API Security Testing with Nuclei

Nuclei is a fast, template-based vulnerability scanner perfect for API security testing. Its YAML templates make it easy to write custom security checks.

Why Nuclei for APIs

| Feature | Benefit |
|---|---|
| Template-based | Easy to customize and share |
| Fast | Concurrent scanning, minimal overhead |
| Extensible | 7000+ community templates |
| CI/CD friendly | JSON/SARIF output, exit codes |
| API-focused | OpenAPI/Swagger support |

Installation

# macOS
brew install nuclei

# Linux
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Docker
docker pull projectdiscovery/nuclei:latest

# Update templates
nuclei -update-templates

Basic Usage

# Scan a single URL
nuclei -u https://api.example.com -t http/

# Scan with specific templates (v3 template paths live under http/)
nuclei -u https://api.example.com -t http/cves/ -t http/exposed-panels/

# Scan the endpoints described by an OpenAPI spec (v3 input mode reads the spec file locally)
curl -sO https://api.example.com/openapi.json
nuclei -l openapi.json -im openapi -t http/exposures/

# Output to line-delimited JSON (one finding per line; the flag is -jsonl in v3)
nuclei -u https://api.example.com -jsonl -o results.json

API Security Templates

Common API Vulnerabilities

# Test for common API issues
nuclei -u https://api.example.com \
  -t http/exposures/apis/ \
  -t http/misconfiguration/ \
  -t http/vulnerabilities/

OWASP API Top 10 Coverage

| OWASP API Risk | Nuclei Templates |
|---|---|
| Broken Object Level Authorization (BOLA) | http/exposures/apis/ |
| Broken Authentication | http/default-logins/ |
| Excessive Data Exposure | http/exposures/ |
| Lack of Resources & Rate Limiting | Custom rate-limit checks |
| Broken Function Level Authorization (BFLA) | http/misconfiguration/ |
| Mass Assignment | Custom templates |
| Security Misconfiguration | http/misconfiguration/ |
| Injection | http/vulnerabilities/ |
| Improper Assets Management | http/technologies/ |
| Insufficient Logging & Monitoring | Custom templates |

Custom API Template

Create custom templates for your specific APIs:

# .nuclei/templates/api-auth-bypass.yaml
id: api-auth-bypass

info:
  name: API Authentication Bypass
  author: your-team
  severity: high
  description: Tests for missing authentication on API endpoints
  tags: api,auth,bypass

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/users"
      - "{{BaseURL}}/api/v1/admin/settings"
      - "{{BaseURL}}/api/v1/internal/debug"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - '"users"'
          - '"data"'
          - '"settings"'
        condition: or

CI/CD Integration

GitHub Actions

# .github/workflows/nuclei-api.yml
name: API Security Scan

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 3 * * *'

jobs:
  nuclei:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Nuclei
        uses: projectdiscovery/nuclei-action@main
        with:
          target: https://api.example.com
          templates: |
            http/exposures/
            http/misconfiguration/
            http/vulnerabilities/
          output: nuclei-results.txt
          sarif-export: nuclei-results.sarif
          flags: "-severity critical,high,medium"

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: nuclei-results.sarif

Scanning OpenAPI Specifications

- name: Generate targets from OpenAPI
  run: |
    # Extract endpoint paths from the OpenAPI spec and prefix them with the base URL.
    # Templated paths such as /users/{id} keep their braces; substitute real IDs if needed.
    curl -s ${{ secrets.API_SPEC_URL }} | \
      jq -r '.paths | keys[]' | \
      sed "s|^|https://api.example.com|" > targets.txt

- name: Run Nuclei on API endpoints
  run: |
    # -jsonl writes one JSON object per finding (v3 name for the old -json flag)
    nuclei -l targets.txt \
      -t http/vulnerabilities/ \
      -severity critical,high \
      -jsonl -o results.json
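The CI steps above write findings but do not yet gate the pipeline on them. The following added example (not from the page or the Nuclei project) parses Nuclei's line-delimited JSON output, drops duplicate and malformed lines, counts findings by severity, and returns a fail/pass decision that a workflow step can turn into an exit code; the sample lines and hosts are constructed, while the field names (`template-id`, `info.severity`, `matched-at`) are the ones Nuclei emits.

```python
import json
from collections import Counter

# Severity order used by Nuclei's "info.severity" field.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of Nuclei JSONL output (one finding per line). Field names
# match what Nuclei emits; the host, duplicate line and junk line are made up to
# exercise the edge cases a real results file can contain.
SAMPLE_JSONL = """\
{"template-id":"api-auth-bypass","info":{"name":"API Authentication Bypass","severity":"high"},"type":"http","host":"https://api.example.com","matched-at":"https://api.example.com/api/v1/admin/settings"}
{"template-id":"api-auth-bypass","info":{"name":"API Authentication Bypass","severity":"high"},"type":"http","host":"https://api.example.com","matched-at":"https://api.example.com/api/v1/admin/settings"}
{"template-id":"tech-detect","info":{"name":"Wappalyzer Technology Detection","severity":"info"},"type":"http","host":"https://api.example.com","matched-at":"https://api.example.com"}
not json at all
{"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info"},"type":"http","host":"https://api.example.com","matched-at":"https://api.example.com/api/v1/users"}
"""


def parse_findings(jsonl_text):
    """Parse JSONL output; skip blank/non-JSON lines and duplicate findings."""
    seen, findings = set(), []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            finding = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or log noise, not a finding
        key = (finding.get("template-id"), finding.get("matched-at"))
        if key in seen:
            continue  # same template hit the same URL twice (e.g. repeated runs)
        seen.add(key)
        findings.append(finding)
    return findings


def count_by_severity(findings):
    """Counter of findings keyed by lower-cased severity."""
    return Counter(f.get("info", {}).get("severity", "unknown").lower() for f in findings)


def should_fail(findings, fail_on="high"):
    """True when any finding is at or above the fail_on severity (the CI gate)."""
    floor = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK.get(f.get("info", {}).get("severity", "").lower(), -1) >= floor
               for f in findings)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    found = parse_findings(text)
    print(dict(count_by_severity(found)))
    sys.exit(1 if should_fail(found) else 0)  # non-zero exit fails the workflow step
```

Run it as `python gate.py results.json` after the scan step; the exit code makes the job fail when a high or critical finding is present.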

Advanced Features

Rate Limiting

# Limit requests per second sent to the target
nuclei -u https://api.example.com -rate-limit 10

# Number of templates executed in parallel
nuclei -u https://api.example.com -concurrency 5

Authenticated Scanning

# With custom headers
nuclei -u https://api.example.com \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "X-API-Key: $API_KEY"

# With cookies
nuclei -u https://api.example.com \
  -H "Cookie: session=abc123"

Workflow Templates

Chain multiple checks:

# workflow-api-audit.yaml
id: api-security-audit
info:
  name: Complete API Security Audit
  author: your-team
workflows:
  - template: http/technologies/
  - template: http/exposures/apis/
  - template: http/vulnerabilities/
  - template: custom/api-auth-bypass.yaml

Nuclei vs ZAP for APIs

| Aspect | Nuclei | ZAP |
|---|---|---|
| Speed | Very fast | Slower |
| Templates | 7000+ YAML | Scripted |
| Learning curve | Low | Medium |
| Deep crawling | Limited | Excellent |
| Custom checks | Easy (YAML) | Complex |
| Best for | Quick scans, CI/CD | Thorough testing |

Next, we'll explore Runtime Application Self-Protection (RASP).