Scoping Best Practices:**
- Create target list excluding third-party services
- Group targets by application type for focused scanning
- Define exclusions for sensitive endpoints (payment, logout, delete actions)

### Step 2: Configure Scan Parameters

Set appropriate rate limiting and concurrency for target environment:

```bash
# Conservative scan (avoid overwhelming target)
nuclei -u https://target-app.com \
  -severity critical,high \
  -rate-limit 50 \
  -concurrency 10 \
  -timeout 10

# Aggressive scan (faster, higher load)
nuclei -u https://target-app.com \
  -severity critical,high,medium \
  -rate-limit 150 \
  -concurrency 25 \
  -bulk-size 25
```

**Parameter Guidelines:**
- **rate-limit**: Requests per second (50-150 typical, lower for production)
- **concurrency**: Parallel template execution (10-25 typical)
- **bulk-size**: Parallel host scanning (10-25 for multiple targets)
- **timeout**: Per-request timeout in seconds (10-30 typical)

For CI/CD integration patterns, see `scripts/nuclei_ci.sh`.

### Step 3: Execute Targeted Scans

Run scans based on security objectives:

**Critical Vulnerability Scan:**
```bash
# Focus on critical and high severity issues; text output goes to -o,
# machine-readable JSONL (one finding per line) to -jsonl-export
nuclei -u https://target-app.com \
  -severity critical,high \
  -tags cve,owasp \
  -o critical-findings.txt \
  -jsonl-export critical-findings.jsonl
```

**Technology-Specific Scan:**
```bash
# Scan specific technology stack
nuclei -u https://target-app.com -tags apache,nginx,wordpress,drupal

# Scan for exposed sensitive files
nuclei -u https://target-app.com -tags exposure,config

# Scan for authentication issues
nuclei -u https://target-app.com -tags auth,login,default-logins
```

**API Security Scan:**
```bash
# API-focused security testing
nuclei -u https://api.target.com \
  -tags api,graphql,swagger \
  -severity critical,high,medium \
  -header "Authorization: Bearer $API_TOKEN"
```

**Custom Template Scan:**
```bash
# Scan with organization-specific templates
nuclei -u https://target-app.com \
  -t custom-templates/ \
  -t nuclei-templates/http/cves/ \
  -severity critical,high
```

### Step 4: Authenticated Scanning

Perform authenticated scans for complete coverage:

```bash
# Scan with authentication headers
nuclei -u https://target-app.com \
  -header "Authorization: Bearer $AUTH_TOKEN" \
  -header "Cookie: session=$SESSION_COOKIE" \
  -tags cve,owasp

# Scan with custom authentication using bundled script
python3 scripts/nuclei_auth_scan.py \
  --target https://target-app.com \
  --auth-type bearer \
  --token-env AUTH_TOKEN \
  --severity critical,high \
  --output auth-scan-results.jsonl
```

For OAuth, SAML, and MFA scenarios, see `references/authentication_patterns.md`.

### Step 5: Results Analysis and Validation

Review findings and eliminate false positives:

```bash
# Parse JSON output for high-level summary
python3 scripts/parse_nuclei_results.py \
  --input critical-findings.jsonl \
  --output report.html \
  --group-by severity

# Re-run the critical CVE checks with full response output so each match
# can be confirmed by hand before it is reported
nuclei -u https://target-app.com \
  -tags cve \
  -severity critical \
  -debug-resp \
  -verbose
```

**Validation Workflow:**
1. Review critical findings first (immediate action required)
2. Verify each finding manually (curl, browser inspection, PoC testing)
3. Check for false positives using `references/false_positive_guide.md`
4. Map confirmed vulnerabilities to OWASP Top 10 using `references/owasp_mapping.md`
5. Cross-reference with CWE classifications for remediation patterns

**Feedback Loop Pattern:**
```bash
# 1. Initial scan
nuclei -u https://target-app.com -severity critical,high -o scan1.txt

# 2. Apply fixes to identified vulnerabilities

# 3. Re-scan to verify remediation
nuclei -u https://target-app.com -severity critical,high -o scan2.txt

# 4. Compare results to ensure vulnerabilities are resolved
#    (sort first: finding order varies between runs because templates execute concurrently)
diff <(sort scan1.txt) <(sort scan2.txt)
```
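The analysis in this step and the CI severity gate in the Automation section both come down to reading Nuclei's JSONL output. The following Python is an added example, not the skill's bundled `scripts/parse_nuclei_results.py`: it collapses duplicate matches, summarizes findings by severity, fails a build when anything meets a severity threshold, and compares two scans by finding key rather than line order. It assumes Nuclei's JSONL field names `template-id`, `matched-at`, `host` and `info.severity`; the sample findings below are constructed placeholders, not real scan output.

```python
"""Parse Nuclei JSONL results, gate on severity, and diff two scans."""
import json
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings in Nuclei's JSONL shape (not real scan output);
# template ids and hosts are placeholders. SCAN2 repeats one finding on purpose.
SCAN1 = """\
{"template-id": "cve-example-rce", "matched-at": "https://target-app.com/login", "info": {"name": "Example RCE", "severity": "critical"}}
{"template-id": "misconfig-missing-headers", "matched-at": "https://target-app.com/", "info": {"name": "Missing headers", "severity": "info"}}
{"template-id": "exposure-example-config", "matched-at": "https://target-app.com/config.bak", "info": {"name": "Config exposure", "severity": "medium"}}
"""
SCAN2 = """\
{"template-id": "misconfig-missing-headers", "matched-at": "https://target-app.com/", "info": {"name": "Missing headers", "severity": "info"}}
{"template-id": "exposure-example-config", "matched-at": "https://target-app.com/config.bak", "info": {"name": "Config exposure", "severity": "medium"}}
{"template-id": "exposure-example-config", "matched-at": "https://target-app.com/config.bak", "info": {"name": "Config exposure", "severity": "medium"}}
"""

def parse_findings(jsonl_text):
    """Unique findings keyed by (template-id, matched-at) -> severity.
    Duplicate matches collapse; blank or malformed lines are skipped."""
    findings = {}
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        key = (rec.get("template-id", "?"), rec.get("matched-at") or rec.get("host", "?"))
        findings[key] = str(rec.get("info", {}).get("severity", "unknown")).lower()
    return findings

def severity_summary(findings):
    """Count of findings per severity level (for the report summary)."""
    return Counter(findings.values())

def fails_gate(findings, threshold="high"):
    """CI gate: True when any finding is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(sev, -1) >= floor for sev in findings.values())

def diff_scans(before, after):
    """Compare two scans by finding key, not line order, to track remediation."""
    return {"fixed": sorted(k for k in before if k not in after),
            "new": sorted(k for k in after if k not in before),
            "persisting": sorted(k for k in before if k in after)}
```

Feed real `-jsonl-export` output to `parse_findings` and exit non-zero from the CI job when `fails_gate` returns True.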

### Step 6: Reporting and Remediation Tracking

Generate comprehensive security reports:

```bash
# Generate detailed report with OWASP/CWE mappings
python3 scripts/nuclei_report_generator.py \
  --input scan-results.jsonl \
  --output security-report.html \
  --format html \
  --include-remediation \
  --map-frameworks owasp,cwe

# Export to SARIF for GitHub Security tab
nuclei -u https://target-app.com \
  -severity critical,high \
  -sarif-export github-sarif.json
```

See `assets/report_templates/` for customizable report formats.

## Automation & CI/CD Integration

### GitHub Actions Integration

```yaml
# .github/workflows/nuclei-scan.yml
name: Nuclei Security Scan
on: [push, pull_request]

jobs:
  nuclei:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required for upload-sarif
    steps:
      - uses: actions/checkout@v3

      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://staging.target-app.com
          severity: critical,high
          templates: cves,owasp,misconfig
          sarif-export: nuclei.sarif   # file consumed by the upload step below

      - name: Upload Results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: nuclei.sarif
```

### Docker-Based CI/CD Scanning

```bash
# Run in CI/CD pipeline with Docker
docker run --rm \
  -v $(pwd):/reports \
  projectdiscovery/nuclei:latest \
  -u $TARGET_URL \
  -severity critical,high \
  -jsonl-export /reports/nuclei-results.jsonl

# Check exit code and fail build on c
```

Files: 12
Size: 117.7 KB
Complexity: 74/100
Category: appsec
