Fuzzing templates are used with nuclei scanner which powers the actual scanning engine. This repository contains various fuzzing templates for the scanner provided by our team, as well as contributed by the community.
We welcome contributions from the community through pull requests or issues to increase the coverage of security testing. Unlike the nuclei-templates project, which focuses on known vulnerabilities, fuzzing templates are specifically designed to discover previously unknown vulnerabilities in applications.
Please navigate to https://nuclei.projectdiscovery.io/templating-guide/protocols/http-fuzzing/ for detailed documentation to build your own fuzzing template. We have also added a set of templates to help you understand how things work.
🌪️ Using Fuzzing Templates
- Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v2/cmd/[email protected]
- Clone Fuzzing Templates
git clone https://github.com/projectdiscovery/fuzzing-templates.git
- Run Fuzzing Templates
Input for fuzzing templates:
Current fuzzing support is limited to URLs with with query parameters, so any urls with no query parameters will be simply ignored.
$ cat fuzz_endpoints.txt http://127.0.0.1:8082/info?name=test&another=value&random=data http://127.0.0.1:8082/redirect?redirect_url=/info?name=redirected_from_url http://127.0.0.1:8082/request?url=https://example.com http://127.0.0.1:8082/email?text=important_user http://127.0.0.1:8082/permissions?cmd=whoami http://127.0.0.1:8082/info?name=redirected_from_url
You can use katana with query url filter (
-f qurl) to get list of endpoints to run with url fuzzing templates
Running fuzzing templates:
nuclei -t fuzzing-templates -list fuzz_endpoints.txt
You can use existing nuclei options to filter / run specific directory / sub directory / templates or tags
Got questions / doubts / ideas to discuss? Feel free to open a discussion on GitHub discussions board.
You are welcome to join the active Discord Community to discuss directly with project maintainers and share things with others around security and automation. Additionally, you may follow us on Twitter to be updated on all the things about Nuclei.
Thanks again for your contribution and keeping this community vibrant. ❤️