Nuclei Cheat Sheet (Basic → Advanced)
Dhruv
March 23, 2026 (Updated: March 23, 2026)
Nuclei is developed by ProjectDiscovery and works best when combined with recon tools like Subfinder, Httpx, Naabu and testing tools like Burp Suite.
1. Installation
Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Update Templates
nuclei -update-templates
Templates location: ~/.local/nuclei-templates/
2. Basic Scanning
Scan Single Target
nuclei -u https://target.com
Scan Multiple Targets
nuclei -l targets.txt
Example targets.txt:
https://site1.com
https://site2.com
https://site3.com
3. Severity-Based Scanning
Focus on valuable bugs.
nuclei -l targets.txt -severity critical,high,medium
Severity levels:
info
low
medium
high
critical
4. Scan Specific Template Categories
nuclei -u https://target.com -t cves/
Common directories:
cves/
vulnerabilities/
misconfiguration/
exposures/
default-logins/
takeovers/
5. Scan Using Tags
nuclei -u https://target.com -tags sqli,xss,lfi
Popular bug bounty tags:
rce
ssrf
sqli
xss
lfi
takeover
misconfig
6. Save Scan Results
Save to File
nuclei -l targets.txt -o results.txt
JSON Output
nuclei -l targets.txt -jsonl -o results.json
Useful for automation pipelines.
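One way to consume that output in a pipeline, as an added example that is not from the original article: the script parses nuclei's JSON Lines results (one JSON object per finding), skips malformed lines and duplicates, and returns findings at or above a chosen severity, worst first. The sample records, hostnames and template ids are constructed; the field names template-id, info.severity and matched-at are the ones nuclei writes.

```python
import json

# Severity levels in ascending order, as listed in section 3.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed sample in the shape of nuclei's JSON Lines output
# (hosts and template ids are made up for this example).
SAMPLE_JSONL = """\
{"template-id": "exposed-panel-demo", "info": {"name": "Demo Admin Panel", "severity": "medium"}, "host": "https://site1.example", "matched-at": "https://site1.example/admin"}
{"template-id": "tech-detect-demo", "info": {"name": "Demo Tech Detect", "severity": "info"}, "host": "https://site1.example", "matched-at": "https://site1.example"}
{"template-id": "default-login-demo", "info": {"name": "Demo Default Login", "severity": "high"}, "host": "https://site2.example", "matched-at": "https://site2.example/login"}
{"template-id": "exposed-panel-demo", "info": {"name": "Demo Admin Panel", "severity": "medium"}, "host": "https://site1.example", "matched-at": "https://site1.example/admin"}
{"template-id": "cut-off-demo", "info": {"severi
{"template-id": "rce-demo", "info": {"name": "Demo RCE", "severity": "critical"}, "host": "https://site3.example", "matched-at": "https://site3.example/api"}
"""


def triage(jsonl_text, min_severity="medium"):
    """Return deduplicated findings at or above min_severity, worst first."""
    floor = SEVERITY_ORDER.index(min_severity)
    seen, findings = set(), []
    for line in jsonl_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partial line, e.g. from an interrupted scan
        info = record.get("info") if isinstance(record, dict) else None
        if not isinstance(info, dict):
            continue
        severity = str(info.get("severity", "")).lower()
        if severity not in SEVERITY_ORDER or SEVERITY_ORDER.index(severity) < floor:
            continue
        # The same template matching the same URL twice is one finding.
        key = (record.get("template-id"), record.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({"severity": severity, "template_id": key[0],
                         "matched_at": key[1], "name": info.get("name", "")})
    # Stable sort: equal severities keep their scan order.
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_JSONL):
        print(f'{f["severity"]:<8} {f["template_id"]:<20} {f["matched_at"]}')
```
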
7. Scan CVEs
nuclei -l targets.txt -t cves/
This checks the targets for known vulnerabilities.
8. Technology Detection Scan
First detect technologies with Httpx.
httpx -l domains.txt -tech-detect
Then run nuclei:
nuclei -l domains.txt -tags tech
9. High-Speed Scanning
Control concurrency and rate.
nuclei -l targets.txt -c 50 -rl 150
Options:
-c   concurrency (templates executed in parallel)
-rl  rate limit (requests per second)
Example fast scan:
nuclei -l targets.txt -c 100 -rl 300
10. Debug Mode
Helps you understand template behavior.
nuclei -u https://target.com -debug
11. Proxy Through Burp Suite
Use with Burp Suite for manual testing.
nuclei -l targets.txt -proxy http://127.0.0.1:8080
Useful for:
request analysis
payload testing
false positive verification
12. Scan JavaScript Files
Many hidden APIs exist in JS.
cat js_urls.txt | nuclei
Or:
nuclei -l js_urls.txt -tags xss,sqli
13. OOB Vulnerability Detection
Detect blind bugs using Interactsh.
nuclei -l targets.txt -tags ssrf,oob
Detects:
Blind SSRF
Blind XSS
XXE
Blind RCE
14. Workflows (Advanced)
Automate template chains.
nuclei -l targets.txt -w workflows/
Example workflow:
detect tech
run CVE templates
check misconfigurations
15. Scan Misconfigurations
Many bug bounties come from this.
nuclei -l targets.txt -tags misconfig
Finds:
open dashboards
exposed admin panels
default passwords
16. Scan for Subdomain Takeovers
nuclei -l subdomains.txt -tags takeover
Common bounty finding.
17. Custom Template Scanning
Run your own templates.
nuclei -u https://target.com -t custom_templates/
18. Full Bug Bounty Pipeline
Example recon workflow.
subfinder -d target.com -silent | httpx -silent | nuclei -severity medium,high,critical
Steps:
Subdomain discovery → Subfinder
Live host detection → Httpx
Vulnerability scanning → Nuclei
19. Port + Service Scanning
Combine with Naabu.
naabu -host target.com | httpx | nuclei
Detects vulnerabilities on exposed services.
20. Elite Bug Bounty One-Liner
Many professional hunters use pipelines like:
subfinder -d target.com -silent | \
httpx -silent | \
nuclei -severity medium,high,critical -c 100 -rl 300
Fast recon → vulnerability discovery.
🔥 High-Value Nuclei Tags for Bug Bounty
Focus on these:
rce
ssrf
sqli
xss
lfi
takeover
misconfig
default-login
exposure
⚡ Pro Tips (Used by Top Hunters)
Always update templates
nuclei -update-templates
Scan only live domains
httpx → nuclei
Prioritize these findings
exposed admin panels
cloud misconfigurations
default credentials
backup files
🧠 Pro Bug Bounty Stack
Most hunters combine:
Subfinder
Amass
Httpx
Naabu
Nuclei
Burp Suite
Tools by ProjectDiscovery are extremely popular in recon automation.