nuclei

-snitls sni hostname to use (default: input domain name)

-varcustom vars in key=value format

-codeenable loading code protocol-based templates

-dastonly run DAST templates

-listList of target URLs/hosts to scan

-tagstemplates to run based on tags (comma-separated)

-typetemplates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript

-ztlsuse ztls library with autofallback to standard one for tls13

-debugshow all requests and responses

-jsonlwrite output in JSONL(ines) format

-proxylist of http/socks5 proxy to use (comma separated)

-resetreset removes all nuclei configuration and data files (including nuclei-templates)

-statsDisplay stats of the running scan.

-authortemplates to run based on authors (comma-separated)

-configpath to the nuclei configuration file

-headercustom header/cookie to include in all http requests in header:value format

-no-mhedisable skipping host from scan based on errors

-redactredact given list of keys from query parameter, request header and body

-resumeResume scan using resume.cfg (clustering will be disabled)

-silentdisplay findings only

-streamstream mode - start elaborating without sorting the input

-targettarget URLs/hosts to scan

-no-metadisable printing result metadata in cli output

-passiveenable passive HTTP response processing mode

-profiletemplate profile config file to run

-projectUse a project folder to avoid sending same request multiple times.

-retriesnumber of times to retry a failed request (default 1)

-timeouttime to wait in seconds before timeout (default 10)

-uncoverenable uncover engine

-verboseshow verbose output

-env-varsenable environment variables to be used in template

-headlessenable templates that require headless browser support (root user on linux will disable sandbox)

-no-colordisable output content coloring (ANSI escape codes)

-no-httpxdisable httpx probing for non-url input

-no-stdindisable stdin processing

-omit-rawomit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)

-severitytemplates to run based on severity. Possible values: info, low, medium, high, critical, unknown

-templatestemplate file to run

-validatevalidate the passed templates to nuclei

-bulk-sizemaximum number of hosts to be analyzed in parallel per template (default 25)

-client-caclient certificate authority file (PEM-encoded) used for authenticating against scanned hosts

-debug-reqshow all sent requests

-interfacenetwork interface to use for network scan

-tgllist all available tags

-resolversfile containing resolver list for nuclei

-source-ipsource ip address to use for network scan

-tagstemplates to run based on tags

-templatesfolder of templates to run

-timestampenables printing timestamp in cli output

-varcustom vars in key=value format

-workflowslist of workflow or workflow directory to run (comma-separated)

-client-keyclient key file (PEM-encoded) used for authenticating against scanned hosts

-debug-respshow all received responses

-exclude-idtemplates to exclude based on template ids (comma-separated)

-ip-versionIP version to scan of hostname (4,6) - (default 4)

-proxylist of http/socks5 proxy to use

-rate-limitmaximum number of requests to send per second (default 150)

-stats-jsonWrite statistics data to stdout in JSONL(ines) format

-attack-typetype of payload combinations to perform (batteringram,pitchfork,clusterbomb)

-authortemplates to run based on authors

-client-certclient certificate file (PEM-encoded) used for authenticating against scanned hosts

-concurrencymaximum number of templates to be executed in parallel (default 25)

-force-http2force http2 connection on requests

-secret-filepath to config file containing secrets for nuclei authenticated scan

-template-idtemplates to run based on template ids (comma-separated)

-enable-pprofenable pprof debugging server

-exclude-tagstemplates to exclude based on tags (comma-separated)

-exclude-typetemplates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript

-fuzzing-modeoverrides fuzzing mode set in template (multiple, single)

-fuzzing-typeoverrides fuzzing type set in template (replace, prefix, postfix, infix)

-hang-monitorenable nuclei hang monitoring

-headercustom list of headers/cookies to include in all http requests in header:value

-health-checkrun diagnostic check up

-include-tagstags to be executed even if they are excluded either by default or configuration

-metrics-portport to expose nuclei metrics on (default 9092)

-page-timeoutseconds to wait for each page in headless mode (default 20)

-profile-listlist community template profiles

-project-pathUse a user defined project folder. Temporary folder is used if not specified but enabled.

-scan-all-ipsscan all the IP's associated with dns record

-template-urltemplate urls to run (comma-separated)

-workflow-urlworkflow urls to run (comma-separated)

-exclude-hostshosts to exclude to scan from the input list (ip, cidr, hostname)

-max-redirectsmax number of redirects to follow for http templates (default 10)

-new-templatesrun only new templates added in latest nuclei-templates release

-no-interactshdisable interactsh server for OAST testing, exclude OAST based templates

-omit-templateomit encoded template in the JSON, JSONL output

-report-confignuclei reporting module configuration file

-scan-strategystrategy to use while scanning(auto/host-spray/template-spray) (default auto)

-show-var-dumpshow variables dump for debugging

-system-chromeuse local installed Chrome browser instead of nuclei installed

-targetfolder containing files to execute file templates on

-template-urllist of template urls to run

-uncover-delaydelay between uncover query requests in seconds (0 to disable) (default 1)

-uncover-fielduncover fields to return (ip,port,host) (default ip:port)

-uncover-limituncover results to return (default 100)

-uncover-queryuncover search query

-workflow-urllist of workflow urls to run

-automatic-scanautomatic web scan using wappalyzer technology detection to tags mapping

-js-concurrencymaximum number of javascript runtimes to be executed in parallel (default 120)

-tllist all available templates

-matcher-statusdisplay match failure status

-max-host-errormax errors for a host before skipping from scan (default 30)

-proxy-internalproxy all internal requests

-stats-intervalnumber of seconds to wait between showing a statistics update (default 5)

-templateslist of template to run

-uncover-engineuncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan)

-workflowslist of workflow or workflow directory to run

-exclude-idtemplates to exclude based on template ids

-show-match-lineshow match lines for file templates, works with extractors only

-tls-impersonateenable experimental client hello (ja3) tls randomization

-exclude-matcherstemplate matchers to exclude in result

-exclude-severitytemplates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown

-follow-redirectsenable following redirects for http templates

-headless-optionsstart headless chrome with additional options

-interactsh-tokenauthentication token for self-hosted interactsh server

-no-strict-syntaxDisable strict syntax check on templates

-prefetch-secretsprefetch secrets from the secrets file

-system-resolversuse system DNS resolving as error fallback

-template-idtemplates to run based on template ids

-track-erroradds given error to max-host-error watchlist

-dialer-keep-alivekeep-alive duration for network requests.

-disable-redirectsdisable redirects for http templates

-vvdisplay templates loaded for scan

-exclude-tagstemplates to exclude based on tags

-exclude-templatestemplate or template directory to exclude (comma-separated)

-include-tagstags to be executed even if they are excluded either by default or configuration

-include-templatestemplates to be executed even if they are excluded either by default or configuration

-interactsh-serverinteractsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)

-list-dsl-functionlist all supported DSL function signatures

-rate-limit-minutemaximum number of requests to send per minute

-templates-versionshows the version of the installed nuclei-templates

-uncover-ratelimitoverride ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)

-disable-clusteringdisable clustering of requests

-headless-bulk-sizemaximum number of headless hosts to be analyzed in parallel per template (default 10)

-input-read-timeouttimeout on input read (default 3m0s)

-response-size-readmax response size to read in bytes (default 10485760)

-response-size-savemax response size to read in bytes (default 1048576)

-template-conditiontemplates to run based on expression condition

-templatestemplate directory to run

-leave-default-portsleave default HTTP/HTTPS ports (eg. host:80,host:443

-payload-concurrencymax payload concurrency for each template (default 25)

-stop-at-first-matchstop processing HTTP requests after the first match (may break template/workflow logic)

-disable-update-checkdisable automatic nuclei/templates update check

-headless-concurrencymaximum number of headless templates to be executed in parallel (default 10)

-list-headless-actionlist available headless actions

-exclude-matcherstemplate matchers to exclude in result

-follow-host-redirectsfollow redirects on the same host

-interactions-evictionnumber of seconds to wait before evicting requests from cache (default 60)

-new-templates-versionrun new templates added in specific version

-exclude-templatestemplate or template directory to exclude

-include-templatestemplates to be executed even if they are excluded either by default or configuration

-allow-local-file-accessallows file (payload) access anywhere on the system

-interactions-cache-sizenumber of requests to keep in the interactions cache (default 5000)

-interactions-poll-durationnumber of seconds to wait before each interaction poll request (default 5)

-interactions-cooldown-periodextra time for interaction polling before exiting (default 5)

-restrict-local-network-accessblocks connections to the local / private network