Replies: 1 comment
-
|
Hi @di-ao , Your feature request is well-articulated and addresses a real pain point for large-scale, precision scanning. Supporting target-specific tags via JSONL input would indeed make Nuclei far more efficient for asset-driven workflows — especially when paired with external fingerprinting tools. I’d encourage you to:
Great idea — hope it gets implemented soon! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Is your feature request related to a problem? Please describe.
I am building an automated scanning system where I use a specialized fingerprinting tool (like ObserverWard or TideFinger) before running Nuclei. This external tool identifies technologies more accurately for my specific targets (e.g., identifying localized CMS or specific middleware) than the built-in Wappalyzer engine used by the
-asflag.I have a list of 1000+ targets, and for each target, I already know exactly which tags need to be scanned.
For example:
http://target-A.com-> identified asThinkPHP-> should only run templates withtags: thinkphphttp://target-B.com-> identified asTomcat-> should only run templates withtags: tomcatCurrent Limitations:
nucleimultiple times (e.g., once for ThinkPHP targets, once for Tomcat targets), the overhead of engine initialization is high, and I end up with fragmented report files that are hard to merge.-as: This forces Nuclei to re-fingerprint the targets using its internal engine, ignoring my external fingerprint results. It wastes time and might miss the specific tech I already identified.javascriptprotocol triggers or DSL matchers to route targets based on string matching (e.g.,contains(BaseURL, ':8080')). However, this is complex to generate dynamically for thousands of targets, and passing the context correctly without sending redundant requests is difficult.Solution
I would like to support a JSONL input format (or a config file) where I can specify the
tags(or template IDs) for each specific target within a single Nuclei execution.Proposed Input Format (e.g.,
targets.jsonl):{"url": "http://127.0.0.1:88", "tags": ["thinkphp", "rce"]} {"url": "http://127.0.0.1:89", "tags": ["tomcat"]} {"url": "http://example.com", "tags": ["shiro", "cve"]}Proposed Command:
Expected Behavior:
http://127.0.0.1:88, it only loads and executes templates matchingthinkphpandrce.http://127.0.0.1:89, it only loads and executes templates matchingtomcat.Why is this important?
This would allow users to integrate Nuclei into complex scanning pipelines (External Fingerprint -> Nuclei) much more efficiently, avoiding the "spray and pray" approach and enabling precise, asset-driven scanning without the overhead of multiple process executions.
Beta Was this translation helpful? Give feedback.
All reactions