Nuclei: open-source DAST using YAML templates
November 17, 2025·186 views


Salute,

Today let's look at dynamic application security testing (DAST) with a scanner driven by a YAML templating engine. I want to share a handy tool that is commonly used alongside Burp Suite.

Description

Nuclei supports web applications, APIs, network services and cloud infrastructure. The official repository documents the flags used below. It supports parallel processing for bulk scanning and works in conjunction with subfinder, httpx and naabu. It has no policy settings of its own: quality-gate policies are managed at the pipeline level where it is invoked. MIT license.

The tool has some features worth noting:

- Templates that use the code or javascript protocols require a digital signature and the explicit -code flag to run

- Use the -disable-unsigned-templates mode, which restricts execution to signed templates, and run only in a sandboxed environment

- Running unverified third-party templates is dangerous because of the risk of introducing malicious code

- Before launching, review a template's id, info, payloads and fuzzing sections for suspicious operations

- Use the rate-limit flag -rl and the parallel-requests flag -c
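A pre-flight check of the kind the list above calls for, as an added example (not code from the original post or from the nuclei project): it walks template files and reports which top-level protocol sections each one declares, so templates that would need a signature and -code (code/javascript protocols) or that lack id/info metadata are surfaced for review before a run. It is a line-based check on column-0 keys, not a YAML parser, and the three sample templates are constructed for the demo.

```python
"""Pre-flight review of Nuclei templates before they are passed to -t.

Added example, not part of the original post or the nuclei project. It is a
line-based inspection of top-level keys, not a YAML parser; the sample
templates below are constructed for the demo.
"""
import re
from pathlib import Path

# Top-level protocol/orchestration keys a nuclei template may declare.
SECTION_KEYS = {"http", "dns", "tcp", "network", "ssl", "headless",
                "websocket", "whois", "file", "flow", "code", "javascript"}
# Sections that execute code on the scanner host: need signing and -code.
CODE_KEYS = {"code", "javascript"}

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):")  # key at column 0 only
ID_LINE = re.compile(r"^id:\s*(\S+)")


def audit_template(text: str) -> dict:
    """Summarise one template's top-level sections and any review concerns."""
    keys = set()
    template_id = None
    for line in text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if not m:
            continue                      # indented lines and comments are skipped
        keys.add(m.group(1))
        m_id = ID_LINE.match(line)
        if m_id:
            template_id = m_id.group(1)
    concerns = []
    if "id" not in keys:
        concerns.append("missing id")
    if "info" not in keys:
        concerns.append("missing info block")
    needs_code = bool(keys & CODE_KEYS)
    if needs_code:
        concerns.append("uses code/javascript: requires signature and -code")
    return {
        "id": template_id,
        "sections": sorted(keys & SECTION_KEYS),
        "needs_code_flag": needs_code,
        "concerns": concerns,
    }


def audit_directory(root: str) -> list:
    """Audit every *.yaml template under root (recursively)."""
    results = []
    for path in sorted(Path(root).rglob("*.yaml")):
        result = audit_template(path.read_text(encoding="utf-8", errors="replace"))
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed sample templates (not real nuclei templates).
SAFE_HTTP_TEMPLATE = """\
id: sample-http-check
info:
  name: Sample header check
  severity: info
http:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: word
        words:
          - "Example Domain"
"""

CODE_TEMPLATE = """\
id: sample-code-template
info:
  name: Sample code template
  severity: info
code:
  - engine:
      - sh
    source: |
      echo "hello from {{Host}}"
"""

NO_INFO_TEMPLATE = """\
id: sample-no-info
http:
  - method: GET
    path:
      - "{{BaseURL}}/robots.txt"
"""

if __name__ == "__main__":
    for sample in (SAFE_HTTP_TEMPLATE, CODE_TEMPLATE, NO_INFO_TEMPLATE):
        r = audit_template(sample)
        status = "REVIEW" if r["concerns"] else "ok"
        print(f"{r['id']}: {status} sections={r['sections']} {r['concerns']}")
```

Run it against a local template directory with audit_directory("./templates") and feed only the entries with an empty concerns list to -t; anything flagged goes through a manual read of its payloads before it is signed or run with -code.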

Application

nuclei -u https://example.ru # Single target scanning

nuclei -l targets.txt # Scan the list of targets

nuclei -u https://example.ru -t cves/2021/CVE-2021-12345.yaml # Running a specific template

nuclei -u https://example.ru -tags jira -s critical,high # Filtering by tags and severity

nuclei -u https://example.ru -as # Automatic detection of technologies

subfinder -d example.ru | httpx | nuclei # Integration with exploration tools

nuclei -l openapi.json -im openapi # OpenAPI scanning

nuclei -t template_with_code.yaml -code -c 50 -rl 100 # Safely run templates with code

docker run projectdiscovery/nuclei:latest -u https://example.ru # Run scanning from docker

GitLab CI

security_scan:
  stage: test
  image: golang:latest
  before_script:
    - go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
  script:
    - nuclei -u $URL -t /templates -json -o nuclei-report.json
  artifacts:
    when: always   # keep the report even if the job fails
    paths:
      - nuclei-report.json

Jenkins

pipeline {
    agent any   // added so the snippet is a complete declarative pipeline
    stages {
        stage('Security Scan') {
            steps {
                sh '''
                    # Install Nuclei
                    go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
                    # Start scan (v3 renamed the JSON-lines output flag from -json to -jsonl)
                    $HOME/go/bin/nuclei -u $URL -t $NUCLEI_TEMPLATES -jsonl -o nuclei-report.json
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'nuclei-report.json', fingerprint: true
        }
    }
}
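Since nuclei has no policy settings of its own, the pass/fail decision belongs in the pipeline. The following quality gate is an added example (not code from the original post or the nuclei project) that runs as an extra step after either CI snippet above: it reads the report written with -o in JSON-lines form (one object per finding, severity under info.severity), counts findings by severity and exits non-zero when any finding reaches the configured threshold. Malformed lines fail the gate as well, so a truncated or corrupted report cannot pass silently. The sample report is constructed and trimmed to the fields the gate uses.

```python
"""Quality gate over a Nuclei JSON-lines report for CI pipelines.

Added example, not part of the original post or the nuclei project. Exit
status 1 fails the pipeline stage; the sample report is constructed.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3,
                 "high": 4, "critical": 5}

# Constructed sample report in nuclei's JSON-lines shape (not real findings).
SAMPLE_REPORT = "\n".join([
    json.dumps({"template-id": "tech-detect", "host": "https://example.com",
                "info": {"name": "Technology detection", "severity": "info"}}),
    json.dumps({"template-id": "missing-csp", "host": "https://example.com",
                "info": {"name": "Missing CSP header", "severity": "low"}}),
    json.dumps({"template-id": "exposed-config", "host": "https://example.com",
                "info": {"name": "Exposed config file", "severity": "high"}}),
    "",  # trailing blank line, as report files usually have
])


def count_by_severity(jsonl_text: str) -> Counter:
    """Count findings per severity; unparsable lines count as 'malformed'."""
    counts = Counter()
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            finding = json.loads(line)
        except json.JSONDecodeError:
            counts["malformed"] += 1
            continue
        if not isinstance(finding, dict):
            counts["malformed"] += 1
            continue
        info = finding.get("info")
        sev = info.get("severity") if isinstance(info, dict) else None
        sev = str(sev).lower() if sev is not None else "unknown"
        counts[sev if sev in SEVERITY_RANK else "unknown"] += 1
    return counts


def gate(jsonl_text: str, fail_at: str = "high") -> dict:
    """Fail when any finding is at or above fail_at, or the report is malformed."""
    threshold = SEVERITY_RANK[fail_at]
    counts = count_by_severity(jsonl_text)
    blocking = sum(n for sev, n in counts.items()
                   if sev != "malformed" and SEVERITY_RANK[sev] >= threshold)
    malformed = counts["malformed"]   # Counter returns 0 when absent
    return {"counts": dict(counts), "blocking": blocking,
            "malformed": malformed, "passed": blocking == 0 and malformed == 0}


if __name__ == "__main__":
    # Usage: python gate.py nuclei-report.json [fail_at]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    fail_at = sys.argv[2] if len(sys.argv) > 2 else "high"
    result = gate(text, fail_at)
    print(f"findings by severity: {result['counts']}")
    print(f"blocking (>= {fail_at}): {result['blocking']}, malformed lines: {result['malformed']}")
    sys.exit(0 if result["passed"] else 1)
```

In GitLab this is one more line in script after the scan; in Jenkins it is a second sh step, with the post/always archive keeping the report regardless of the gate's verdict.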

Overall: the tool is worth using, but it needs extra preparation, and that preparation will surface weak spots where you can see your room for growth. Note that:

- The CI environment must provide the URL under test (for example URL = 'https://example.com') and the template path (NUCLEI_TEMPLATES = '/templates')

- It has a huge database of current templates and a low false-positive rate

- Supports multiple protocols (HTTP, TCP, DNS, SSL)

- There is a risk of running malicious templates if the operator lacks experience

- Scans can have a DoS effect on production systems

- Writing your own templates requires expertise

- Besides web applications, it also tests APIs, cloud infrastructure (AWS S3, Azure, etc.) and network devices, including those of third-party providers

#toolchain #dast
