API & Mobile Security
Automation & Nuclei Templates
3 min read
Automation scales your bug hunting. Nuclei is THE vulnerability scanner for bug bounty hunters in 2026—fast, extensible, and community-powered.
Why Automate?
| Manual Testing | Automated Testing |
|---|---|
| Hours per target | Minutes per target |
| Deep, focused | Broad coverage |
| High-quality findings | Volume findings |
| Burnout risk | Sustainable |
Best approach: Automate recon and known vulnerabilities, manually test business logic.
Nuclei Fundamentals
Basic Usage
# Single target
nuclei -u https://example.com
# Multiple targets
nuclei -l targets.txt
# Specific tags
nuclei -u https://example.com -tags cve,xss,sqli
# Specific severity
nuclei -u https://example.com -severity critical,high
# Update templates
nuclei -update-templates
Template Categories
| Category | Description | Count (2026) |
|---|---|---|
| cves | Known CVEs | 5,000+ |
| exposures | Exposed files/configs | 1,000+ |
| vulnerabilities | Generic vulns | 500+ |
| misconfiguration | Server misconfigs | 300+ |
| technologies | Tech detection | 400+ |
Output Options
# JSON output
nuclei -l targets.txt -json -o results.json
# Markdown report
nuclei -l targets.txt -me reports/
# Silent mode (minimal output)
nuclei -l targets.txt -silent -o findings.txt
# Rate limiting (be nice to targets)
nuclei -l targets.txt -rate-limit 10
Writing Custom Templates
Basic Template Structure
id: my-custom-check
info:
name: Custom Vulnerability Check
author: your-name
severity: medium
description: Check for specific vulnerability
tags: custom,webapp
requests:
- method: GET
path:
- "{{BaseURL}}/admin"
matchers:
- type: status
status:
- 200
- type: word
words:
- "Admin Dashboard"
condition: and
Advanced Matchers
requests:
- method: GET
path:
- "{{BaseURL}}/.env"
matchers:
- type: word
words:
- "DB_PASSWORD"
- "APP_KEY"
condition: or
- type: status
status:
- 200
matchers-condition: and
Using Variables & Payloads
id: sqli-error-based
requests:
- method: GET
path:
- "{{BaseURL}}/search?q={{payload}}"
payloads:
payload:
- "' OR '1'='1"
- "1' AND '1'='1"
- "admin'--"
matchers:
- type: word
words:
- "SQL syntax"
- "mysql_fetch"
- "ORA-"
condition: or
POST Request Template
id: login-default-creds
requests:
- method: POST
path:
- "{{BaseURL}}/login"
body: "username={{user}}&password={{pass}}"
payloads:
user:
- admin
- root
pass:
- admin
- password
- 123456
attack: clusterbomb
matchers:
- type: word
words:
- "Welcome"
- "Dashboard"
Template Workflow
id: full-check-workflow
info:
name: Multi-step Check
severity: high
requests:
- method: GET
path:
- "{{BaseURL}}/api/version"
extractors:
- type: regex
name: version
regex:
- '"version":"([0-9.]+)"'
- method: GET
path:
- "{{BaseURL}}/api/vuln?v={{version}}"
matchers:
- type: word
words:
- "vulnerable"
Automation Pipeline
Complete Recon + Scan Script
#!/bin/bash
TARGET=$1
OUTPUT="./results/$TARGET"
mkdir -p $OUTPUT
echo "[*] Subdomain enumeration..."
subfinder -d $TARGET -silent > $OUTPUT/subs.txt
echo "[*] HTTP probing..."
cat $OUTPUT/subs.txt | httpx -silent > $OUTPUT/live.txt
echo "[*] Running nuclei..."
nuclei -l $OUTPUT/live.txt \
-severity critical,high,medium \
-o $OUTPUT/nuclei.txt
echo "[*] Checking for exposed configs..."
nuclei -l $OUTPUT/live.txt \
-tags config,exposure \
-o $OUTPUT/exposures.txt
echo "[+] Done! Check $OUTPUT for results"
Continuous Monitoring
# Daily scan with notifications
#!/bin/bash
TARGETS="targets.txt"
PREV="previous-results.json"
CURR="current-results.json"
nuclei -l $TARGETS -json -o $CURR
# Compare for new findings
diff $PREV $CURR > new-findings.txt
if [ -s new-findings.txt ]; then
# Send notification (Slack, Discord, email)
curl -X POST -d @new-findings.txt $WEBHOOK_URL
fi
mv $CURR $PREV
Best Practices
- Rate limit: Don't overwhelm targets
- Update regularly:
nuclei -update-templates - Custom templates: Build for your specific targets
- Combine with manual: Automate what's automatable
- Monitor changes: New features = new bugs
Pro Tip: The best hunters write custom templates for vulnerabilities they find manually—turning one finding into many.
Next, we'll cover vulnerability chaining for maximum impact. :::