Nuclei supports multiple network protocols, enabling comprehensive security testing across different layers and services. Each protocol implementation provides specialized capabilities for its domain.
Supported protocols Nuclei currently supports 10 distinct protocols:
HTTP Web application testing with full HTTP/HTTPS support
DNS DNS queries and subdomain enumeration
TCP/Network Raw TCP socket connections and network services
SSL/TLS SSL/TLS certificate and configuration testing
Websocket Websocket connection testing
WHOIS Domain and IP WHOIS lookups
File Local file system scanning
Headless Browser-based testing with Chrome/Chromium
Code Multi-language code execution (Go, Python, etc.)
JavaScript JavaScript-based network protocol implementations
HTTP protocol The most commonly used protocol for web application security testing.
Basic HTTP request id : basic-http-example info : name : Basic HTTP Request author : pdteam severity : info http : - method : GET path : - "{{BaseURL}}/admin" - "{{BaseURL}}/dashboard" headers : User-Agent : "Nuclei Scanner" X-Custom-Header : "test" matchers : - type : status status : - 200 - 403
Raw HTTP requests For precise control over HTTP requests:
id : basic-raw-query-example info : name : Test RAW GET Query Template author : pdteam severity : info http : - raw : - | GET ?test=nuclei HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} matchers : - type : word words : - "Test is test raw-get-query-matcher text"
POST requests with JSON id : basic-post-json-body info : name : Basic POST JSON Body Request author : pdteam severity : info http : - method : POST path : - "{{BaseURL}}" headers : Content-Type : application/json Content-Length : 1 body : '{"username":"test","password":"nuclei"}' matchers : - type : word words : - "This is test post-json-body matcher text"
HTTP protocol supports GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS methods and can handle cookies, redirects, and authentication.
DNS protocol DNS queries for subdomain enumeration and DNS-based detection.
DNS query types A Record
CNAME Record
TXT Record
id : dns-a-query-example info : name : Test DNS A Query Template author : pdteam severity : info dns : - name : "{{FQDN}}" type : A class : inet recursion : true retries : 3 matchers : - type : word words : - "1.1.1.1"
id : dns-cname-query info : name : DNS CNAME Query author : pdteam severity : info dns : - name : "{{FQDN}}" type : CNAME class : inet recursion : true matchers : - type : word words : - "cloudfront.net"
id : dns-txt-query info : name : DNS TXT Record Query author : pdteam severity : info dns : - name : "{{FQDN}}" type : TXT class : inet matchers : - type : regex regex : - "v=spf1.*"
Supported DNS record types
A - IPv4 address recordsAAAA - IPv6 address recordsCNAME - Canonical name recordsNS - Name server recordsTXT - Text recordsMX - Mail exchange recordsPTR - Pointer recordsSRV - Service recordsSOA - Start of authorityCAA - Certificate authority authorizationTLSA - TLSA certificate association
Network (TCP) protocol Raw TCP socket connections for testing network services.
id : basic-network-request info : name : Basic Network Request author : pdteam severity : info network : - host : - "{{Hostname}}" inputs : - data : "PING \r\n " read-size : 4 matchers : - type : word part : data words : - "PONG"
Multi-step network requests id : multi-step-network info : name : Multi-Step Network Protocol author : pdteam severity : info network : - host : - "{{Hostname}}:{{Port}}" inputs : - data : "HELLO \r\n " - data : "AUTH admin \r\n " - data : "QUERY \r\n " read-size : 1024 matchers : - type : word words : - "OK AUTHENTICATED"
Network protocol requires explicit host and port specification. Use {{Hostname}}:{{Port}} for dynamic targets.
SSL/TLS protocol SSL/TLS certificate and configuration testing.
id : basic-ssl info : name : Basic SSL Request author : pdteam severity : info ssl : - address : "{{Host}}:{{Port}}" matchers : - type : dsl dsl : - "probe_status == true"
SSL certificate validation id : ssl-cert-check info : name : SSL Certificate Validation author : pdteam severity : medium ssl : - address : "{{Host}}:{{Port}}" matchers : - type : dsl dsl : - "contains(subject_cn, 'example.com')" - "not_after > now()" condition : and - type : word words : - "TLS 1.0" - "TLS 1.1" condition : or
Websocket protocol Websocket connection and message testing.
id : basic-request info : name : Basic Request author : pdteam severity : info websocket : - address : '{{Scheme}}://{{Hostname}}' inputs : - data : hello matchers : - type : word words : - world part : response
WHOIS protocol Domain and IP WHOIS information retrieval.
id : whois-query info : name : WHOIS Information Query author : pdteam severity : info whois : - query : "{{FQDN}}" matchers : - type : regex regex : - "Registrar: GoDaddy"
File protocol Local file system scanning for sensitive files and configurations.
id : file-check info : name : Local File Check author : pdteam severity : medium file : - extensions : - all extractors : - type : regex regex : - "(?i)password \\ s*= \\ s*[' \" ]([^' \" ]+)"
File protocol requires the -l flag with a file path or directory to scan.
Headless protocol Browser automation for JavaScript-heavy applications.
id : headless-example info : name : Headless Browser Test author : pdteam severity : info headless : - steps : - action : navigate args : url : "{{BaseURL}}" - action : waitload - action : click args : by : xpath xpath : '//button[@id="submit"]' - action : screenshot matchers : - type : word part : body words : - "Success"
Headless protocol requires Chrome/Chromium and must be enabled with -headless flag.
Code protocol Multi-language code execution for cloud and infrastructure checks.
id : code-example info : name : Code Protocol Example author : pdteam severity : info code : - engine : - go - python source : | package main import "fmt" func main() { // Custom security check logic fmt.Println("Check result") }
Code protocol templates must be digitally signed and require -code flag to execute.
JavaScript protocol JavaScript-based network protocol implementations.
id : javascript-example info : name : JavaScript Protocol author : pdteam severity : info javascript : - code : | let conn = new net.Open('tcp', Host + ':' + Port); conn.Send('PING\r\n'); let resp = conn.RecvString(); log(resp); matchers : - type : word words : - "PONG"
Protocol comparison Protocol Use case Authentication Multi-step HTTP Web applications Yes Yes DNS Domain enumeration No No Network Network services Manual Yes SSL Certificate testing No No Websocket Real-time apps Yes Yes WHOIS Domain info No No File Local scanning N/A No Headless JavaScript apps Yes Yes Code Infrastructure N/A Yes JavaScript Custom protocols Manual Yes
Protocol selection guide
Identify target
Determine what you’re testing - web app, network service, or infrastructure
Choose protocol
Select the protocol that best matches your target’s communication method
Check requirements
Verify if special flags or setup are needed (headless, code signing, etc.)
Build template
Create template using protocol-specific syntax and operators
Multi-protocol templates Combine multiple protocols for comprehensive testing:
id : multi-protocol-template info : name : Multi-Protocol Security Check author : pdteam severity : high http : - method : GET path : - "{{BaseURL}}" extractors : - type : regex name : ip_address internal : true regex : - "([0-9]{1,3} \\ .[0-9]{1,3} \\ .[0-9]{1,3} \\ .[0-9]{1,3})" dns : - name : "{{FQDN}}" type : A matchers : - type : word words : - "{{ip_address}}" network : - host : - "{{ip_address}}:443" inputs : - data : "PING \r\n "
Templates Template structure basics
Matchers Protocol-specific matchers
Operators Using operators with protocols