Jostif/nuclei-templates
nuclei-templates

Custom Nuclei templates for bug bounty hunting and penetration testing. Written from real findings and HTB web machine experience.

Legal notice: Use only against targets you own or have explicit written authorization to test.


Template categories

Folder       Coverage
auth/        JWT attacks, default credentials, auth bypass
exposure/    .git, .env, backup files, source disclosure
injection/   SSTI, SSRF, open redirect
misconfig/   CORS, security headers, GraphQL introspection
recon/       Tech fingerprinting, API endpoint discovery
takeover/    Subdomain takeover via dangling CNAME

Usage

Run all templates against a target:

nuclei -u https://target.com -t .

Run a specific category:

nuclei -u https://target.com -t injection/
nuclei -u https://target.com -t auth/

Run against a list of targets:

nuclei -l targets.txt -t . -o results.txt

Run with severity filter:

nuclei -u https://target.com -t . -severity critical,high

Full recon pipeline:

subfinder -d target.com | httpx | nuclei -t .

Template index

auth/

  • jwt-none-alg.yaml — JWT none algorithm bypass
  • jwt-weak-secret.yaml — JWT signed with common weak secrets
  • default-credentials.yaml — Default creds against login panels

exposure/

  • git-exposed.yaml — Exposed .git directory
  • env-file-exposed.yaml — Exposed .env file with secrets
  • backup-files.yaml — Accessible backup/dump files

injection/

  • ssti-detection.yaml — SSTI via multi-engine math payload
  • ssrf-internal-probe.yaml — SSRF probing metadata and localhost
  • open-redirect.yaml — Open redirect parameter fuzzing

misconfig/

  • cors-misconfig.yaml — CORS origin reflection with credentials
  • security-headers-missing.yaml — Missing security headers
  • graphql-introspection.yaml — GraphQL introspection enabled

recon/

  • tech-fingerprint.yaml — Framework and tech detection
  • api-endpoint-discovery.yaml — Swagger, OpenAPI, versioned routes

takeover/

  • subdomain-takeover-cname.yaml — Dangling CNAME detection

Author

J0stif — penetration tester, bug bounty hunter.
PNPT · PWPA · CEH · OSCP (in progress) · HTB CPTS (in progress) · HTB CWES (in progress)

HTB Profile · Writeups & Notes · X social
