| 1 | + | # nuclei config file |
| 2 | + | # generated by https://github.com/projectdiscovery/goflags |
| 3 | + | |
| 4 | + | # target urls/hosts to scan |
| 5 | + | #target: [] |
| 6 | + | |
| 7 | + | # path to file containing a list of target urls/hosts to scan (one per line) |
| 8 | + | #list: |
| 9 | + | |
| 10 | + | # resume scan using resume.cfg (clustering will be disabled) |
| 11 | + | #resume: false |
| 12 | + | |
| 13 | + | # template or template directory paths to include in the scan |
| 14 | + | #templates: [] |
| 15 | + | |
| 16 | + | # url containing list of templates to run |
| 17 | + | #template-url: [] |
| 18 | + | |
| 19 | + | # run only new templates added in latest nuclei-templates release |
| 20 | + | #new-templates: false |
| 21 | + | |
| 22 | + | # workflow or workflow directory paths to include in the scan |
| 23 | + | #workflows: [] |
| 24 | + | |
| 25 | + | # url containing list of workflows to run |
| 26 | + | #workflow-url: [] |
| 27 | + | |
| 28 | + | # validate the passed templates to nuclei |
| 29 | + | #validate: false |
| 30 | + | |
| 31 | + | # list all available templates |
| 32 | + | #tl: false |
| 33 | + | |
| 34 | + | # allowed domain list to load remote templates from |
| 35 | + | #remote-template-domain: ["api.nuclei.sh"] |
| 36 | + | |
| 37 | + | # execute a subset of templates that contain the provided tags |
| 38 | + | #tags: [] |
| 39 | + | |
| 40 | + | # tags from the default deny list that permit executing more intrusive templates |
| 41 | + | #include-tags: [] |
| 42 | + | |
| 43 | + | # exclude templates with the provided tags |
| 44 | + | exclude-tags: ['dos', 'dns', 'ssl', 'tech', 'token-spray', 'iot', 'token', 'network', 'android', 'metadata', 'wordpress', 'wp-plugin', 'misc'] |
| 45 | + | |
| 46 | + | # templates to be executed even if they are excluded either by default or configuration |
| 47 | + | #include-templates: [] |
| 48 | + | |
| 49 | + | # template or template directory paths to exclude |
| 50 | + | exclude-templates: [ |
| 51 | + | misconfiguration/http-missing-security-headers.yaml, |
| 52 | + | misconfiguration/xss-deprecated-header.yaml, |
| 53 | + | misconfiguration/iis-internal-ip-disclosure.yaml, |
| 54 | + | misconfiguration/aspx-debug-mode.yaml, |
| 55 | + | misconfiguration/front-page-misconfig.yaml, |
| 56 | + | misconfiguration/unauthenticated-varnish-cache-purge.yaml, |
| 57 | + | miscellaneous/robots-txt-endpoint.yaml, |
| 58 | + | exposures/configs/keycloak-openid-config.yaml, |
| 59 | + | exposures/files/readme-md.yaml, |
| 60 | + | exposures/configs/azure-domain-tenant.yaml, |
| 61 | + | exposures/apis/drupal-jsonapi-user-listing.yaml, |
| 62 | + | exposed-panels/drupal-login.yaml, |
| 63 | + | vulnerabilities/generic/cors-misconfig.yaml, |
| 64 | + | vulnerabilities/generic/request-based-interaction.yaml, |
| 65 | + | vulnerabilities/generic/oob-header-based-interaction.yaml, |
| 66 | + | vulnerabilities/other/openvpn-hhi.yaml, |
| 67 | + | cves/2000/CVE-2000-0114.yaml, |
| 68 | + | exposed-panels/key-cloak-admin-panel.yaml |
| 69 | + | ] |
| 70 | + | |
| 71 | + | # templates to run based on severity. possible values: info, low, medium, high, critical |
| 72 | + | #severity: info,low,medium,high,critical |
| 73 | + | |
| 74 | + | # templates to exclude based on severity. possible values: info, low, medium, high, critical |
| 75 | + | #exclude-severity: |
| 76 | + | |
| 77 | + | # protocol types to be executed. possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois |
| 78 | + | #type: |
| 79 | + | |
| 80 | + | # protocol types to not be executed. possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois |
| 81 | + | #exclude-type: |
| 82 | + | |
| 83 | + | # execute templates that are (co-)created by the specified authors |
| 84 | + | #author: [] |
| 85 | + | |
| 86 | + | # list of template ids to run (comma-separated, file) |
| 87 | + | #template-id: [] |
| 88 | + | |
| 89 | + | # list of template ids to exclude (comma-separated, file) |
| 90 | + | #exclude-id: [] |
| 91 | + | |
| 92 | + | # output file to write found issues/vulnerabilities |
| 93 | + | #output: |
| 94 | + | |
| 95 | + | # display findings only |
| 96 | + | # silent: true |
| 97 | + | |
| 98 | + | # disable output content coloring (ansi escape codes) |
| 99 | + | #no-color: false |
| 100 | + | |
| 101 | + | # write output in jsonl(ines) format |
| 102 | + | # json: true |
| 103 | + | |
| 104 | + | # include request/response pairs in the jsonl output (for findings only) |
| 105 | + | #include-rr: false |
| 106 | + | |
| 107 | + | # don't display match metadata |
| 108 | + | #no-meta: false |
| 109 | + | |
| 110 | + | # don't display timestamp metadata in cli output |
| 111 | + | #no-timestamp: false |
| 112 | + | |
| 113 | + | # local nuclei reporting database (always use this to persist report data) |
| 114 | + | #report-db: |
| 115 | + | |
| 116 | + | # show optional match failure status |
| 117 | + | #matcher-status: false |
| 118 | + | |
| 119 | + | # directory to export results in markdown format |
| 120 | + | #markdown-export: |
| 121 | + | |
| 122 | + | # file to export results in sarif format |
| 123 | + | #sarif-export: |
| 124 | + | |
| 125 | + | # path to the nuclei configuration file |
| 126 | + | #config: |
| 127 | + | |
| 128 | + | # nuclei reporting module configuration file |
| 129 | + | #report-config: |
| 130 | + | |
| 131 | + | # custom headers in header:value format |
| 132 | + | #header: [] |
| 133 | + | |
| 134 | + | # custom vars in var=value format |
| 135 | + | #var: |
| 136 | + | |
| 137 | + | # file containing resolver list for nuclei |
| 138 | + | #resolvers: |
| 139 | + | |
| 140 | + | # use system dns resolving as error fallback |
| 141 | + | #system-resolvers: false |
| 142 | + | |
| 143 | + | # enable passive http response processing mode |
| 144 | + | #passive: false |
| 145 | + | |
| 146 | + | # enable environment variables to be used in template |
| 147 | + | #env-vars: false |
| 148 | + | |
| 149 | + | # client certificate file (pem-encoded) used for authenticating against scanned hosts |
| 150 | + | #client-cert: |
| 151 | + | |
| 152 | + | # client key file (pem-encoded) used for authenticating against scanned hosts |
| 153 | + | #client-key: |
| 154 | + | |
| 155 | + | # client certificate authority file (pem-encoded) used for authenticating against scanned hosts |
| 156 | + | #client-ca: |
| 157 | + | |
| 158 | + | # use ztls library with autofallback to standard one for tls13 |
| 159 | + | #ztls: false |
| 160 | + | |
| 161 | + | # interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me) |
| 162 | + | #interactsh-server: |
| 163 | + | |
| 164 | + | # authentication token for self-hosted interactsh server |
| 165 | + | #interactsh-token: |
| 166 | + | |
| 167 | + | # number of requests to keep in the interactions cache |
| 168 | + | #interactions-cache-size: 5000 |
| 169 | + | |
| 170 | + | # number of seconds to wait before evicting requests from cache |
| 171 | + | #interactions-eviction: 60 |
| 172 | + | |
| 173 | + | # number of seconds to wait before each interaction poll request |
| 174 | + | #interactions-poll-duration: 5 |
| 175 | + | |
| 176 | + | # extra time for interaction polling before exiting |
| 177 | + | #interactions-cooldown-period: 5 |
| 178 | + | |
| 179 | + | # disable interactsh server for oast testing, exclude oast based templates |
| 180 | + | #no-interactsh: false |
| 181 | + | |
| 182 | + | # maximum number of requests to send per second |
| 183 | + | # rate-limit: 250 |
| 184 | + | |
| 185 | + | # maximum number of requests to send per minute |
| 186 | + | #rate-limit-minute: 0 |
| 187 | + | |
| 188 | + | # maximum number of hosts to be analyzed in parallel per template |
| 189 | + | #bulk-size: 25 |
| 190 | + | |
| 191 | + | # maximum number of templates to be executed in parallel |
| 192 | + | #concurrency: 20 |
| 193 | + | |
| 194 | + | # maximum number of headless hosts to be analyzed in parallel per template |
| 195 | + | #headless-bulk-size: 10 |
| 196 | + | |
| 197 | + | # maximum number of headless templates to be executed in parallel |
| 198 | + | #headless-concurrency: 10 |
| 199 | + | |
| 200 | + | # time to wait in seconds before timeout |
| 201 | + | #timeout: 5 |
| 202 | + | |
| 203 | + | # number of times to retry a failed request |
| 204 | + | #retries: 1 |
| 205 | + | |
| 206 | + | # leave default http/https ports (eg. host:80,host:443 |
| 207 | + | #leave-default-ports: false |
| 208 | + | |
| 209 | + | # max errors for a host before skipping from scan |
| 210 | + | #max-host-error: 30 |
| 211 | + | |
| 212 | + | # use a project folder to avoid sending same request multiple times |
| 213 | + | #project: false |
| 214 | + | |
| 215 | + | # set a specific project path |
| 216 | + | #project-path: /tmp |
| 217 | + | |
| 218 | + | # stop processing http requests after the first match (may break template/workflow logic) |
| 219 | + | #stop-at-first-path: false |
| 220 | + | |
| 221 | + | # stream mode - start elaborating without sorting the input |
| 222 | + | #stream: false |
| 223 | + | |
| 224 | + | # enable templates that require headless browser support (root user on linux will disable sandbox) |
| 225 | + | #headless: false |
| 226 | + | |
| 227 | + | # seconds to wait for each page in headless mode |
| 228 | + | #page-timeout: 20 |
| 229 | + | |
| 230 | + | # show the browser on the screen when running templates with headless mode |
| 231 | + | #show-browser: false |
| 232 | + | |
| 233 | + | # use local installed chrome browser instead of nuclei installed |
| 234 | + | #system-chrome: false |
| 235 | + | |
| 236 | + | # show all requests and responses |
| 237 | + | #debug: false |
| 238 | + | |
| 239 | + | # show all sent requests |
| 240 | + | #debug-req: false |
| 241 | + | |
| 242 | + | # show all received responses |
| 243 | + | #debug-resp: false |
| 244 | + | |
| 245 | + | # list of http(s)/socks5 proxy to use (comma separated or file input) |
| 246 | + | #proxy: [] |
| 247 | + | |
| 248 | + | # file to write sent requests trace log |
| 249 | + | #trace-log: |
| 250 | + | |
| 251 | + | # file to write sent requests error log |
| 252 | + | #error-log: |
| 253 | + | |
| 254 | + | # show nuclei version |
| 255 | + | #version: false |
| 256 | + | |
| 257 | + | # show verbose output |
| 258 | + | #verbose: false |
| 259 | + | |
| 260 | + | # display templates loaded for scan |
| 261 | + | #vv: false |
| 262 | + | |
| 263 | + | # shows the version of the installed nuclei-templates |
| 264 | + | #templates-version: false |
| 265 | + | |
| 266 | + | # update nuclei engine to the latest released version |
| 267 | + | #update: false |
| 268 | + | |
| 269 | + | # update nuclei-templates to latest released version |
| 270 | + | #update-templates: false |
| 271 | + | |
| 272 | + | # overwrite the default directory to install nuclei-templates |
| 273 | + | #update-directory: /root/nuclei-templates |
| 274 | + | |
| 275 | + | # disable automatic nuclei/templates update check |
| 276 | + | #disable-update-check: false |
| 277 | + | |
| 278 | + | # display statistics about the running scan |
| 279 | + | #stats: false |
| 280 | + | |
| 281 | + | # write statistics data to an output file in jsonl(ines) format |
| 282 | + | #stats-json: false |
| 283 | + | |
| 284 | + | # number of seconds to wait between showing a statistics update |
| 285 | + | #stats-interval: 5 |
| 286 | + | |
| 287 | + | # expose nuclei metrics on a port |
| 288 | + | #metrics: false |
| 289 | + | |
| 290 | + | # port to expose nuclei metrics on |