Nuclei Scanner Interview Preparation — คู่มือเตรียมสัมภาษณ์
Nuclei เป็น open-source vulnerability scanner จาก ProjectDiscovery ที่ใช้ template-based approach ในการสแกนหา vulnerabilities, misconfigurations และ security issues เป็นเครื่องมือยอดนิยมในวงการ cybersecurity ทั้ง bug bounty hunters, penetration testers และ security engineers การเตรียมตัวสัมภาษณ์ตำแหน่ง security engineer ต้องรู้จัก Nuclei อย่างลึกซึ้ง ทั้งการใช้งาน การเขียน custom templates และการ integrate เข้า CI/CD pipelines บทความนี้รวบรวมคำถามสัมภาษณ์ที่พบบ่อย พร้อมคำตอบและ Python automation tools
Nuclei Fundamentals
# nuclei_basics.py — Nuclei scanner fundamentals
import json
class NucleiBasics:
FEATURES = {
"template_based": {
"name": "Template-Based Scanning",
"description": "ใช้ YAML templates กำหนด detection logic — community มี 8,000+ templates",
},
"fast": {
"name": "High Performance",
"description": "เขียนด้วย Go — สแกนเร็วมาก รองรับ parallel execution",
},
"custom": {
"name": "Custom Templates",
"description": "เขียน template เองได้ — ตรวจจับ vulnerabilities เฉพาะทาง",
},
"protocols": {
"name": "Multi-Protocol",
"description": "รองรับ HTTP, DNS, TCP, SSL, File, Headless, Code, JavaScript",
},
"cicd": {
"name": "CI/CD Integration",
"description": "ใช้ใน pipeline ได้ — GitHub Actions, GitLab CI, Jenkins",
},
}
COMMANDS = """
# Nuclei basic commands
# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Update templates
nuclei -update-templates
# Scan single target
nuclei -u https://example.com
# Scan with specific templates
nuclei -u https://example.com -t cves/ -t misconfigurations/
# Scan with severity filter
nuclei -u https://example.com -severity critical, high
# Scan multiple targets
nuclei -l targets.txt -o results.txt
# Scan with rate limiting
nuclei -u https://example.com -rate-limit 100 -concurrency 25
# JSON output
nuclei -u https://example.com -json -o results.json
# Custom template
nuclei -u https://example.com -t my-custom-template.yaml
"""
def show_features(self):
print("=== Nuclei Features ===\n")
for key, feat in self.FEATURES.items():
print(f"[{feat['name']}]")
print(f" {feat['description']}")
print()
def show_commands(self):
print("=== Basic Commands ===")
print(self.COMMANDS[:500])
basics = NucleiBasics()
basics.show_features()
basics.show_commands()Interview Questions & Answers
# interview_qa.py — Common Nuclei interview questions
import json
class InterviewQA:
QUESTIONS = {
"q1": {
"question": "Nuclei คืออะไร และต่างจาก Nessus/Burp Suite อย่างไร?",
"answer": "Nuclei เป็น open-source template-based scanner — เร็ว customizable community-driven. Nessus: commercial, comprehensive แต่แพง. Burp Suite: web app focused, interactive proxy. Nuclei: automation-first, CI/CD friendly, 8000+ community templates.",
},
"q2": {
"question": "Nuclei template มีโครงสร้างอย่างไร?",
"answer": "YAML format ประกอบด้วย: id (unique identifier), info (metadata, severity, tags), requests/http (request definition), matchers (detection logic), extractors (data extraction). Template types: HTTP, DNS, TCP, SSL, File, Headless, Code.",
},
"q3": {
"question": "อธิบาย matcher types ใน Nuclei",
"answer": "status: match HTTP status code. word: match string in response. regex: match regex pattern. binary: match binary data. dsl: complex conditions (e.g., status_code == 200 && contains(body, 'admin')). size: match response size. ใช้ condition: and/or สำหรับรวมหลาย matchers.",
},
"q4": {
"question": "วิธี integrate Nuclei เข้า CI/CD pipeline?",
"answer": "GitHub Actions: ใช้ nuclei-action. GitLab CI: docker image projectdiscovery/nuclei. Jenkins: shell step. วิธี: scan staging before production deploy, fail pipeline on critical/high findings, send results to Slack/Jira. ใช้ -severity critical, high -fail-on critical.",
},
"q5": {
"question": "วิธีเขียน custom template สำหรับ detect specific vulnerability?",
"answer": "1) วิเคราะห์ vulnerability (CVE details, PoC) 2) สร้าง YAML template: กำหนด request path/method/body 3) เขียน matchers ตาม vulnerable response 4) Test กับ vulnerable target 5) Validate ไม่มี false positive 6) Submit to nuclei-templates repo (optional).",
},
"q6": {
"question": "Nuclei รองรับ authenticated scanning ไหม?",
"answer": "ได้ — ใช้ cookie header, Authorization header, หรือ raw request with login flow. วิธี: 1) Cookie: -H 'Cookie: session=xxx' 2) Bearer token: -H 'Authorization: Bearer xxx' 3) Template: ใช้ requests chain — login request → extract token → use in subsequent requests.",
},
}
def show_questions(self):
print("=== Interview Questions ===\n")
for key, qa in self.QUESTIONS.items():
print(f"Q: {qa['question']}")
print(f"A: {qa['answer'][:150]}...")
print()
qa = InterviewQA()
qa.show_questions()Custom Template Writing
# templates.py — Writing custom Nuclei templates
import json
class CustomTemplates:
BASIC_TEMPLATE = """
# basic-check.yaml — Basic Nuclei template
id: custom-admin-panel-check
info:
name: Admin Panel Detection
author: security-team
severity: info
description: Detect exposed admin panels
tags: admin, panel, exposure
http:
- method: GET
path:
- "{{BaseURL}}/admin"
- "{{BaseURL}}/admin/login"
- "{{BaseURL}}/wp-admin"
- "{{BaseURL}}/administrator"
matchers-condition: or
matchers:
- type: word
words:
- "admin"
- "login"
- "dashboard"
condition: or
- type: status
status:
- 200
- 302
"""
CVE_TEMPLATE = """
# cve-2024-xxxx.yaml — CVE detection template
id: cve-2024-example-rce
info:
name: Example RCE CVE-2024-XXXX
author: security-team
severity: critical
description: Remote Code Execution in Example App
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-XXXX
tags: cve, cve2024, rce, example
http:
- raw:
- |
POST /api/eval HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"expression": "{{cmd}}"}
payloads:
cmd:
- "id"
- "whoami"
matchers-condition: and
matchers:
- type: regex
regex:
- "uid=[0-9]+.*gid=[0-9]+"
- "(root|www-data|nobody)"
condition: or
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "uid=[0-9]+\\(([a-z]+)\\)"
group: 1
"""
WORKFLOW = """
# recon-workflow.yaml — Nuclei workflow
id: recon-workflow
info:
name: Full Recon Workflow
author: security-team
workflows:
- template: technologies/tech-detect.yaml
subtemplates:
- tags: wordpress
templates:
- wordpress/
- tags: jira
templates:
- jira/
- tags: nginx
templates:
- misconfigurations/nginx/
"""
def show_basic(self):
print("=== Basic Template ===")
print(self.BASIC_TEMPLATE[:500])
def show_cve(self):
print("\n=== CVE Template ===")
print(self.CVE_TEMPLATE[:500])
templates = CustomTemplates()
templates.show_basic()
templates.show_cve()Python Automation
# automation.py — Python Nuclei automation
import json
class NucleiAutomation:
CODE = """
# nuclei_automation.py — Automate Nuclei scanning
import subprocess
import json
from pathlib import Path
from datetime import datetime
class NucleiRunner:
def __init__(self, nuclei_path="nuclei"):
self.nuclei_path = nuclei_path
def scan(self, target, templates=None, severity=None,
rate_limit=150, concurrency=25, timeout=10):
'''Run Nuclei scan'''
cmd = [
self.nuclei_path,
"-u", target,
"-json",
"-rate-limit", str(rate_limit),
"-concurrency", str(concurrency),
"-timeout", str(timeout),
"-silent",
]
if templates:
for t in templates:
cmd.extend(["-t", t])
if severity:
cmd.extend(["-severity", severity])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
findings = []
for line in result.stdout.strip().split('\\n'):
if line:
try:
findings.append(json.loads(line))
except:
pass
return findings
def scan_multiple(self, targets_file, output_file, severity="critical, high"):
'''Scan multiple targets from file'''
cmd = [
self.nuclei_path,
"-l", targets_file,
"-json",
"-o", output_file,
"-severity", severity,
"-silent",
]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=3600)
return result.returncode == 0
def generate_report(self, findings):
'''Generate scan report'''
severity_count = {}
for f in findings:
sev = f.get('info', {}).get('severity', 'unknown')
severity_count[sev] = severity_count.get(sev, 0) + 1
report = {
'scan_date': datetime.utcnow().isoformat(),
'total_findings': len(findings),
'severity_breakdown': severity_count,
'critical': [f for f in findings if f.get('info', {}).get('severity') == 'critical'],
'high': [f for f in findings if f.get('info', {}).get('severity') == 'high'],
}
return report
def compare_scans(self, previous, current):
'''Compare two scans to find new findings'''
prev_ids = {f.get('template-id') + f.get('matched-at', '') for f in previous}
new_findings = [
f for f in current
if f.get('template-id') + f.get('matched-at', '') not in prev_ids
]
return {
'previous_count': len(previous),
'current_count': len(current),
'new_findings': len(new_findings),
'details': new_findings,
}
# runner = NucleiRunner()
# findings = runner.scan("https://example.com", severity="critical, high")
# report = runner.generate_report(findings)
"""
def show_code(self):
print("=== Nuclei Automation ===")
print(self.CODE[:600])
auto = NucleiAutomation()
auto.show_code()CI/CD Integration
# cicd.py — Nuclei CI/CD integration
import json
class NucleiCICD:
GITHUB_ACTIONS = """
# .github/workflows/security-scan.yml
name: Security Scan
on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 6 * * 1' # Weekly Monday 6am
jobs:
nuclei-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: https://staging.example.com
flags: "-severity critical, high -json"
output: nuclei-results.json
- name: Parse Results
run: |
CRITICAL=$(cat nuclei-results.json | jq '[.[] | select(.info.severity=="critical")] | length')
HIGH=$(cat nuclei-results.json | jq '[.[] | select(.info.severity=="high")] | length')
echo "Critical: $CRITICAL, High: $HIGH"
if [ "$CRITICAL" -gt 0 ]; then
echo "CRITICAL vulnerabilities found!"
exit 1
fi
- name: Upload Results
if: always()
uses: actions/upload-artifact@v4
with:
name: nuclei-results
path: nuclei-results.json
- name: Notify Slack
if: failure()
uses: slackapi/slack-github-action@v1
with:
payload: |
{"text": "Security scan FAILED - critical vulnerabilities found!"}
"""
BEST_PRACTICES = [
"Scan staging ก่อน production deploy ทุกครั้ง",
"Fail pipeline เฉพาะ critical/high — info/medium เป็น warning",
"ใช้ rate limiting เพื่อไม่ DDoS target ตัวเอง",
"เก็บ results เปรียบเทียบกับ scan ก่อนหน้า — หา new findings",
"สร้าง custom templates สำหรับ application-specific vulnerabilities",
"Update templates ทุกสัปดาห์ — CVEs ใหม่มาตลอด",
"Exclude false positives ด้วย -exclude-templates flag",
]
def show_github(self):
print("=== GitHub Actions ===")
print(self.GITHUB_ACTIONS[:500])
def show_practices(self):
print(f"\n=== Best Practices ===")
for bp in self.BEST_PRACTICES:
print(f" • {bp}")
cicd = NucleiCICD()
cicd.show_github()
cicd.show_practices()FAQ - คำถามที่พบบ่อย
Q: Nuclei เหมาะสำหรับงานอะไร?
A: Bug bounty: recon + vulnerability scanning อัตโนมัติ Pentest: automated scanning phase ก่อน manual testing DevSecOps: CI/CD security scanning — scan ทุก deploy Red team: attack surface discovery + known CVE detection ไม่เหมาะ: deep manual testing, business logic vulnerabilities (ต้องใช้ Burp Suite)
Q: Nuclei กับ OWASP ZAP อันไหนดีกว่า?
A: Nuclei: template-based, เร็วกว่า, CI/CD friendly, known CVEs detection ดีมาก ZAP: active scanner, crawling, DAST, interactive proxy, business logic testing ใช้ร่วมกัน: Nuclei สำหรับ known vulnerabilities + misconfigurations, ZAP สำหรับ DAST + active crawling
Q: เขียน custom template ยากไหม?
A: ไม่ยาก — YAML format อ่านง่าย เริ่มจาก: copy template ที่คล้ายกัน → แก้ path, matchers, extractors เรียนรู้: อ่าน existing templates ใน nuclei-templates repo documentation: templates.nuclei.sh — อธิบายทุก feature ฝึก: สร้าง template สำหรับ detect technology stack ของ application ตัวเอง
Q: False positive จัดการยังไง?
A: Exclude templates: -exclude-templates path/to/template.yaml Exclude IDs: -exclude-id template-id1, template-id2 Validate: ตรวจสอบ findings ด้วยมือก่อน report Custom matchers: เขียน matcher ให้แม่นยำขึ้น — ใช้ DSL conditions Baseline: เก็บ known false positives → filter ออกจาก results อัตโนมัติ
