
Nuclei Scanner Tech Conference 2026

2025-10-10 · อ. บอม — SiamCafe.net · 9,855 words

Nuclei Scanner

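Nuclei is ProjectDiscovery's template-based scanner, written in Go. Its YAML templates, which cover multiple protocols, detect CVEs, other vulnerabilities and misconfigurations, and it is used in bug bounty work, CI/CD pipelines and enterprise security.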

| Feature | Description | Template Count | Use Case |
|---|---|---|---|
| CVE Detection | Known vulnerabilities | 3000+ | Patch management |
| Misconfigurations | Server/app misconfig | 1000+ | Hardening |
| Exposed Panels | Admin panels, dashboards | 500+ | Attack surface |
| Default Logins | Default credentials | 300+ | Access control |
| Takeovers | DNS/subdomain takeover | 100+ | Domain security |
| Technologies | Tech stack detection | 500+ | Reconnaissance |

Installation and Usage

# === Nuclei Setup and Scanning ===

# Install
# go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# or
# docker pull projectdiscovery/nuclei:latest

# Update templates
# nuclei -update-templates

# Basic scan
# nuclei -u https://target.com

# Scan with specific severity
# nuclei -u https://target.com -severity critical,high

# Scan with specific templates
# nuclei -u https://target.com -t cves/ -t misconfigurations/

# Scan multiple targets
# nuclei -l targets.txt -severity critical,high -o results.txt

# JSON Lines output for automation (nuclei v3 uses -jsonl in place of -json)
# nuclei -u https://target.com -jsonl -o results.jsonl

# Rate limiting
# nuclei -u https://target.com -rate-limit 100 -bulk-size 25 -concurrency 10

# Scan with custom headers
# nuclei -u https://target.com -H "Authorization: Bearer TOKEN"

# Exclude certain templates
# nuclei -u https://target.com -exclude-tags dos,fuzz

from dataclasses import dataclass

@dataclass
class ScanProfile:
    profile: str
    templates: str
    severity: str
    rate_limit: int
    duration: str
    use_case: str

profiles = [
    ScanProfile("Quick Scan", "-t exposed-panels/ -t technologies/",
        "info, low", 150, "1-5 min", "Every PR / deploy"),
    ScanProfile("Standard Scan", "-t cves/ -t misconfigurations/",
        "medium, high, critical", 100, "10-30 min", "Weekly"),
    ScanProfile("Full Scan", "All templates",
        "all", 50, "1-4 hours", "Monthly / quarterly"),
    ScanProfile("Bug Bounty", "-t cves/ -t takeovers/ -t exposures/",
        "high, critical", 100, "30-60 min", "Per program"),
    ScanProfile("Compliance", "-t misconfigurations/ -t ssl/",
        "medium, high", 100, "15-30 min", "Compliance audit"),
]

print("=== Scan Profiles ===")
for p in profiles:
    print(f"  [{p.profile}] Templates: {p.templates}")
    print(f"    Severity: {p.severity} | Rate: {p.rate_limit}/s")
    print(f"    Duration: {p.duration} | Use: {p.use_case}")

Custom Template

# === Custom Nuclei Template ===

# my-custom-check.yaml
# id: my-admin-panel-check
# info:
#   name: Admin Panel Detection
#   author: myteam
#   severity: medium
#   description: Detects exposed admin panels
#   tags: admin,panel,exposure
#
# http:
#   - method: GET
#     path:
#       - "{{BaseURL}}/admin"
#       - "{{BaseURL}}/admin/login"
#       - "{{BaseURL}}/wp-admin"
#       - "{{BaseURL}}/administrator"
#       - "{{BaseURL}}/panel"
#
#     matchers-condition: and
#     matchers:
#       - type: status
#         status:
#           - 200
#       - type: word
#         words:
#           - "login"
#           - "password"
#           - "admin"
#         condition: or
#
#     extractors:
#       # Report the page title so the finding shows which panel answered
#       - type: regex
#         regex:
#           - '<title>(.*?)</title>'
#         group: 1

# Advanced: regex matcher with a named extractor
# id: api-key-leak
# info:
#   name: API Key Leak Detection
#   author: myteam
#   severity: high
#
# http:
#   - method: GET
#     path:
#       - "{{BaseURL}}/.env"
#       - "{{BaseURL}}/config.json"
#       - "{{BaseURL}}/.git/config"
#
#     matchers:
#       - type: regex
#         regex:
#           - "(?i)(api[_-]?key|api[_-]?secret|access[_-]?token)\\s*[=:]\\s*['\"]?([a-zA-Z0-9_-]{20,})"
#
#     extractors:
#       # Same alternatives as the matcher, so every match yields an extracted value
#       - type: regex
#         name: leaked_key
#         regex:
#           - "(?i)(api[_-]?key|api[_-]?secret|access[_-]?token)\\s*[=:]\\s*['\"]?([a-zA-Z0-9_-]{20,})"
#         group: 2

# Validate template
# nuclei -validate -t my-custom-check.yaml
# nuclei -t my-custom-check.yaml -u https://target.com -debug

@dataclass
class TemplateExample:
    name: str
    severity: str
    type: str
    matcher: str
    finding: str

examples = [
    TemplateExample("CVE-2024-XXXX", "critical", "HTTP",
        "Status 200 + specific response body",
        "Known vulnerability with exploit"),
    TemplateExample("Exposed .env file", "high", "HTTP",
        "Status 200 + regex for API keys",
        "Sensitive credentials exposed"),
    TemplateExample("Open redirect", "medium", "HTTP",
        "Status 302 + Location header match",
        "URL redirect manipulation"),
    TemplateExample("Missing security headers", "info", "HTTP",
        "Negative match for headers",
        "X-Frame-Options, CSP missing"),
    TemplateExample("SSL certificate expiry", "low", "SSL",
        "Certificate expiry < 30 days",
        "SSL cert about to expire"),
]

print("\nTemplate Examples:")
for e in examples:
    print(f"  [{e.severity.upper()}] {e.name}")
    print(f"    Type: {e.type} | Matcher: {e.matcher}")
    print(f"    Finding: {e.finding}")
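
How the two templates above decide a match, as an added example (not code from the original article or from Nuclei): a simplified Python model of matchers-condition and the word and regex matchers, run over constructed responses. It shows where the admin-panel check over-matches and under-matches; all response bodies and key values are made up.

```python
import re

# Matchers of my-admin-panel-check as data. Simplified model, not Nuclei's engine.
MATCHERS = [
    {"type": "status", "status": [200]},
    {"type": "word", "words": ["login", "password", "admin"], "condition": "or"},
]
# Matcher regex of api-key-leak after YAML unescaping; group 2 is the secret value.
KEY_RE = re.compile(
    r"(?i)(api[_-]?key|api[_-]?secret|access[_-]?token)\s*[=:]\s*['\"]?([a-zA-Z0-9_-]{20,})")

def match_one(matcher, status, body):
    """Evaluate a single status or word matcher against one response."""
    if matcher["type"] == "status":
        return status in matcher["status"]
    hits = [w in body for w in matcher["words"]]  # case-sensitive, as in Nuclei by default
    return all(hits) if matcher.get("condition") == "and" else any(hits)

def template_matches(status, body, matchers_condition="and"):
    """Combine matcher results the way matchers-condition does."""
    results = [match_one(m, status, body) for m in MATCHERS]
    return all(results) if matchers_condition == "and" else any(results)

def extract_keys(body):
    """Return what the regex extractor reports with group: 2."""
    return [m.group(2) for m in KEY_RE.finditer(body)]

# Constructed responses: (status, body)
CASES = {
    "login form": (200, "<form><input name='password'></form>"),
    "article mentioning admin": (200, "<p>Ask the site admin for help.</p>"),
    "capitalised heading only": (200, "<h1>Login</h1>"),
    "404 page with login link": (404, "<a href='/login'>login</a>"),
}
# Constructed .env body with fake values
ENV_BODY = (
    "API_KEY=abcdefghijklmnopqrstuvwxyz012345\n"
    "api_secret: 'short'\n"
    'ACCESS-TOKEN = "' + "A" * 24 + '"\n'
)

if __name__ == "__main__":
    for name, (status, body) in CASES.items():
        print(f"{name:28} -> {template_matches(status, body)}")
    print(extract_keys(ENV_BODY))
```

The article that merely mentions "admin" matches, while the page whose only keyword is a capitalised "Login" does not, which is the argument for tighter words or a case-insensitive matcher before this check feeds a CI gate.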

CI/CD and Enterprise

# === CI/CD Integration ===

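# GitHub Actions
# name: Nuclei Security Scan
# on:
#   push:
#     branches: [main]
#   schedule:
#     - cron: '0 2 * * *'
#
# permissions:
#   contents: read
#   security-events: write   # required by upload-sarif
#
# jobs:
#   scan:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       # Pin third-party actions to a release tag or commit SHA instead of @main
#       - uses: projectdiscovery/nuclei-action@main
#         with:
#           target: https://myapp.com
#           flags: "-severity critical,high -jsonl -sarif-export nuclei-results.sarif"
#           output: nuclei-results.json
#       - name: Parse results
#         run: |
#           # -jsonl writes one JSON object per line; jq -s slurps them into an array
#           CRITICAL=$(jq -s '[.[] | select(.info.severity=="critical")] | length' nuclei-results.json)
#           if [ "$CRITICAL" -gt 0 ]; then
#             echo "CRITICAL vulnerabilities found!"
#             exit 1
#           fi
#       - uses: github/codeql-action/upload-sarif@v3
#         if: always()   # upload the report even when the gate step above fails
#         with:
#           sarif_file: nuclei-results.sarif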

@dataclass
class EnterpriseFeature:
    feature: str
    description: str
    benefit: str
    tool: str

features = [
    EnterpriseFeature("Asset Discovery", "Discover all subdomains and services",
        "Complete attack surface visibility",
        "subfinder + httpx + nuclei pipeline"),
    EnterpriseFeature("Scheduled Scanning", "Automated recurring scans",
        "Continuous security monitoring",
        "Cron + nuclei + reporting"),
    EnterpriseFeature("Custom Templates", "Organization-specific checks",
        "Tailored security testing",
        "Private template repository"),
    EnterpriseFeature("Integration", "Send findings to tracking systems",
        "Streamlined remediation workflow",
        "DefectDojo, Jira, Slack webhooks"),
    EnterpriseFeature("Compliance", "Map findings to compliance frameworks",
        "Audit readiness",
        "OWASP Top 10, CIS, PCI DSS tags"),
    EnterpriseFeature("Reporting", "Executive and technical reports",
        "Stakeholder communication",
        "JSON, SARIF, Markdown, HTML"),
]

print("Enterprise Features:")
for f in features:
    print(f"  [{f.feature}] {f.description}")
    print(f"    Benefit: {f.benefit}")
    print(f"    Tool: {f.tool}")
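
A severity-threshold gate for the "Parse results" step above, as an added example rather than code from the original article: it reads `nuclei -jsonl` output, skips non-JSON lines, de-duplicates findings and returns a non-zero exit code at or above the chosen severity. The sample lines, host names and the example-banner-check template id are constructed; the field names (template-id, info.severity, matched-at) are those of Nuclei's JSON output.

```python
import json
from collections import Counter

# Nuclei severity names, lowest to highest, used for the threshold comparison.
ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample of `nuclei -jsonl` output: one JSON object per line.
SAMPLE_JSONL = """\
{"template-id": "my-admin-panel-check", "info": {"name": "Admin Panel Detection", "severity": "medium"}, "host": "https://staging.example.test", "matched-at": "https://staging.example.test/admin"}
{"template-id": "api-key-leak", "info": {"name": "API Key Leak Detection", "severity": "high"}, "host": "https://staging.example.test", "matched-at": "https://staging.example.test/.env"}
{"template-id": "api-key-leak", "info": {"name": "API Key Leak Detection", "severity": "high"}, "host": "https://staging.example.test", "matched-at": "https://staging.example.test/.env"}
stray progress line that is not JSON
{"template-id": "example-banner-check", "info": {"name": "Banner Check", "severity": "info"}, "host": "https://staging.example.test", "matched-at": "https://staging.example.test"}
"""

def parse_findings(text):
    """Parse JSONL, skip blank or non-JSON lines, de-duplicate on (template, location)."""
    seen, findings = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        key = (rec.get("template-id"), rec.get("matched-at"))
        if key not in seen:
            seen.add(key)
            findings.append(rec)
    return findings

def gate(findings, threshold="high"):
    """Return (exit_code, counts, blocking); exit_code is 1 if any finding >= threshold."""
    floor = ORDER.index(threshold)
    sev = lambda f: f.get("info", {}).get("severity", "unknown").lower()
    counts = Counter(sev(f) for f in findings)
    # Severities outside ORDER (e.g. "unknown") are counted but do not block.
    blocking = [f for f in findings if sev(f) in ORDER[floor:]]
    return (1 if blocking else 0), counts, blocking

if __name__ == "__main__":
    code, counts, blocking = gate(parse_findings(SAMPLE_JSONL), "high")
    print(dict(counts))
    for f in blocking:
        print(f"BLOCK [{f['info']['severity']}] {f['template-id']} {f['matched-at']}")
    raise SystemExit(code)
```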

Tips

What is Nuclei Scanner?

An open-source vulnerability scanner from ProjectDiscovery, written in Go and driven by YAML templates. It covers CVEs, misconfigurations, exposed panels, default logins and DNS takeovers, with 6000 templates.

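How does the template system work?

A YAML template defines a request and the matchers applied to the response, combined through matchers-condition. Extractors pull values such as a version out of the response. Templates also support workflows, variables, helper functions (base64, md5) and Interactsh for out-of-band detection.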

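How do you write a custom template?

Write a YAML file with an id, an info block including severity, the requests, matchers (status, word, regex) and extractors. Check it with nuclei -validate, then run it with -debug against a test target.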

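How is it used in CI/CD?

Run it from GitHub Actions or the projectdiscovery/nuclei Docker image with a severity threshold, write JSON or SARIF output, and send findings to DefectDojo. Run a full scan nightly and a quick scan on each PR, and alert on the results.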

Summary

Nuclei scans for CVEs and other vulnerabilities using YAML templates and can be extended with custom templates. It fits CI/CD through GitHub Actions and serves bug bounty work, enterprise security, compliance and automation in production.
