What is Nuclei?
Nuclei is an open source toolkit used to scan Website security holes or find Bugs. Some Bug Hunters are using this tool to receive bonuses from websites with weak security. A special feature that Nuclei is favored by many Hackers is that it has a large user community and the error code templates are always updated regularly, so when a vulnerability has just been released, Nuclei already has a template to scan.
Another highlight is that Nuclei is completely free and you can customize how to scan Website as well as create templates to scan Website bugs to your liking.
Nuclei can scan various protocols, including DNS, HTTP, TCP and many more. All kinds of security checks can be performed using kernel templates.
How to install Nuclei
It is recommended to turn off anti-virus programs on Windows when performing Upgrade Kali Linux to avoid blocking installation packages. To install Nuclei, execute the following commands on Kali Linux:
Enter password user
apt-get update -y
apt-get upgrade -y
Because nuclei is written in Goland language, so we need to install Goland on Kali Linux, execute the following commands:
apt install gccgo-go -y
apt install golang-go -y
Install Nuclei to scan Website security holes
git clone https://github.com/projectdiscovery/nuclei.git; \
cd nuclei/v2/cmd/nuclei; \
go build; \
mv nuclei /usr/local/bin/; \
After the installation is complete, type the command
nuclei -h to start
The case of reported nuclei outdated, is because you downloaded the old version. Let’s execute the update template command again.
Use the command:
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
If successful, you will see the following interface:
How to use Nuclei to scan Website vulnerabilities
To search for Website Bugs, we execute the following command:
nuclei -u địa-chỉ-website
nuclei -u https://domain.com
In case some Websites will have a firewall (WAF) and block scanning processes, you can reduce the frequency of sending requests to the server by rate-limit. Let’s use the parameter:
nuclei -u https://domain.com -rate-limit 1 //ie send 1 second send 1 request
To bypass WAF, you can change the packet header to avoid blocking, with the parameter
nuclei -u https://domain.com -rate-limit 1 -header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64)'
In case you want to scan many Web pages, create a file named url.txt, fill in 1 Web page for each line, then use the syntax
You can see more examples when scanning Website vulnerabilities at the nuclei home page.