Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.


Nuclei

Fast and customisable vulnerability scanner based on simple YAML based DSL.



Nuclei sends requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols including TCP, DNS, HTTP, File, etc. With powerful and flexible templating, all kinds of security checks can be modelled with Nuclei.

We have a dedicated repository that houses various types of vulnerability templates contributed by more than 100 security researchers and engineers. These ready-to-use templates can be downloaded with the -update-templates flag.

How it works

(figure: nuclei-flow diagram)

Install Nuclei

▶ GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

More installation methods can be found here.

Download Templates

You can download and update the nuclei templates using the -update-templates flag of nuclei, which downloads all the available templates from the nuclei-templates GitHub project, a community-curated list of templates that are ready to use.

▶ nuclei -update-templates

Nuclei is designed to be used with custom templates written for your target and workflow: you can write your own checks for your specific workflow and needs. Please refer to the nuclei templating guide to write your own custom templates.

Running Nuclei

Scanning for CVEs on a given list of URLs.

▶ nuclei -l target_urls.txt -t cves/

More detailed examples of running nuclei can be found here.

For Security Engineers

Nuclei offers a great number of features that help security engineers customise the workflow in their organisation. With the variety of scan capabilities (like DNS, HTTP, TCP), security engineers can easily create their own suite of custom checks with Nuclei.

  • Variety of protocols supported: TCP, DNS, HTTP, File, etc.
  • Achieve complex vulnerability steps with workflows and dynamic requests.
  • Easy to integrate into CI/CD; designed to slot into the regression cycle to actively check the fix and the re-appearance of a vulnerability.

Learn More

For bugbounty hunters:

Nuclei allows you to customise your testing approach with your own suite of checks and easily run it across your bug bounty programs. Moreover, Nuclei can be easily integrated into any continuous scanning workflow.

  • Designed to be easily integrated into other tools' workflows.
  • Can process thousands of hosts in a few minutes.
  • Easily automate your custom testing approach with our simple YAML DSL.

Please check our other open-source projects that might fit into your bug bounty workflow at github.com/projectdiscovery; we also host a daily refresh of DNS data at Chaos.

For pentesters:

Nuclei immensely improves how you approach security assessments by automating the manual, repetitive processes. Consultancies are already converting their manual assessment steps into Nuclei templates, which lets them run their set of custom assessment steps across thousands of hosts in an automated manner.

Pen-testers get the full power of our public templates and customisation capabilities to speed up their assessment process, and specifically the regression cycle, where you can easily verify the fix.

  • Easily create your compliance, standards suite (e.g. OWASP Top 10) checklist.
  • With capabilities like fuzz and workflows, complex manual steps and repetitive assessment can be easily automated with Nuclei.
  • Easy to re-test vulnerability-fix by just re-running the template.

For Developers and Organisations

Nuclei is built with simplicity in mind. With community-backed templates by hundreds of security researchers, it allows you to stay updated with the latest security threats by continuously scanning your hosts with Nuclei. It is designed to be easily integrated into the regression test cycle, to verify fixes and stop vulnerabilities from recurring in future.

  • CI/CD: Engineers are already utilising Nuclei within their CI/CD pipeline; it allows them to constantly monitor their staging and production environments with customised templates.
  • Continuous Regression Cycle: With Nuclei, you can create a custom template for every newly identified vulnerability and feed it into the Nuclei engine, so the issue is eliminated in the continuous regression cycle.
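The custom-template and regression-cycle ideas above, as an added example that is not part of the Nuclei README or the project's own code: a POSIX shell script that writes a small regression template (re-testing the exposed phpinfo.php page that one of the issues lower on this page reports), runs it from a CI job and fails the job when the finding reappears. The template keys follow the Nuclei v2 format from the templating guide; the nuclei command-line flags (-l, -t, -json, -o, -silent) and the "template-id" key in its JSON-lines output are assumed from Nuclei v2 and may differ in other versions, and the sample finding line is constructed for the example.

```shell
#!/bin/sh
# Added example (not Nuclei project code): a regression check for a previously
# fixed misconfiguration, wired into a CI job. Assumes nuclei v2 on PATH.

# Write a custom regression template. The check re-tests that phpinfo.php is
# no longer served: a 200 response whose body contains "PHP Version" is a hit.
write_regression_template() {
  cat > "$1" <<'EOF'
id: regression-phpinfo-exposure

info:
  name: Regression - phpinfo.php must stay unexposed
  author: example-editor
  severity: low
  tags: regression,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/phpinfo.php"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "PHP Version"
EOF
}

# Run the regression templates against a host list, writing one JSON object per
# finding (nuclei v2 -json output; flag names are assumed from that version).
run_regression_scan() {
  targets="$1"; templates="$2"; out="$3"
  nuclei -l "$targets" -t "$templates" -json -o "$out" -silent
}

# Count findings in a JSON-lines output file: every finding line carries a
# "template-id" key, so the number of lines with that key is the number of
# findings. A missing or empty file means the scan was clean.
count_findings() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '"template-id"' "$1" || true
}

# CI gate: return non-zero when the regression scan found anything, so the
# pipeline fails as soon as a fixed issue reappears.
gate_on_findings() {
  n=$(count_findings "$1")
  if [ "$n" -gt 0 ]; then
    echo "regression scan: $n finding(s) in $1, failing the build" >&2
    return 1
  fi
  echo "regression scan: clean"
  return 0
}

# Constructed sample line in the shape of a nuclei v2 JSON finding (not real output).
SAMPLE_FINDING='{"template-id":"regression-phpinfo-exposure","type":"http","host":"https://staging.example.test","matched-at":"https://staging.example.test/phpinfo.php"}'

# Typical CI usage (only the scan step needs nuclei installed):
#   write_regression_template regression/phpinfo.yaml
#   run_regression_scan targets.txt regression/ findings.jsonl
#   gate_on_findings findings.jsonl
```

The gate deliberately counts finding lines rather than parsing the JSON, so it needs nothing beyond grep on the CI runner; if the output format changes, `count_findings` is the only function to adjust.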

We have a discussion thread around this. Some bug bounty programs already give hackers incentives to write a nuclei template with every submission, which helps them eliminate the vulnerability across all their assets and removes the future risk of it reappearing in production. If you're interested in implementing this in your organisation, feel free to reach out to us. We will be more than happy to help you get started, or you can also post in the discussion thread for any help.

(figure: regression-cycle-with-nuclei diagram)

Learn More

Resources

Credits

Thanks to all the amazing community contributors for sending PRs. Do also check out the similar open-source projects below that may fit into your workflow:

FFuF, Qsfuzz, Inception, Snallygaster, Gofingerprint, Sn1per, Google tsunami, Jaeles, ChopChop

License

Nuclei is distributed under the MIT License.


Owner: ProjectDiscovery (Security Through Intelligent Automation)
Comments
  • [issue] runtime error

    Describe the bug I updated my nuclei install to version 2.4.1 and now it errors out every time I try to run it. Be advised I think I upgraded over the brew install and I am running Darwin HQSML-1689616 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64 x86_64. This is related to #888

    Nuclei version Please share the version of the nuclei you are running with nuclei -version See above and below

    Screenshot of the error or bug please add the screenshot showing bug or issue you are facing.

                         __     _
       ____  __  _______/ /__  (_)
      / __ \/ / / / ___/ / _ \/ /
     / / / / /_/ / /__/ /  __/ /
    /_/ /_/\__,_/\___/_/\___/_/   2.4.1
    
    		projectdiscovery.io
    
    [ERR] Could not read nuclei-ignore file: open /Users/gbiago909/.config/nuclei/.nuclei-ignore: no such file or directory
    [INF] Using Nuclei Engine 2.4.1
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x49052fb]
    
    goroutine 1 [running]:
    github.com/projectdiscovery/nuclei/v2/internal/runner.(*Runner).RunEnumeration(0xc0000e6000, 0x0, 0x0)
    	github.com/projectdiscovery/nuclei/v2/internal/runner/runner.go:345 +0xd5b
    main.main()
    	command-line-arguments/main.go:30 +0x87
    
  • [issue] panic: runtime error: invalid memory address or nil pointer dereference

    Describe the bug I was running a test to see if I could run most of the templates with a single call to a url. This is the custom workflow I ran by echoing in a single url to nuclei.

    id: unguided
    info:
      name: Workflow to run most of the templates
      author: Jeffrey Shran
    
    variables:
      cves: cves/
      default_credentials: default-credentials/
      dns: dns/
      files: files/
      generic_detections: generic-detections/
      panels: panels/
      security_misconfiguration: security-misconfiguration/
      subdomain_takeover: subdomain-takeover/
      technologies: technologies/
      tokens: tokens/
      vulnerabilities: vulnerabilities/
    
    logic:
      |
      cves()
      default_credentials()
      dns()
      files()
      generic_detections()
      panels()
      security_misconfiguration()
      subdomain_takeover()
      technologies()
      tokens()
      vulnerabilities()
    

    The command I ran is as follows:

    echo "https://example.com" | nuclei -c 200 -t ~/unguided.yaml -o example_com.nuclei.unguided

    Nuclei runs for 30-45 seconds then produces the error in the screenshot below.

    Nuclei version Current Version: 2.1.0

    Screenshot of the error or bug image

  • Nuclei stops to query additional paths when first path/URL is not reachable in case of ports

    Hello,

    I am not sure if I should not post this issue on the Nuclei github directly.

    I am trying to perform a template which just matches a file. The specificity here is that I add a check on another port:

     - "{{BaseURL}}/myfile.txt"
     - "{{BaseURL}}:8080/myfile.txt"
    

    (The test context is the following: the file is available on port 8080. The server doesn't answer on port 80, the base URL.)

    The problem is that this doesn't work; Nuclei seems to stop the check as the server is not responding:

    [INF] [MyTemplate] Loaded template File Detection Template (@Ohlala) [info]
    [WRN] Could not execute step: could not make http request: GET http://###REDACTED#####/myfile.txt giving up after 2 attempts: Get "http://REDACTED/myfile.txt": dial tcp REDACTED:80: connect: connection refused
    

    However, when using a proxy there is no problem and I get the match with the 8080 port.

    Any idea?

  • Reporting to Github issues fails if the issue-label field is not set

    Describe the bug For the following reporting configuration, nuclei fails to report with error 422 Validation Failed [{Resource:Label Field:name Code:missing_field Message:}]

    allow-list:
        severity: info, low, medium, high, critical
    github: 
        username: "0xcrypto"
        owner: "bb-research"
        token: "REDACTED"
        project-name: "hackberry_xyz"
    

    Nuclei version v2.5.2

    Screenshot of the error or bug image

  • Headless Browsing Login on Websites not Working

    Describe the bug Headless Browsing login flow on websites not working

    Nuclei version Nuclei v 2.5.2

    Screenshot of the error or bug Has anyone tried authenticating into a modern website via Nuclei headless browsing? I've been trying to log into Trello, but the login flow, which should lead me here after inputting my email (tested on a regular browser): Screen Shot 2021-10-07 at 2 09 53 PM

    in Nuclei headless seems to instead lead me back to this page: Screen Shot 2021-10-07 at 2 11 13 PM

  • Enumeration progressbar

    This is an initial implementation for a progress tracking system that informs the user of the enumeration state by providing visual feedback via progress bars.

    This is by no means a "pull-request" in the sense "please pull this into your repo else i'm mad", but this is meant to be here for tracking and discussion purposes, please feel free to make it to pieces :)

    These changes provide the following:

    • a single progress bar when a single template is specified

      • this will track the total number of requests, for the specified template, for all the specified hosts Screenshot 2020-07-11 at 23 33 00
    • two progress bars when a template directory is specified

      • progress bar 1 will track the total number of requests, for all the specified templates, for all the specified hosts
      • progress bar 2 will track the total number of requests, for the current template, for all the specified hosts Screenshot 2020-07-11 at 23 33 16

    There were some things to consider in doing this, so I had to make some choices in order to have an initial implementation working; I'll depict the main points here.

    progress bar library

    There are quite a few libraries for this, but to my understanding the best one is probably https://github.com/vbauerster/mpb, supporting multiple progress bars out-of-the-box.

    enumeration support

    Only HTTP request support has been implemented; once this is good and stable I can start working on both the DNS requests and the Workflow integration.

    stdout/stderr output

    At this time, both stdout and stderr are buffered and they are both shown at the end of the enumeration phase.

    Progress bars always write to stderr.

    I've started working on this with the idea of providing the same original behaviour, showing both during the enumeration process. This kind of worked, but not all the time; especially when stdout is written to the screen fast, mangled output is not what you want in most cases.

    -no-progressbar flag proposal

    At this time there is no way to switch off the progress bar, but it may be sensible to let users choose not to have visual feedback at all and process stdout as usual instead: for this I propose to add a -no-progressbar flag to actually disable the visual progress feedback.

    refactoring

    In order to know the total number of hosts and requests per template beforehand, I had to refactor the code a bit: this may not be ideal or the "projectdiscovery" way, please let me know!

  • Loading thousands of urls in list file will lock the executing threads

    goroutine 24336 [runnable, locked to thread]:
    syscall.Syscall(0x7ffa22051ac0, 0x1, 0x2c0d4, 0x0, 0x0)
            C:/Program Files/Go/src/runtime/syscall_windows.go:483 +0xf4
    syscall.Closesocket(0xc009a4b310)
            C:/Program Files/Go/src/syscall/zsyscall_windows.go:1343 +0x5c
    internal/poll.(*FD).destroy(0xc014ba8c80)
            C:/Program Files/Go/src/internal/poll/fd_windows.go:373 +0x9a
    internal/poll.(*FD).decref(0x2b7be2e0)
            C:/Program Files/Go/src/internal/poll/fd_mutex.go:213 +0x54
    internal/poll.(*FD).Close(0xc014ba8c80)
            C:/Program Files/Go/src/internal/poll/fd_windows.go:395 +0x69
    net.(*netFD).Close(0xc014ba8c80)
            C:/Program Files/Go/src/net/fd_posix.go:38 +0x38
    net.(*conn).Close(0xc000689980)
            C:/Program Files/Go/src/net/net.go:207 +0x45
    github.com/miekg/dns.(*Client).Exchange(0xc0006f9b30, 0xc003a39c00, {0xc010fe4d90, 0x19f0172})
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:170 +0x131
    github.com/projectdiscovery/retryabledns.(*Client).QueryMultiple(0xc00011c280, {0xc0019f6dc0, 0x1a}, {0xc009a4b61c, 0x2, 0x50a697})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]0.13/client.go:248 +0x593
    github.com/projectdiscovery/retryabledns.(*Client).Resolve(...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]0.13/client.go:100
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).GetDNSData(0xc000726140, {0xc0019f6dc0, 0x1a})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:326 +0x2d1
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).dial(0xc000726140, {0x1a2f8e8, 0xc003f9c540}, {0x1410156, 0x3}, {0xc0019f6dc0, 0x118}, 0x0, 0x0, 0x0, ...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:160 +0x17a
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).Dial(...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:101
    net/http.(*Transport).dial(0xc003f9c540, {0x1a2f8e8, 0xc003f9c540}, {0x1410156, 0xc0068d7b60}, {0xc0019f6dc0, 0xc0068d7ad0})
            C:/Program Files/Go/src/net/http/transport.go:1166 +0xda
    net/http.(*Transport).dialConn(0xc00007edc0, {0x1a2f8e8, 0xc003f9c540}, {{}, 0x0, {0xc002f3f140, 0x5}, {0xc0019f6dc0, 0x1e}, 0x0})
            C:/Program Files/Go/src/net/http/transport.go:1604 +0x845
    net/http.(*Transport).dialConnFor(0x1a17740, 0xc0058dcd10)
            C:/Program Files/Go/src/net/http/transport.go:1446 +0xb0
    created by net/http.(*Transport).queueForDial
            C:/Program Files/Go/src/net/http/transport.go:1415 +0x3d7
    
    goroutine 24337 [IO wait]:
    internal/poll.runtime_pollWait(0xc86bf7b8, 0x77)
            C:/Program Files/Go/src/runtime/netpoll.go:303 +0x85
    internal/poll.(*pollDesc).wait(0x43, 0xc009a57088, 0x0)
            C:/Program Files/Go/src/internal/poll/fd_poll_runtime.go:84 +0x32
    internal/poll.execIO(0xc003c89768, 0x16591f0)
            C:/Program Files/Go/src/internal/poll/fd_windows.go:175 +0xe5
    internal/poll.(*FD).Write(0xc003c89680, {0xc00aa0fc70, 0x42, 0x43})
            C:/Program Files/Go/src/internal/poll/fd_windows.go:637 +0x33b
    net.(*netFD).Write(0xc003c89680, {0xc00aa0fc70, 0x12d00a0, 0x13c12a0})
            C:/Program Files/Go/src/net/fd_posix.go:74 +0x29
    net.(*conn).Write(0xc019f61b08, {0xc00aa0fc70, 0xc09950b40001001c, 0xc009a571b8})
            C:/Program Files/Go/src/net/net.go:195 +0x45
    github.com/miekg/dns.(*Conn).Write(0xc002e92d80, {0xc00aa0fc70, 0x42, 0x43})
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:379 +0x115
    github.com/miekg/dns.(*Conn).WriteMsg(0xc002e92d80, 0x1b1559330d)
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:368 +0xe5
    github.com/miekg/dns.(*Client).exchangeContext(0xc00011c380, {0x1a2f8b0, 0xc00002a0e0}, 0xc009a57548, 0xc002e92d80)
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:240 +0x367
    github.com/miekg/dns.(*Client).exchangeWithConnContext(0x0, {0x1a2f8b0, 0xc00002a0e0}, 0x0, 0x0)
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:195 +0x1dc
    github.com/miekg/dns.(*Client).ExchangeWithConn(0xc00011c380, 0x1a2f8b0, 0xc00002a0e0)
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:190 +0x30
    github.com/miekg/dns.(*Client).Exchange(0xc0006f9b00, 0xc003a39cb0, {0xc01888bd20, 0x19f0172})
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:170 +0x10e
    github.com/projectdiscovery/retryabledns.(*Client).QueryMultiple(0xc00011c280, {0xc0019f6e60, 0x1a}, {0xc009a5761c, 0x2, 0x50a697})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]0.13/client.go:248 +0x593
    github.com/projectdiscovery/retryabledns.(*Client).Resolve(...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]0.13/client.go:100
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).GetDNSData(0xc000726140, {0xc0019f6e60, 0x1a})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:326 +0x2d1
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).dial(0xc000726140, {0x1a2f8e8, 0xc003f9c780}, {0x1410156, 0x3}, {0xc0019f6e60, 0x118}, 0x0, 0x0, 0x0, ...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:160 +0x17a
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).Dial(...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:101
    net/http.(*Transport).dial(0xc003f9c780, {0x1a2f8e8, 0xc003f9c780}, {0x1410156, 0xc0068d7b60}, {0xc0019f6e60, 0xc0068d7ad0})
            C:/Program Files/Go/src/net/http/transport.go:1166 +0xda
    net/http.(*Transport).dialConn(0xc00007edc0, {0x1a2f8e8, 0xc003f9c780}, {{}, 0x0, {0xc00608c630, 0x5}, {0xc0019f6e60, 0x1e}, 0x0})
            C:/Program Files/Go/src/net/http/transport.go:1604 +0x845
    net/http.(*Transport).dialConnFor(0x1a17740, 0xc0058dcdc0)
            C:/Program Files/Go/src/net/http/transport.go:1446 +0xb0
    created by net/http.(*Transport).queueForDial
            C:/Program Files/Go/src/net/http/transport.go:1415 +0x3d7
    
    goroutine 24368 [runnable, locked to thread]:
    syscall.Syscall(0x7ffa22051ac0, 0x1, 0x2b0fc, 0x0, 0x0)
            C:/Program Files/Go/src/runtime/syscall_windows.go:483 +0xf4
    syscall.Closesocket(0xc009a79310)
            C:/Program Files/Go/src/syscall/zsyscall_windows.go:1343 +0x5c
    internal/poll.(*FD).destroy(0xc0157cc280)
            C:/Program Files/Go/src/internal/poll/fd_windows.go:373 +0x9a
    internal/poll.(*FD).decref(0x2bb25c38)
            C:/Program Files/Go/src/internal/poll/fd_mutex.go:213 +0x54
    internal/poll.(*FD).Close(0xc0157cc280)
            C:/Program Files/Go/src/internal/poll/fd_windows.go:395 +0x69
    net.(*netFD).Close(0xc0157cc280)
            C:/Program Files/Go/src/net/fd_posix.go:38 +0x38
    net.(*conn).Close(0xc000688c50)
            C:/Program Files/Go/src/net/net.go:207 +0x45
    github.com/miekg/dns.(*Client).Exchange(0xc0006f9bc0, 0xc001799070, {0xc002b049d0, 0x19f0172})
            C:/Users/DELL i5/go/pkg/mod/github.com/miekg/[email protected]/client.go:170 +0x131
    github.com/projectdiscovery/retryabledns.(*Client).QueryMultiple(0xc00011c280, {0xc003822d20, 0x14}, {0xc009a7961c, 0x2, 0x50a697})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]0.13/client.go:248 +0x593
    github.com/projectdiscovery/retryabledns.(*Client).Resolve(...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]0.13/client.go:100
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).GetDNSData(0xc000726140, {0xc003822d20, 0x14})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:326 +0x2d1
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).dial(0xc000726140, {0x1a2f8e8, 0xc003f09ce0}, {0x1410156, 0x3}, {0xc003822d20, 0x118}, 0x0, 0x0, 0x0, ...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:160 +0x17a
    github.com/projectdiscovery/fastdialer/fastdialer.(*Dialer).Dial(...)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/[email protected]15-0.20220127193345-f06b0fd54d47/fastdialer/dialer.go:101
    net/http.(*Transport).dial(0xc003f09ce0, {0x1a2f8e8, 0xc003f09ce0}, {0x1410156, 0xc0068d1b60}, {0xc003822d20, 0xc0068d1ad0})
            C:/Program Files/Go/src/net/http/transport.go:1166 +0xda
    net/http.(*Transport).dialConn(0xc00007edc0, {0x1a2f8e8, 0xc003f09ce0}, {{}, 0x0, {0xc00551b6b0, 0x5}, {0xc003822d20, 0x18}, 0x0})
            C:/Program Files/Go/src/net/http/transport.go:1604 +0x845
    net/http.(*Transport).dialConnFor(0x1a17740, 0xc005a191e0)
            C:/Program Files/Go/src/net/http/transport.go:1446 +0xb0
    created by net/http.(*Transport).queueForDial
            C:/Program Files/Go/src/net/http/transport.go:1415 +0x3d7
    
    goroutine 24353 [runnable, locked to thread]:
    syscall.Syscall(0x7ffa22051ac0, 0x1, 0x2b2f4, 0x0, 0x0)
            C:/Program Files/Go/src/runtime/syscall_windows.go:483 +0xf4
    syscall.Closesocket(0xc009a6b310)
            C:/Program Files/Go/src/syscall/zsyscall_windows.go
    unc2.1(0x6e34ca, 0x0, {0xc0117563f0, 0xc018e7c210})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/core/execute.go:142 +0x12b
    created by github.com/projectdiscovery/nuclei/v2/pkg/core.(*Engine).executeModelWithInput.func2
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/core/execute.go:129 +0x6d0
    
    goroutine 81952 [select, 1 minutes]:
    net/http.(*Transport).getConn(0xc00007edc0, 0xc0033bb640, {{}, 0x0, {0xc002704300, 0x5}, {0xc01a21e340, 0x20}, 0x0})
            C:/Program Files/Go/src/net/http/transport.go:1372 +0x5d2
    net/http.(*Transport).roundTrip(0xc00007edc0, 0xc01877c900)
            C:/Program Files/Go/src/net/http/transport.go:581 +0x774
    net/http.(*Transport).RoundTrip(0xc01877c900, 0x1a17120)
            C:/Program Files/Go/src/net/http/roundtrip.go:18 +0x19
    net/http.send(0xc006065100, {0x1a17120, 0xc00007edc0}, {0x13cf400, 0x4d7801, 0x248bfc0})
            C:/Program Files/Go/src/net/http/client.go:252 +0x5d8
    net/http.(*Client).send(0xc0004aab40, 0xc006065100, {0xc0106eafe8, 0x70a8bb, 0x248bfc0})
            C:/Program Files/Go/src/net/http/client.go:176 +0x9b
    net/http.(*Client).do(0xc0004aab40, 0xc006065100)
            C:/Program Files/Go/src/net/http/client.go:725 +0x908
    net/http.(*Client).Do(...)
            C:/Program Files/Go/src/net/http/client.go:593
    github.com/projectdiscovery/retryablehttp-go.(*Client).Do(0xc0003443f0, 0xc01a1cfa10)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/retryablehttp-go@v1.0.3-0.20220506110515-811d938bd26d/do.go:64 +0x34e
    github.com/projectdiscovery/nuclei/v2/pkg/protocols/http.(*Request).executeRequest(0xc003912480, {0xc0066ef6e0, 0x25}, 0xc0190508c0, 0x0, 0x0, 0xc0106ebc70, 0x40da54)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/protocols/http/request.go:426 +0xec9
    github.com/projectdiscovery/nuclei/v2/pkg/protocols/http.(*Request).ExecuteWithResults.func1({0xc002fa3e60, 0x60}, 0x16570f0, 0x486f9e7b7)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/protocols/http/request.go:271 +0x3cf
    github.com/projectdiscovery/nuclei/v2/pkg/protocols/http.(*Request).ExecuteWithResults(0xc003912480, {0xc0066ef6e0, 0x25}, 0xc01a1cf680, 0xc01a1cf6b0, 0xc01a1cf6e0)
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/protocols/http/request.go:324 +0x289
    github.com/projectdiscovery/nuclei/v2/pkg/protocols/common/executer.(*Executer).Execute(0xc001b2d380, {0xc0066ef6e0, 0x25})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/protocols/common/executer/executer.go:68 +0x1ae
    github.com/projectdiscovery/nuclei/v2/pkg/core.(*Engine).executeModelWithInput.func2.1(0x6e34ca, 0x0, {0xc0066ef6e0, 0xc01651f080})
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/core/execute.go:142 +0x12b
    created by github.com/projectdiscovery/nuclei/v2/pkg/core.(*Engine).executeModelWithInput.func2
            C:/Users/DELL i5/go/pkg/mod/github.com/projectdiscovery/nuclei/[email protected]/pkg/core/execute.go:129 +0x6d0
    
    goroutine 83157 [select]:
    net/http.(*Transport).getConn(0xc00007edc0, 0xc001d56980, {{}, 0x0, {0xc00c572a80, 0x5
    
  • [issue] Scan never finishes

    Describe the bug After running the scanner for a while it stalls with only 4 remaining hosts, for more than one hour.

    Nuclei version v2.3.2

    Screenshot of the error or bug Screenshot from 2021-03-27 15-51-47

  • Output file being deleted when Nuclei finishes

    Describe the bug I am specifying an output file for Nuclei, and can see it being created. When Nuclei finishes the output file is being deleted.

    Nuclei version 2.1.0

    Screenshot of the error or bug please add the screenshot showing bug or issue you are facing.

    As you can see in the following the /tmp/nuclei.txt file in the bottom panel is created, populated with data, then deleted when Nuclei finishes. I first thought this was related to a particular template however the issue appears transient.

    (animated screenshot: ezgif-3-f91e896de89d)

  • Update installation instructions

    In https://github.com/projectdiscovery/nuclei/commit/60005290b1f5f024f9e3e6688297fc03097d3ba1 v2 was removed from the path. This PR fixes the install instructions.

  • Initial adoption of golangci-lint for continuous integration

    golangci-lint-action is the official GitHub action for golangci-lint from its authors. The action runs golangci-lint and reports issues from linters.

    golangci-lint is a fast Go linters runner. It runs linters in parallel, uses caching, supports yaml config, has integrations with all major IDEs and has dozens of linters included.

    Including this action in the workflow would improve the project's code quality and could prevent possible future leaks and/or failures by setting a minimum of checks and rules; I think it could be very favourable.

    A list of available linters on the official documentation

    There are several linters that I have disabled because for now it is a lot of work to correct the errors, for example:

    • funlen: Detection of long functions.
    • gocyclo: Calculates cyclomatic complexities.
    • gosec: Inspects source code for security problems.
    • lll: Line length linter, used to enforce line length in files.

    and I have added some directives to skip the checks with (nolint) because they need a small refactor, but I think it's fine for now; we can improve it in the future.

    Enabled linters:

    • bodyclose
    • deadcode
    • dogsled
    • dupl
    • errcheck
    • exhaustive
    • gochecknoinits
    • goconst
    • gocritic
    • gofmt
    • goimports
    • golint
    • gomnd
    • goprintffuncname
    • gosimple
    • govet
    • ineffassign
    • interfacer
    • maligned
    • misspell
    • nakedret
    • noctx
    • nolintlint
    • rowserrcheck
    • scopelint
    • staticcheck
    • structcheck
    • stylecheck
    • typecheck
    • unconvert
    • unparam
    • unused
    • varcheck
    • whitespace

    Fixes memory leak processing custom workflows with multiple URL from stdin reported on #242

    I hope this will be helpful.

  • Scan Results Are Inconsistent

    Nuclei version:

    2.7.5

    Current Behavior:

    I'm initiating a scan on a known vulnerable URL with the same custom template. Sometimes it finds it, and sometimes it doesn't.

    Expected Behavior:

    It should be showing the same results.

    Steps To Reproduce:

    1. nuclei -u http://php.testsparker.com -t nuclei-templates/exposures/configs/phpinfo.yaml
    2. It won't be showing any findings:
    1
    1. nuclei -u http://php.testsparker.com -t nuclei-templates/exposures/configs/phpinfo.yaml
    2. It's showing a finding:
    2

    Anything else:

    I think that's not related to the default nuclei-templates phpinfo exposure script. It's like some packet sending/receiving issue.

    Additionally, this vulnerable URL has a phpinfo: http://php.testsparker.com/phpinfo.php and the phpinfo.yaml script has that directory as a path.

    script

    3
  • chore(deps): bump github.com/xanzy/go-gitlab from 0.71.0 to 0.72.0 in /v2

    Bumps github.com/xanzy/go-gitlab from 0.71.0 to 0.72.0.

    Commits
    • d8372d3 Merge pull request #1523 from timofurrer/feature/remove-members-options
    • 2129179 Implement missing options for RemoveGroupMembers API
    • bcb4540 Merge pull request #1522 from cyd01/master
    • dbc0011 Add DeletePackageFile in PackagesService
    • 1ced135 Merge pull request #1518 from go-faster/feat/jobs/pipeline.project_id
    • 8cc3651 feat(jobs): add pipeline.project_id
    • f9cd878 Merge pull request #1521 from xanzy/chore/ioutil
    • 3d91c69 Remove use of deprecated io/ioutil package
    • See full diff in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • chore(deps): bump github.com/aws/aws-sdk-go from 1.44.71 to 1.44.73 in /v2

    chore(deps): bump github.com/aws/aws-sdk-go from 1.44.71 to 1.44.73 in /v2

    Bumps github.com/aws/aws-sdk-go from 1.44.71 to 1.44.73.

    Release notes

    Sourced from github.com/aws/aws-sdk-go's releases.

    Release v1.44.73 (2022-08-10)

    Service Client Updates

    • service/dlm: Updates service API and documentation
    • service/ec2: Updates service API and documentation
      • This release adds support for excluding specific data (non-root) volumes from multi-volume snapshot sets created from instances.

    Release v1.44.72 (2022-08-09)

    Service Client Updates

    • service/location: Updates service API and documentation
    • service/monitoring: Updates service API and documentation
      • Various quota increases related to dimensions and custom metrics
    • service/sagemaker: Updates service API and documentation
      • Amazon SageMaker Automatic Model Tuning now supports specifying multiple alternate EC2 instance types to make tuning jobs more robust when the preferred instance type is not available due to insufficient capacity.
    • service/sagemaker-a2i-runtime: Updates service API

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Conditional request execution support in template

    Conditional request execution support in template

    Please describe your feature request:

    Currently, conditional request/template execution is possible with workflows (sub-templates), which is useful for complex chains but not practical for a quick and basic check in the same template, so similar support needs to be extended to the template as well.

    Describe the use case of this feature:

    Writing a multi-step template that needs to be executed if the previous request/matcher returns true, to avoid sending unwanted additional requests when the condition fails.

    Here is an example template with conditional request execution using the if annotation to confirm request execution only when the previous match returns true.

    id: basic-raw-example
    
    info:
      name: Test RAW Template
      author: pdteam
      severity: info
    
    requests:
      - raw:
          - |
            GET /req1 HTTP/1.1
            Host: {{Hostname}}
            Origin: {{BaseURL}}
            Connection: close
    
        matchers:
          - type: status
            status:
              - 200
    
      - raw:
          - |
            if: matcher_status_1 == true
            GET /req2 HTTP/1.1
            Host: {{Hostname}}
            Origin: {{BaseURL}}
    
          - |
            GET /req3 HTTP/1.1
            Host: {{Hostname}}
            Origin: {{BaseURL}}
    
          - |
            GET /req4 HTTP/1.1
            Host: {{Hostname}}
            Origin: {{BaseURL}}
    
        matchers-condition: and
        matchers:
          - type: status
            status:
              - 200
    
          - type: word
            words:
              - "Test1"
    

    Reference:

    • https://github.com/projectdiscovery/nuclei/issues/2100
    • https://github.com/projectdiscovery/nuclei/discussions/2016
    • https://github.com/projectdiscovery/nuclei/issues/1879
    • https://github.com/projectdiscovery/nuclei/issues/7
  • Unresolved variables detection improvements

    Unresolved variables detection improvements

    Current Behavior:

    Templates/requests with unresolved variables are being executed.

    Expected Behavior:

    Templates/requests with unresolved variables should be ignored for execution.

    Steps To Reproduce:

    nuclei -id api-lob -debug
    nuclei -t token-spray -v
    
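As an added example (not nuclei's own code), the following Python models the semantics proposed in the "Conditional request execution support in template" request above together with the unresolved-variable skip requested in this issue: a raw request whose leading `if:` line names a previous matcher result is sent only when that result matches, and any request that still contains an unrendered `{{...}}` placeholder after substitution is dropped instead of being sent. The `if:` grammar, the `matcher_status_1` result name and the `{{token}}` placeholder in the fourth request are assumptions extrapolated from the example template, not nuclei's implemented syntax.

```python
import re

# Constructed raw requests modelled on the template in the feature request above.
# The leading "if:" line on request 2 and the {{token}} header on request 4 are
# assumptions used to exercise the two skip rules; they are not nuclei syntax.
RAW_REQUESTS = [
    "GET /req1 HTTP/1.1\nHost: {{Hostname}}\nOrigin: {{BaseURL}}\nConnection: close\n",
    "if: matcher_status_1 == true\nGET /req2 HTTP/1.1\nHost: {{Hostname}}\nOrigin: {{BaseURL}}\n",
    "GET /req3 HTTP/1.1\nHost: {{Hostname}}\nOrigin: {{BaseURL}}\n",
    "GET /req4 HTTP/1.1\nHost: {{Hostname}}\nOrigin: {{BaseURL}}\nX-Token: {{token}}\n",
]

# Constructed variable set: "token" is deliberately missing so request 4 is unresolved.
VARIABLES = {"Hostname": "example.com", "BaseURL": "http://example.com"}

IF_LINE = re.compile(r"^if:\s*(\w+)\s*==\s*(true|false)\s*$")
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def split_condition(raw):
    """Return (condition, body); condition is (matcher_name, expected_bool) or None."""
    first, _, rest = raw.partition("\n")
    m = IF_LINE.match(first.strip())
    if m:
        return (m.group(1), m.group(2) == "true"), rest
    return None, raw


def render(raw, variables):
    """Substitute known {{var}} placeholders; unknown ones are left untouched."""
    return PLACEHOLDER.sub(lambda m: str(variables.get(m.group(1), m.group(0))), raw)


def unresolved(rendered):
    """Names of placeholders that survived rendering, sorted for stable output."""
    return sorted(set(PLACEHOLDER.findall(rendered)))


def plan(raw_requests, variables, matcher_results):
    """Decide per request whether to send it. Returns [(index, 'send'|'skip', reason)]."""
    decisions = []
    for i, raw in enumerate(raw_requests, start=1):
        cond, body = split_condition(raw)
        if cond is not None and matcher_results.get(cond[0], False) != cond[1]:
            decisions.append((i, "skip", f"{cond[0]} is not {cond[1]}"))
            continue
        body = render(body, variables)
        missing = unresolved(body)
        if missing:  # never send a request with literal {{...}} left in it
            decisions.append((i, "skip", "unresolved: " + ", ".join(missing)))
            continue
        decisions.append((i, "send", body.splitlines()[0]))
    return decisions
```

With `matcher_status_1` false, requests 1 and 3 are sent, request 2 is skipped by its condition and request 4 is skipped because `{{token}}` never resolved; flipping the matcher result to true releases request 2 only.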
  • set content_length as len(body) if response ContentLength is -1

    set content_length as len(body) if response ContentLength is -1

    Proposed changes

    Checklist

    • [x] Pull request is created against the dev branch
    • [ ] All checks passed (lint, unit/integration/regression tests etc.) with my changes
    • [ ] I have added tests that prove my fix is effective or that my feature works
    • [ ] I have added necessary documentation (if appropriate)