nuclei
Fast and customizable vulnerability scanner based on simple YAML based DSL.
Details
Category: Scanners
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/nuclei:v3.3.1
Source URL: https://github.com/projectdiscovery/nuclei
Parameters
sni
string
Command:
-sni
- tls sni hostname to use (default: input domain name)
var
string
Command:
-var
- custom vars in key=value format
code
boolean
Command:
-code
- enable loading code protocol-based templates
dast
boolean
Command:
-dast
- only run DAST templates
list
file
required
Command:
-list
- List of target URLs/hosts to scan
tags
string
Command:
-tags
- templates to run based on tags (comma-separated)
type
string
Command:
-type
- templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
ztls
boolean
Command:
-ztls
- use ztls library with autofallback to standard one for tls13
debug
boolean
Command:
-debug
- show all requests and responses
jsonl
boolean
Command:
-jsonl
- write output in JSONL(ines) format
proxy
string
Command:
-proxy
- list of http/socks5 proxy to use (comma separated)
reset
boolean
Command:
-reset
- reset removes all nuclei configuration and data files (including nuclei-templates)
stats
boolean
Command:
-stats
- Display stats of the running scan.
author
string
Command:
-author
- templates to run based on authors (comma-separated)
config
file
Command:
-config
- path to the nuclei configuration file
header
string
Command:
-header
- custom header/cookie to include in all http requests in header:value format
no-mhe
boolean
Command:
-no-mhe
- disable skipping host from scan based on errors
redact
string
Command:
-redact
- redact given list of keys from query parameter, request header and body
resume
file
Command:
-resume
- Resume scan using resume.cfg (clustering will be disabled)
silent
string
Command:
-silent
- display findings only
stream
boolean
Command:
-stream
- stream mode - start elaborating without sorting the input
target
string
required
Command:
-target
- target URLs/hosts to scan
no-meta
boolean
Command:
-no-meta
- disable printing result metadata in cli output
passive
boolean
Command:
-passive
- enable passive HTTP response processing mode
profile
string
Command:
-profile
- template profile config file to run
project
boolean
Command:
-project
- Use a project folder to avoid sending same request multiple times.
retries
string
Command:
-retries
- number of times to retry a failed request (default 1)
timeout
string
Command:
-timeout
- time to wait in seconds before timeout (default 10)
uncover
boolean
Command:
-uncover
- enable uncover engine
verbose
boolean
Command:
-verbose
- show verbose output
env-vars
boolean
Command:
-env-vars
- enable environment variables to be used in template
headless
string
Command:
-headless
- enable templates that require headless browser support (root user on linux will disable sandbox)
no-color
boolean
Command:
-no-color
- disable output content coloring (ANSI escape codes)
no-httpx
boolean
Command:
-no-httpx
- disable httpx probing for non-url input
no-stdin
boolean
Command:
-no-stdin
- disable stdin processing
omit-raw
boolean
Command:
-omit-raw
- omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
severity
string
Command:
-severity
- templates to run based on severity. Possible values: info, low, medium, high, critical, unknown
template
file
required
Command:
-templates
- template file to run
validate
boolean
Command:
-validate
- validate the passed templates to nuclei
bulk-size
string
Command:
-bulk-size
- maximum number of hosts to be analyzed in parallel per template (default 25)
client-ca
file
Command:
-client-ca
- client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
debug-req
boolean
Command:
-debug-req
- show all sent requests
interface
string
Command:
-interface
- network interface to use for network scan
list-tags
boolean
Command:
-tgl
- list all available tags
resolvers
file
Command:
-resolvers
- file containing resolver list for nuclei
source-ip
string
Command:
-source-ip
- source ip address to use for network scan
tags-list
file
Command:
-tags
- templates to run based on tags
templates
folder
required
Command:
-templates
- folder of templates to run
timestamp
boolean
Command:
-timestamp
- enables printing timestamp in cli output
vars-list
file
Command:
-var
- custom vars in key=value format
workflows
string
Command:
-workflows
- list of workflow or workflow directory to run (comma-separated)
client-key
file
Command:
-client-key
- client key file (PEM-encoded) used for authenticating against scanned hosts
debug-resp
boolean
Command:
-debug-resp
- show all received responses
exclude-id
string
Command:
-exclude-id
- templates to exclude based on template ids (comma-separated)
ip-version
string
Command:
-ip-version
- IP version to scan of hostname (4,6) - (default 4)
proxy-list
file
Command:
-proxy
- list of http/socks5 proxy to use
rate-limit
string
Command:
-rate-limit
- maximum number of requests to send per second (default 150)
stats-json
boolean
Command:
-stats-json
- Write statistics data to stdout in JSONL(ines) format
attack-type
string
Command:
-attack-type
- type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
author-list
file
Command:
-author
- templates to run based on authors
client-cert
file
Command:
-client-cert
- client certificate file (PEM-encoded) used for authenticating against scanned hosts
concurrency
string
Command:
-concurrency
- maximum number of templates to be executed in parallel (default 25)
force-http2
boolean
Command:
-force-http2
- force http2 connection on requests
secret-file
file
Command:
-secret-file
- path to config file containing secrets for nuclei authenticated scan
template-id
string
Command:
-template-id
- templates to run based on template ids (comma-separated)
enable-pprof
boolean
Command:
-enable-pprof
- enable pprof debugging server
exclude-tags
string
Command:
-exclude-tags
- templates to exclude based on tags (comma-separated)
exclude-type
string
Command:
-exclude-type
- templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript
fuzzing-mode
string
Command:
-fuzzing-mode
- overrides fuzzing mode set in template (multiple, single)
fuzzing-type
string
Command:
-fuzzing-type
- overrides fuzzing type set in template (replace, prefix, postfix, infix)
hang-monitor
boolean
Command:
-hang-monitor
- enable nuclei hang monitoring
headers-list
file
Command:
-header
- custom list of headers/cookies to include in all http requests in header:value
health-check
boolean
Command:
-health-check
- run diagnostic check up
include-tags
string
Command:
-include-tags
- tags to be executed even if they are excluded either by default or configuration
metrics-port
string
Command:
-metrics-port
- port to expose nuclei metrics on (default 9092)
page-timeout
string
Command:
-page-timeout
- seconds to wait for each page in headless mode (default 20)
profile-list
boolean
Command:
-profile-list
- list community template profiles
project-path
folder
Command:
-project-path
- Use a user defined project folder. Temporary folder is used if not specified but enabled.
scan-all-ips
boolean
Command:
-scan-all-ips
- scan all the IP's associated with dns record
template-url
string
Command:
-template-url
- template urls to run (comma-separated)
workflow-url
string
Command:
-workflow-url
- workflow urls to run (comma-separated)
exclude-hosts
file
Command:
-exclude-hosts
- hosts to exclude to scan from the input list (ip, cidr, hostname)
max-redirects
string
Command:
-max-redirects
- max number of redirects to follow for http templates (default 10)
new-templates
boolean
Command:
-new-templates
- run only new templates added in latest nuclei-templates release
no-interactsh
boolean
Command:
-no-interactsh
- disable interactsh server for OAST testing, exclude OAST based templates
omit-template
boolean
Command:
-omit-template
- omit encoded template in the JSON, JSONL output
report-config
file
Command:
-report-config
- nuclei reporting module configuration file
scan-strategy
string
Command:
-scan-strategy
- strategy to use while scanning(auto/host-spray/template-spray) (default auto)
show-var-dump
boolean
Command:
-show-var-dump
- show variables dump for debugging
system-chrome
boolean
Command:
-system-chrome
- use local installed Chrome browser instead of nuclei installed
target-folder
folder
Command:
-target
- folder containing files to execute file templates on
template-urls
file
Command:
-template-url
- list of template urls to run
uncover-delay
string
Command:
-uncover-delay
- delay between uncover query requests in seconds (0 to disable) (default 1)
uncover-field
string
Command:
-uncover-field
- uncover fields to return (ip,port,host) (default ip:port)
uncover-limit
string
Command:
-uncover-limit
- uncover results to return (default 100)
uncover-query
string
Command:
-uncover-query
- uncover search query
workflow-urls
file
Command:
-workflow-url
- list of workflow urls to run
automatic-scan
boolean
Command:
-automatic-scan
- automatic web scan using wappalyzer technology detection to tags mapping
js-concurrency
string
Command:
-js-concurrency
- maximum number of javascript runtimes to be executed in parallel (default 120)
list-templates
boolean
Command:
-tl
- list all available templates
matcher-status
boolean
Command:
-matcher-status
- display match failure status
max-host-error
string
Command:
-max-host-error
- max errors for a host before skipping from scan (default 30)
proxy-internal
boolean
Command:
-proxy-internal
- proxy all internal requests
stats-interval
string
Command:
-stats-interval
- number of seconds to wait between showing a statistics update (default 5)
templates-list
file
Command:
-templates
- list of template to run
uncover-engine
string
Command:
-uncover-engine
- uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan)
workflows-list
file
Command:
-workflows
- list of workflow or workflow directory to run
exclude-id-list
file
Command:
-exclude-id
- templates to exclude based on template ids
show-match-line
boolean
Command:
-show-match-line
- show match lines for file templates, works with extractors only
tls-impersonate
boolean
Command:
-tls-impersonate
- enable experimental client hello (ja3) tls randomization
exclude-matchers
string
Command:
-exclude-matchers
- template matchers to exclude in result
exclude-severity
string
Command:
-exclude-severity
- templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown
follow-redirects
boolean
Command:
-follow-redirects
- enable following redirects for http templates
headless-options
string
Command:
-headless-options
- start headless chrome with additional options
interactsh-token
string
Command:
-interactsh-token
- authentication token for self-hosted interactsh server
no-strict-syntax
boolean
Command:
-no-strict-syntax
- Disable strict syntax check on templates
prefetch-secrets
boolean
Command:
-prefetch-secrets
- prefetch secrets from the secrets file
system-resolvers
boolean
Command:
-system-resolvers
- use system DNS resolving as error fallback
template-id-list
file
Command:
-template-id
- templates to run based on template ids
track-error-file
file
Command:
-track-error
- adds given error to max-host-error watchlist
dialer-keep-alive
string
Command:
-dialer-keep-alive
- keep-alive duration for network requests.
disable-redirects
boolean
Command:
-disable-redirects
- disable redirects for http templates
display-templates
boolean
Command:
-vv
- display templates loaded for scan
exclude-tags-list
file
Command:
-exclude-tags
- templates to exclude based on tags
exclude-templates
string
Command:
-exclude-templates
- template or template directory to exclude (comma-separated)
include-tags-list
file
Command:
-include-tags
- tags to be executed even if they are excluded either by default or configuration
include-templates
string
Command:
-include-templates
- templates to be executed even if they are excluded either by default or configuration
interactsh-server
string
Command:
-interactsh-server
- interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)
list-dsl-function
boolean
Command:
-list-dsl-function
- list all supported DSL function signatures
rate-limit-minute
string
Command:
-rate-limit-minute
- maximum number of requests to send per minute
templates-version
boolean
Command:
-templates-version
- shows the version of the installed nuclei-templates
uncover-ratelimit
string
Command:
-uncover-ratelimit
- override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)
disable-clustering
boolean
Command:
-disable-clustering
- disable clustering of requests
headless-bulk-size
string
Command:
-headless-bulk-size
- maximum number of headless hosts to be analyzed in parallel per template (default 10)
input-read-timeout
string
Command:
-input-read-timeout
- timeout on input read (default 3m0s)
response-size-read
string
Command:
-response-size-read
- max response size to read in bytes (default 10485760)
response-size-save
string
Command:
-response-size-save
- max response size to read in bytes (default 1048576)
template-condition
string
Command:
-template-condition
- templates to run based on expression condition
template-directory
string
Command:
-templates
- template directory to run
leave-default-ports
boolean
Command:
-leave-default-ports
- leave default HTTP/HTTPS ports (eg. host:80,host:443)
payload-concurrency
string
Command:
-payload-concurrency
- max payload concurrency for each template (default 25)
stop-at-first-match
boolean
Command:
-stop-at-first-match
- stop processing HTTP requests after the first match (may break template/workflow logic)
disable-update-check
boolean
Command:
-disable-update-check
- disable automatic nuclei/templates update check
headless-concurrency
string
Command:
-headless-concurrency
- maximum number of headless templates to be executed in parallel (default 10)
list-headless-action
boolean
Command:
-list-headless-action
- list available headless actions
exclude-matchers-list
file
Command:
-exclude-matchers
- template matchers to exclude in result
follow-host-redirects
boolean
Command:
-follow-host-redirects
- follow redirects on the same host
interactions-eviction
string
Command:
-interactions-eviction
- number of seconds to wait before evicting requests from cache (default 60)
new-templates-version
string
Command:
-new-templates-version
- run new templates added in specific version
exclude-templates-list
file
Command:
-exclude-templates
- template or template directory to exclude
include-templates-list
file
Command:
-include-templates
- templates to be executed even if they are excluded either by default or configuration
allow-local-file-access
boolean
Command:
-allow-local-file-access
- allows file (payload) access anywhere on the system
interactions-cache-size
string
Command:
-interactions-cache-size
- number of requests to keep in the interactions cache (default 5000)
interactions-poll-duration
string
Command:
-interactions-poll-duration
- number of seconds to wait before each interaction poll request (default 5)
interactions-cooldown-period
string
Command:
-interactions-cooldown-period
- extra time for interaction polling before exiting (default 5)
restrict-local-network-access
boolean
Command:
-restrict-local-network-access
- blocks connections to the local / private network