
Nuclei

8000+ templates, JSONL output. Part of AuditCore's automated security audit pipeline — runs on every scan in the Pro tier and above, with findings normalized into a single severity-rated table.

What is Nuclei?

Nuclei is ProjectDiscovery's template-based vulnerability scanner — fundamentally different from a traditional fuzzer. Instead of trying random payloads, Nuclei runs against a community-maintained library of 8,000+ YAML templates, each encoding a specific known vulnerability (a CVE, a misconfiguration, an exposed admin panel). For AuditCore, this means every Pro+ scan checks your target against the exact same template set that bug-bounty hunters use to find low-hanging vulnerabilities for bounty payouts.

We pull the official `nuclei-templates` repo on every scanner update, so a CVE published Monday becomes a Nuclei template by Tuesday and an AuditCore finding by Wednesday. Templates cover: known-vulnerable web apps (WordPress plugins with CVEs, Confluence RCEs, Spring Boot Actuator exposures), exposed admin panels (phpMyAdmin, Jenkins, Grafana, Kubernetes dashboards), default credentials (hundreds of vendor combinations), info-disclosure (`.env`, `.git`, `swagger.json`, AWS metadata IMDSv1), and active exploits for high-impact CVEs (Log4Shell, Spring4Shell, Confluence OGNL, Citrix NetScaler).

Nuclei runs at the end of the injection phase, after ZAP has finished. We invoke it with `-rate-limit 50 -concurrency 25 -severity critical,high,medium -j` (JSONL output for machine parsing). Templates tagged `intrusive` or `dos` are excluded — Nuclei has those for red-team use cases that AuditCore deliberately avoids.
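The invocation and JSONL normalization described above, as an added Python example; this is illustrative code, not AuditCore's own `scanners/nuclei_scanner.py`. It assumes Nuclei's JSONL field names (`template-id`, `info.name`, `info.severity`, `info.tags`, `host`, `matched-at`) and uses `-etags` as the exclude-tags flag, which the page does not name. The sample JSONL lines are constructed and include a duplicate, a `dos`-tagged result and a truncated line, so the normalizer's edge cases are exercised.

```python
"""Added example, not AuditCore's scanners/nuclei_scanner.py: build the Nuclei
command line used in the Pro tier and turn its JSONL output into one
severity-rated table. Assumed: Nuclei's JSONL field names (template-id,
info.name, info.severity, info.tags, host, matched-at) and its -etags flag."""
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
EXCLUDED_TAGS = frozenset({"intrusive", "dos"})


def build_nuclei_command(target, severities=("critical", "high", "medium"),
                         exclude_tags=EXCLUDED_TAGS, rate_limit=50, concurrency=25):
    """Argument vector for the invocation described on the page.
    -etags is assumed to be Nuclei's exclude-tags flag; the page does not name it."""
    return ["nuclei", "-u", target,
            "-rate-limit", str(rate_limit),
            "-concurrency", str(concurrency),
            "-severity", ",".join(severities),
            "-etags", ",".join(sorted(exclude_tags)),
            "-j"]


def parse_jsonl(text):
    """One dict per valid JSONL line. A truncated or malformed line is skipped
    so that one bad record cannot discard the rest of the scan."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        info = rec.get("info") or {}
        tags = info.get("tags") or []
        if isinstance(tags, str):          # templates write tags as "a,b"; JSONL usually emits a list
            tags = [t.strip() for t in tags.split(",") if t.strip()]
        template_id = rec.get("template-id", "unknown-template")
        findings.append({
            "template_id": template_id,
            "name": info.get("name", template_id),
            "severity": str(info.get("severity", "unknown")).lower(),
            "tags": sorted(set(tags)),
            "host": rec.get("host", ""),
            "matched_at": rec.get("matched-at") or rec.get("host", ""),
        })
    return findings


def normalize(findings, exclude_tags=EXCLUDED_TAGS):
    """Severity-sorted, de-duplicated rows. Excluded tags are filtered here as
    well as on the CLI, so a mis-set flag cannot leak an intrusive result."""
    seen, rows = set(), []
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["template_id"]))
    for f in ordered:
        if set(f["tags"]) & set(exclude_tags):
            continue
        key = (f["template_id"], f["matched_at"])
        if key in seen:                    # same template hitting the same URL twice
            continue
        seen.add(key)
        rows.append(f)
    return rows


def render_table(rows):
    header = f"{'SEVERITY':<9} {'TEMPLATE':<26} MATCHED AT"
    out = [header, "-" * len(header)]
    for r in rows:
        out.append(f"{r['severity'].upper():<9} {r['template_id']:<26} {r['matched_at']}")
    return "\n".join(out)


# Constructed sample output: two findings, one duplicate, one dos-tagged result
# that must never reach the report, and one truncated line.
_HOST = "https://app.example.test"
SAMPLE_JSONL = "\n".join([
    json.dumps({"template-id": "springboot-actuator-env", "host": _HOST,
                "matched-at": _HOST + "/actuator/env",
                "info": {"name": "Spring Boot Actuator /env", "severity": "critical",
                         "tags": ["springboot", "exposure"]}}),
    json.dumps({"template-id": "git-config", "host": _HOST,
                "matched-at": _HOST + "/.git/config",
                "info": {"name": "Git config exposure", "severity": "high",
                         "tags": "git,exposure"}}),
    json.dumps({"template-id": "git-config", "host": _HOST,
                "matched-at": _HOST + "/.git/config",
                "info": {"name": "Git config exposure", "severity": "high",
                         "tags": ["git", "exposure"]}}),
    json.dumps({"template-id": "dos-probe-example", "host": _HOST,
                "matched-at": _HOST + "/",
                "info": {"name": "Constructed dos-tagged template", "severity": "medium",
                         "tags": ["dos"]}}),
    json.dumps({"template-id": "swagger-api", "host": _HOST,
                "matched-at": _HOST + "/swagger.json",
                "info": {"name": "Swagger spec exposed", "severity": "medium",
                         "tags": ["swagger", "exposure"]}}),
    '{"template-id": "truncated-reco',
])

if __name__ == "__main__":
    print(" ".join(build_nuclei_command(_HOST)))
    print(render_table(normalize(parse_jsonl(SAMPLE_JSONL))))
```

Filtering excluded tags a second time in `normalize` is deliberate: the CLI flag is the primary control, but the report stage should not trust that the scanner was launched with the right arguments.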

The big value: Nuclei finds the things you didn't know to look for. A typical SaaS audit might surface 0-3 ZAP findings (the team patched the obvious ones) but Nuclei adds another 5-15 findings around stale dependencies, exposed dev tooling, and CVEs in transitive infrastructure (CDN admin endpoints, monitoring dashboards). Bug-bounty hunters earn a living from this gap.

What it tests

Where it runs in the AuditCore pipeline

Phase 4/5 · Injection & Active Tests
Active payload-based scanning — SQL, NoSQL, command, template, XXE, SSRF, prototype pollution, race conditions, AI prompt injection, business-logic abuse, plus full ZAP / Nuclei / sqlmap.

Source: scanners/nuclei_scanner.py

Sample findings

Spring Boot Actuator /env exposed without auth

Critical. The `/actuator/env` endpoint is reachable without authentication and reveals the full application config including database credentials, JWT secrets, and OAuth client secrets. Mitigation: add `management.endpoints.web.exposure.include=health,info` to expose only safe endpoints, or put Actuator behind Spring Security with role-based access.

WordPress plugin with known RCE (CVE-2024-XXXX)

Critical. Detected `wp-content/plugins/<vulnerable-plugin>/readme.txt` revealing version 2.3.0 — vulnerable to authenticated RCE. Mitigation: update plugin, or remove if unmaintained. Run AuditCore's WordPress scanner for full plugin inventory.

Exposed .git directory at /.git/HEAD

High. The repository's `.git` folder is web-accessible. Tools like `git-dumper` can reconstruct full source code, commit history, and any committed secrets. Mitigation: nginx `location ~ /\.git { deny all; }` or Apache `<DirectoryMatch "^/.*/\.git/">Require all denied</DirectoryMatch>`.

AWS IMDSv1 metadata endpoint reachable via SSRF

Critical. The application makes server-side HTTP requests to user-supplied URLs, and `http://169.254.169.254/latest/meta-data/iam/security-credentials/` returns the EC2 instance role's temporary AWS credentials. Mitigation: enforce IMDSv2 (`aws ec2 modify-instance-metadata-options --http-tokens required`) and add SSRF allow-listing to the upstream code path.
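The SSRF allow-listing mitigation for the IMDS finding above, as an added Python example rather than code from the page or from AuditCore: an outbound-URL check that accepts only allow-listed hostnames, resolves them, and refuses any answer that is not globally routable, which covers `169.254.169.254`, loopback, RFC 1918 space and IPv4-mapped IPv6 forms. The allow-list, the fake resolver and the sample URLs are constructed; the `resolver` parameter exists so the check can run offline.

```python
"""Added example, not code from the page or from AuditCore: an outbound-URL
check for the SSRF allow-listing mitigation. Hostnames must be on an explicit
allow-list, and whatever they resolve to must be globally routable, so the
IMDS address 169.254.169.254, loopback, RFC 1918 space and IPv4-mapped IPv6
forms are all refused. Allow-list, fake resolver and sample URLs are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"api.partner.example", "assets.example.net"})  # constructed


def is_public_address(ip_text):
    """True only for a globally routable unicast address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped        # ::ffff:169.254.169.254 is still the metadata service
    return addr.is_global and not addr.is_multicast


def system_resolver(host):
    """All A/AAAA answers for host, via the OS resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def fake_resolver(host):
    """Constructed DNS table so the example runs offline. assets.example.net
    models an allow-listed name whose answers now include the IMDS address."""
    table = {"api.partner.example": ["93.184.216.34"],
             "assets.example.net": ["93.184.216.34", "169.254.169.254"]}
    if host not in table:
        raise socket.gaierror(f"no such host: {host}")
    return table[host]


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (allowed, reason, pinned_ip). Callers should connect to pinned_ip
    (setting the Host header themselves) rather than re-resolving, otherwise a
    DNS answer that changes between check and connect bypasses the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:        # IP literals never match, so they are rejected here
        return False, "host not on allow-list", None
    try:
        answers = resolver(host)
    except OSError:
        return False, "resolution failed", None
    if not answers:
        return False, "no DNS answers", None
    blocked = [ip for ip in answers if not is_public_address(ip)]
    if blocked:                          # one internal answer is enough to refuse
        return False, f"{host} resolves to non-public {blocked[0]}", None
    return True, "ok", answers[0]


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/items",
              "http://169.254.169.254/latest/meta-data/",
              "https://assets.example.net/logo.png",
              "file:///etc/hosts"):
        print(u, "->", validate_outbound_url(u, resolver=fake_resolver))
```

The check returns the resolved address on success so the HTTP client can connect to that exact address; validating the hostname and then letting the client resolve it again leaves a window in which a changed DNS answer points at the metadata service. Enforcing IMDSv2 on the instance, as the finding's mitigation says, is the second layer and is worth keeping even once the application check is in place.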

Available in Pro tier and above

Real vulnerability scanning. Adds ZAP, Nuclei, Nikto, subdomain discovery, JWT analysis, GraphQL introspection, recording proxy. Per-domain license — pay once, rescan unlimited.

FAQ

How often does AuditCore update its Nuclei template set?

Templates are pulled fresh on every scanner Docker image rebuild. We rebuild weekly as part of normal maintenance, plus immediately when a critical CVE drops (Log4Shell, etc.). The templates repository on ProjectDiscovery's GitHub is updated by the community within hours of most disclosures.

Why doesn't AuditCore enable Nuclei's `intrusive` templates?

Intrusive templates can cause damage: writing files, modifying configs, triggering DoS conditions. They're meant for sanctioned red-team engagements with explicit authorization. AuditCore is a continuous-scanning product running against customer-owned domains; we never want to break what we're scanning.

Will Nuclei detect zero-day vulnerabilities?

No — by definition, a zero-day has no template yet. Nuclei is excellent at detecting known vulnerabilities very quickly after disclosure (often same day). For zero-day-class issues, AuditCore relies on the active scanners (ZAP, sqlmap, custom injection scanners, AI Context Scanner) which test for vulnerability classes rather than specific CVEs.

How does Nuclei compare to commercial vuln scanners (Tenable, Qualys)?

Tenable/Qualys/Rapid7 maintain their own vulnerability databases with vendor support contracts. They're more comprehensive for enterprise OS/network scanning (think: Windows hotfixes, switch firmware). For modern web app + cloud, Nuclei is on par or better — its template ecosystem has 100+ contributors who add CVEs faster than commercial vendors and the templates are open-source so you can audit what's being checked.

Can I add custom Nuclei templates for AuditCore to run?

Not yet via self-serve. Custom templates are on the roadmap for the Enterprise tier — useful for org-specific signatures (e.g. 'detect our deprecated internal API endpoint'). Contact us if this is a blocker.