ProjectDiscovery Part 2: nuclei
Continuing with the theme of running a pentest, nuclei is a logical next step in the discovery phase after subfinder, in that you have a bunch of targets and you’re going to scan them for known vulnerabilities.
The gist of vulnerability scanning is that there are databases of vulnerabilities scattered around the internet. My goto is the Common Vulnerabilities and Exposures (CVEs) database. These databases are not exhaustive; I’ve personally found and facilitated the remediation of dozens of exploitable oopsies and there are no CVEs (or really anything) with my name on them. Occasionally someone I worked with on an assessment will send me a CVE for something I found and we’ll share a sensible chuckle. See also,
- National Vulnerability Database (NVD)
- Exploit Database (Exploit-DB)
- Vulhub
- VulDB
- Packet Storm Security
- CERT/CC Vulnerability Notes Database
- Japan Vulnerability Notes (JVN)
- China National Vulnerability Database (CNVD)
- Open Source Vulnerability Database (OSVDB) — now archived
- Rapid7 Vulnerability & Exploit Database
- Tenable Research Advisories
- Snyk Vulnerability Database
- OSV (Open Source Vulnerabilities)
- GitHub Advisory Database
Each one of these might have a slightly different format. Possibly the Internet Illuminati are still bickering over who is right. I confess that I don’t pay a whole lot of attention to these meta concerns. There’s also apparently a massive problem with duplicates. It’s messy. At minimum, almost every serious vulnerability database will have:
- CVE ID (as a reference key, even if CVE didn’t originate it)
- CVSS score (v2, v3, v4, or some combination)
- Description (though wording varies)
- Affected product/vendor (in some form, even if inconsistently structured)
- Publication date
- References/links to advisories or patches
Vulnerability scanners ingest this information and perform some action or request and analyze whatever data is returned, looking for some information that might indicate possibly vulnerable software. Nuclei has nuclei-templates, which afaict are not purely from these databases but also things the ProjectDiscovery community found useful. Depending on the type of scanner and the access it has (e.g., it has creds), the results can contain anywhere from 10-50% false positives.
Never trust a scanner. Always verify the results. So why even use them? Because mapping the attack surface gives you somewhere to start. Because you’re a team of 2 people and you have 2 weeks and manual testing doesn’t scale well. Because if you don’t pick the low-hanging fruit, someone else will and that is Sofa King embarrassing.
Back to nuclei. Here’s what I did:
% go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# [... wait ...]
% nuclei -update-templates
# [... wait ...]
% nuclei -u https://bobotjones.com
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.7.0
projectdiscovery.io
[WRN] Found 1 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v3.7.0 (latest)
[INF] Current nuclei-templates version: v10.3.9 (latest)
[INF] New templates added in latest release: 11
[INF] Templates loaded for current scan: 9821
[WRN] Loading 2 unsigned templates for scan. Use with caution.
[INF] Executing 9819 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 2239 (Reduced 2114 Requests)
[INF] Using Interactsh Server: oast.me
[waf-detect:nginxgeneric] [http] [info] https://bobotjones.com
[tls-version] [ssl] [info] bobotjones.com:443 ["tls12"]
[tls-version] [ssl] [info] bobotjones.com:443 ["tls13"]
[http-missing-security-headers:permissions-policy] [http] [info] https://bobotjones.com
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://bobotjones.com
[http-missing-security-headers:clear-site-data] [http] [info] https://bobotjones.com
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] https://bobotjones.com
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] https://bobotjones.com
[http-missing-security-headers:strict-transport-security] [http] [info] https://bobotjones.com
[http-missing-security-headers:content-security-policy] [http] [info] https://bobotjones.com
[http-missing-security-headers:x-frame-options] [http] [info] https://bobotjones.com
[http-missing-security-headers:x-content-type-options] [http] [info] https://bobotjones.com
[http-missing-security-headers:referrer-policy] [http] [info] https://bobotjones.com
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] https://bobotjones.com
[rdap-whois:status] [http] [info] https://rdap.verisign.com/com/v1/domain/bobotjones.com ["client transfer prohibited"]
[rdap-whois:registrationDate] [http] [info] https://rdap.verisign.com/com/v1/domain/bobotjones.com ["2026-02-12T22:16:42Z"]
[rdap-whois:lastChangeDate] [http] [info] https://rdap.verisign.com/com/v1/domain/bobotjones.com ["2026-02-12T22:16:43Z"]
[rdap-whois:expirationDate] [http] [info] https://rdap.verisign.com/com/v1/domain/bobotjones.com ["2028-02-12T22:16:42Z"]
[rdap-whois:nameServers] [http] [info] https://rdap.verisign.com/com/v1/domain/bobotjones.com ["X.NS.JOKER.COM","Y.NS.JOKER.COM","Z.NS.JOKER.COM"]
[rdap-whois:secureDNS] [http] [info] https://rdap.verisign.com/com/v1/domain/bobotjones.com ["false"]
[hugo-detect] [http] [info] https://bobotjones.com ["0.146.4"]
[metatag-cms] [http] [info] https://bobotjones.com ["Hugo 0.146.4"]
[caa-fingerprint] [dns] [info] bobotjones.com
[spf-record-detect] [dns] [info] bobotjones.com ["v=spf1 include:_spf.joker.email -all""]
[txt-fingerprint] [dns] [info] bobotjones.com [""v=spf1 include:_spf.joker.email -all""]
[nameserver-fingerprint] [dns] [info] bobotjones.com ["y.ns.joker.com.","z.ns.joker.com.","x.ns.joker.com."]
[aaaa-fingerprint] [dns] [info] bobotjones.com ["2a09:8280:1::d3:2f38:0"]
[srv-service-detect] [dns] [info] _autodiscover._tcp.bobotjones.com ["SRV\t1 0 443 autodiscover.joker.email."]
[mx-fingerprint] [dns] [info] bobotjones.com ["1 smtp.joker.email."]
[ssl-issuer] [ssl] [info] bobotjones.com:443 ["Let's Encrypt"]
[ssl-dns-names] [ssl] [info] bobotjones.com:443 ["bobotjones.com"]
[INF] Scan completed in 2m. 31 matches found.
Each line of nuclei output follows this format:
| Column | Meaning | Example |
|---|---|---|
| Template ID | The name of the specific template that detected the issue | http-missing-security-headers:x-content-type-options |
| Protocol | The protocol used for detection (http, dns, tcp, etc.) | [http] |
| Severity | Risk level of the finding (info, low, medium, high, critical) | [info] |
| Target URL | The domain/URL where the vulnerability was found | https://bobotjones.com |
| Additional Details | Optional extra info returned by the template (may be empty) | ["client transfer prohibited"] |
Alas, my domain is kinda boring. Nothing to see here. I suppose that’s a good thing. The next step in your pentest is to follow up on anything in the critical to medium range. For example, if I had gotten a positive for exposed-jquery-file-upload.yaml, I can see that this template has URLs under the references section, plus CVSS scores and other useful information, that I can review and figure out why I care.
I spent a few days reading through the nuclei-templates repo, looking at how the code uses them and playing with the various flags for nuclei. I learned something new, too! Somehow I have been pentesting for 20 years and I’ve never seen a DNS Service (SRV) records. The one and only email address I have set up with this domain is a joker.com mailbox service. When a mail client tries to autodiscover *@bobotjones.com, it does a DNS lookup, gets the SRV record back, and knows to contact autodiscover.joker.email on port 443 to fetch the mailbox configuration.
An historical note: ProjectDiscovery originated as an open source project started by Nizamul Rana (Ice3man543), Sandeep Singh, Marco Rivoli, and Rishiraj Sharma. Security engineers and/or bug bounty hunters, they were frustrated by the limitations of existing open source security tooling. Now, PD is not only a funded company but a healthy community. In cybersecurity, communities are everything.